As Data Breaches Continue, Merchants Face More Account Takeover Fraud
The year 2019 may go down as one of the worst for data breaches and account takeover fraud (ATO). These two types of crime go hand in hand, because fraudsters rely on stolen credentials to hijack consumers’ banking and shopping accounts — and merchants are paying the price.
The numbers for data breaches and account takeovers are dire. Among the data breach victims since the beginning of August: 100 million Capital One credit applicants, 198 million DealerLeads car buyers and almost every person in Ecuador, population 17.3 million. Meanwhile, ATO fraud losses in 2018 were 164% higher than in 2017, when they cost U.S. merchants and banks $5.1 billion, and that trend is expected to continue.
More Stolen Data, More Ways To Break Into Accounts
With so much stolen data available on the dark web, fraudsters have many options for taking over existing consumer accounts. They can hijack any accounts for which user IDs and passwords are exposed, of course. They can also use those credentials — manually or with botnets — to try to gain entry to other shopping, banking and social media sites. This is often easier than it should be, because most people (recent surveys say between 59% and 64%) use the same password for all their online accounts.
If the stolen data includes usernames or email addresses but not passwords, brute-force password cracking tools can generate rapid-fire guesses until they get it right. A botnet can crack an 8-character password in just a few seconds, opening the associated account to hijacking. If the data breach doesn’t expose any account login credentials, that doesn’t mean breach victims are safe from account takeovers.
Many data breaches, including the Capital One and DealerLeads breaches, expose consumers’ phone numbers. Most of us don’t think of phone numbers as sensitive information, but the recent spate of SIM swap attacks means we need to look at phone security differently now. In this type of attack, like the one that hit Twitter founder Jack Dorsey, scammers with a target’s phone number contact the wireless carrier they think is associated with the account. If they guess right, they can impersonate the customer and ask or bribe customer service to remotely change their SIM number to a new device.
Now the fraudster has the victim’s phone number linked to a device they own. That lets them break into the victim’s social media accounts, which may be linked to payment services and retail accounts. But SIM swaps also make it possible for fraudsters to hijack SMS two-factor authentication (2FA) messages and change passwords for email, banking and shopping accounts.
Exploiting 2FA this way allows criminals to take control over virtually every aspect of the victim’s digital life. The victims may find it difficult or impossible to recover their accounts. And because the accounts are associated with good customers, merchants may not realize they’ve been defrauded until the losses have piled up.
Protecting E-Commerce From ATO Fraud
ATO poses a complex challenge for e-Commerce merchants — detecting the fraud without alienating good customers with false declines or making it too difficult for legitimate customers to make purchases. One tactic is to help your customers keep their accounts safe. To do this you can:
- Require longer passwords for customer accounts, with a variety of character types, to make brute-force password cracking less likely.
- Require a username that’s not the customer’s email address, to reduce successful credential-testing by criminals working with stolen data.
- Offer two-factor authentication options besides (or instead of) SMS messaging, like authenticator app codes and codes sent via email. Like all security tactics that add friction during checkout, this requires close monitoring of your conversion rates and quick adjustment if they start to fall.
- Send customer alerts whenever there’s a contact information or password change request on the account.
Another set of tactics involves adjusting your fraud prevention program to look for ATO warning signs. Screen orders for recent changes in the customer’s email address, phone number, shipping address and shopping behavior. For example, if a longtime customer who normally buys small housewares for delivery to Los Angeles suddenly switches up their contact information and orders a stack of high-value gift cards for delivery to New Jersey, that transaction needs further review.
Fraudsters often use the same shipping address for multiple hijacked accounts and set up fake email addresses on a single domain, so if you see patterns across customer accounts, it’s time to investigate all the affected accounts for possible fraud. You can also use mobile-specific screening measures to compare device, geolocation and behavioral biometric history to the current mobile order. This can help detect ATO fraud enabled by SIM swapping. To avoid rejecting orders from good customers, add or expand your manual review process rather than automatically canceling those transactions.
As long as there are digital security weaknesses that criminals can exploit to access consumers’ accounts, account takeover will be a concern. But by understanding the signs of potential ATO fraud, carefully screening orders and keeping reliable lines of communication open with your customers, you can protect your business from this growing threat.