Clearsale Blog | Insights on Ecommerce and fraud

The Capital One Breach and Account Takeover Fraud: What Merchants Must Know

Written by Chargeback & Fraud Protection Team | Aug 14, 2019

Another day, another security breach. This time the target was Capital One, one of the largest banks in the United States. The immediate victims were more than 106 million customers in the United States and Canada.

Most articles about this security breach focus on what consumers must do to protect their data in light of the breach. Very few address what these breaches mean for e-commerce merchants. Notably, one of the biggest issues with this breach is the dramatically higher amount of consumer data now available on the dark net.


With this new information available for easy purchase by fraudsters, e-commerce retailers must be more alert than ever to the signs and risks of account takeover fraud.

Here’s what merchants need to know about the latest breach and how they can protect themselves against the account takeover attacks that are likely to follow.

What Happened With Capital One?

In July 2019, 106 million Capital One customers in the United States and Canada were the victims of a massive data breach that compromised their Social Security numbers, credit scores and limits, payment history, credit card transaction data, and other personal information. While the breach likely occurred as early as mid-March, it wasn’t discovered until July 19.

The hacker allegedly gained unauthorized access to a cloud-based server and accessed personal data on not just Capital One credit card holders, but also anyone who had applied for any of the bank’s products. While Capital One said it was unlikely the stolen data was used for fraudulent purposes, the company is still offering free credit monitoring and identity protection to those affected by the breach.

When data breaches occur, account takeover fraud is almost certain to follow. For example, after Equifax announced the compromise of more than 143 million records in September 2017, there was an almost immediate 53% increase in account takeover fraud.

What Is Account Takeover Fraud?

Account takeover fraud occurs when a fraudster uses pieces of a victim’s identity, like their Social Security number or email address, to access and take over the victim’s account. While checking and savings accounts are often most at risk, fraudsters can also compromise online shopping, brokerage and loyalty accounts.

Unfortunately, it’s becoming easier than ever for fraudsters to get that sensitive information using methods such as:

  • Data breaches. Each breach gives hackers a virtually unlimited supply of personal information — including names, credit card and account numbers, and usernames and passwords — to compromise.
  • Unsecured wireless networks. Considering logging on to unsecured Wi-Fi? Fraudsters can capture their victim’s keystrokes as they log in to sensitive accounts.
  • Social engineering. Have you ever completed a Facebook questionnaire one of your friends posted? Customers may unwittingly share password-specific information — like their elementary school, hometown and best friend’s name — as they answer these questions. Hackers can use these details to answer the knowledge-based authentication questions required for changing account data.

Once hackers have the data they need, they’re free to change phone numbers, email addresses and other key account data, which effectively locks a customer out of their own account. That means these unsuspecting customers are often in the dark about how their bank accounts are being drained or new credit cards are being opened in their name.

How Merchants Can Prevent Account Takeover Fraud

But customers aren’t the only victims of account takeover. Online merchants can also be negatively affected by account takeover through increased false declines, additional checkout friction, and damage to brand reputation.

In all, account takeover fraud cost merchants and customers an estimated $5.1 billion worldwide in 2018, a 120% increase from 2017. It’s therefore critical that merchants implement new ways of protecting themselves and their customers. While no precaution is 100% foolproof, here are a few ways merchants can reduce their risk of being a victim.

Encourage Password Security

Help shoppers set up secure passwords on your website by allowing only passwords that use a combination of upper- and lowercase letters, numbers, and special characters. Just as important, encourage shoppers to use a unique password for each of their accounts and change them regularly. Hackers are less likely to be successful at compromising accounts if a customer is regularly changing passwords and not using the same one for each of their accounts.

Add Multifactor Authentication

Merchants can also offer multifactor authentication for customer accounts and encourage customers to use it. If they do, even if a hacker has the password to access a customer’s account, the hacker still needs full access to the customer’s mobile device or email to get the second code.

Be Cautious With Stored Payment Methods

While storing payment data can simplify the customer experience, it also puts customers at increased risk if your e-commerce website is compromised. Add security measures that require customers to re-enter credit card information if your system notices any changes to passwords, devices or browsers, or shipping or billing information.
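One way to implement the re-entry rule described above, as an added example that is not ClearSale's code. The `TrustedState` and `Checkout` records, their field names, and the reason strings are hypothetical, and the sample data is constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Hypothetical snapshot of the account as it stood the last time the
# shopper typed in full card details (proof of card possession).
@dataclass(frozen=True)
class TrustedState:
    card_verified_at: datetime
    password_changed_at: datetime
    device_ids: frozenset      # device/browser identifiers seen at or before verification
    shipping_address: str
    billing_address: str

# Hypothetical checkout request that wants to use the stored card.
@dataclass(frozen=True)
class Checkout:
    device_id: str
    shipping_address: str
    billing_address: str

def _norm(addr: str) -> str:
    # Ignore case and spacing so cosmetic edits do not trigger re-entry.
    return " ".join(addr.lower().split())

def reentry_reasons(trusted: TrustedState, order: Checkout) -> list:
    """List every change that should block use of the stored card."""
    reasons = []
    if trusted.password_changed_at > trusted.card_verified_at:
        reasons.append("password_changed")
    if order.device_id not in trusted.device_ids:
        reasons.append("new_device_or_browser")
    if _norm(order.shipping_address) != _norm(trusted.shipping_address):
        reasons.append("shipping_changed")
    if _norm(order.billing_address) != _norm(trusted.billing_address):
        reasons.append("billing_changed")
    return reasons

def needs_card_reentry(trusted: TrustedState, order: Checkout) -> bool:
    return bool(reentry_reasons(trusted, order))

# Constructed sample data: one routine order, one with takeover signals.
T0 = datetime(2019, 8, 1, 12, 0)
TRUSTED = TrustedState(T0, T0 - timedelta(days=30), frozenset({"dev-a"}),
                       "1 Main St, Springfield", "1 Main St, Springfield")
SAME = Checkout("dev-a", "1 main st,  springfield", "1 Main St, Springfield")
TAKEOVER = Checkout("dev-z", "99 Drop Rd, Elsewhere", "1 Main St, Springfield")
```

Returning the reasons rather than a bare boolean lets the same check feed a manual-review queue with the specific changes that triggered it.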

Implement a Robust Fraud Prevention Program

When merchants have a plan in place to thoroughly screen transactions, they’ll be better able to not only prevent fraud losses but to also reduce false declines.

A fraud prevention solution that uses a variety of order-screening tools, is customized to the fraud profile of each sales channel, and combines human analysis and artificial intelligence can help catch fraudulent transactions before they’re processed. By manually reviewing all suspicious orders instead of relying on automatic rejections, merchants can avoid high false decline rates and uncover account takeover fraud attempts.

A managed services solution may be just the approach your business needs to take to protect against the costly losses associated with account takeover fraud. Download our free eBook, “Is a Fraud Managed Services Solution Right for Your Business,” to learn more. If you still have questions after reading it, just contact one of ClearSale’s fraud experts. They’ll be happy to help you explore your options.