Blog / Account Takeover
An overview of how merchants should protect their customers from account takeover through credential stuffing and how weak security can result in reputational damage.
Over the years there’s been a rapid increase in the number of consumers that have fallen victim to account takeover. According to UK prevention service Cifas, identity fraud hit a record high of 174,523 cases in 2017, with 95% of takeovers involving the impersonation of an innocent victim.
Account takeover is usually a case of poor authentication, verification and weak password security, which has presented a wide open door for fraudsters to open new accounts with those stolen details, take over good accounts, and wreak havoc in a merchant's customer base.
This blog explains the implications for merchants and how they should protect their customers to ensure the security and safety of account details.
The most valuable asset for any e-commerce company is its customer accounts. Loyal customers mean repeated business and trust built between the brand and consumer. Good customers turn to brands they trust when searching for a product, spend time on their site and would confidently recommend that brand both socially and to their friends.
One of the biggest costs for e-commerce businesses is the cost per acquisition for new customers and getting them through the door. So once they have the good users, retaining them and keeping them on the site is key.
But as technology has advanced, so have customer expectations. A frictionless shopping experience is desirable, often essential, when ordering with a merchant.
Tech giant Amazon are a great example of providing a flawless shopping experience. Customers can make a purchase with 1-Click and not submit further payment details. It’s a fantastic shopping experience for the customer.
However, think of the damage that can be done if this account gets into the hands of a fraudster - purchases can be made instantly and repeatedly without needing to provide payment details - read more about this here. Whilst Amazon are a great example of a merchant that breaks down the barriers between the desire to buy something and card abandonment, it also shows how important account security is when offering this level of frictionless transaction.
In the past, the assumption has been that having weak account credentials is the consumers’ fault. We all are lazy. We use the same password across a variety of merchants, and that’s pretty normal - it’s hard to remember different symbols and keys for different logins.
E-commerce merchants should understand this and take the initiative themselves to bring new measures into effect and provide the security. Bringing in stronger authentication methods such as 2FA is a great way to keep the customer protected.
The epidemic of weak account security is spread across a variety of industries too. Gambling companies often report millions of credential stuffing attempts every single day. There’s a tsunami of hacking going on. As consumers reuse the same combinations, fraudsters follow the exact same footsteps and try the same combo on lots of other merchants. And they have bots and machines to do this for them in incredibly efficient and cheap ways.
Companies should be using the same resources as fraudsters. There are over three billion username and password combinations available on the internet from the big data breaches and hacks over the years. Every merchant should gain access to this database and ensure that when a new customer signs up with them, they’re not permitted to use the same details if those details have been compromised previously. Although this may cause a bit of temporary friction, the bigger picture of security outweighs any delayed account opening time.
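The sign-up check described above, as an added example that is not part of the original post or of Ravelin's product: the new password is hashed, only a short hash prefix is sent to the breach-corpus lookup, and the match is made on the merchant's side so the full hash never leaves the sign-up service (the same k-anonymity pattern that public breach-check APIs use). The leaked-password list and the `lookup_range` service are constructed stand-ins for a real corpus; the function names are hypothetical.

```python
import hashlib

# Constructed stand-in for the billions of breached credentials the post
# refers to. In production this is a licensed corpus or a k-anonymity
# range endpoint; the values and names here are hypothetical.
LEAKED_PASSWORDS = ["password", "123456", "qwerty", "letmein", "Summer2017!"]


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1, the hash form breach corpora are distributed in."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(leaked):
    """Corpus side: map a 5-char hash prefix to the set of 35-char suffixes."""
    index = {}
    for pw in leaked:
        h = sha1_hex(pw)
        index.setdefault(h[:5], set()).add(h[5:])
    return index


BREACH_INDEX = build_range_index(LEAKED_PASSWORDS)


def lookup_range(prefix: str) -> set:
    """Corpus side: the only thing the caller reveals is a 5-char prefix,
    which matches many unrelated passwords, so the corpus cannot tell which
    one was being checked."""
    if len(prefix) != 5:
        raise ValueError("prefix must be exactly 5 hex characters")
    return BREACH_INDEX.get(prefix.upper(), set())


def is_compromised(password: str) -> bool:
    """Merchant side: hash locally, query by prefix, compare suffix locally."""
    h = sha1_hex(password)
    return h[5:] in lookup_range(h[:5])


def validate_new_password(password: str, min_len: int = 12) -> list:
    """Return the list of reasons a sign-up password must be rejected.
    An empty list means the password is acceptable."""
    problems = []
    if len(password) < min_len:
        problems.append(f"password must be at least {min_len} characters")
    if is_compromised(password):
        problems.append("password appears in a known breach; choose another")
    return problems


if __name__ == "__main__":
    for candidate in ["Summer2017!", "correct horse battery staple"]:
        print(candidate, "->", validate_new_password(candidate) or "ok")
```

Rejecting the password rather than silently accepting it is the small friction the post accepts; the message tells the customer why without echoing the corpus entry back.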
And account security should be seen as a benefit and value add for companies - companies known for having bad security will quickly lose market share and people will avoid using them. Protecting the customer is essential for any brand who wants to succeed in the long run.
A great example of good account security is Google. If a new location has been used to log in to a customer's account, the customer gets an update. If someone is using a new device, consumers get a notification to confirm it is them. Companies have this data on the consumer and should be using it to protect against fraud.
A Javelin Strategy and Research Study that is focused on USA data states that Account Takeover (ATO) has grown significantly with total losses from ATO fraud hitting $5.1 billion in 2017. For merchants, it’s not just the cost of replacing goods or refunding payments - it’s also the time spent by support teams dealing with angry customers and other teams tackling the legal and operational fallout.
A loss of credibility goes a long way for a business known for bad security and weak account protection. And we’re only starting to see the beginning of it: this is going to become an even bigger problem with the explosive use of social media and customers taking to the platforms to complain about brands.
And it’s no longer only the larger companies that come with this level of responsibility. Merchants should ask themselves if they’re asking enough questions, analysing enough data and using machine learning techniques to track spending patterns. If an account suddenly starts going on a random spending spree then companies should intervene.
Whilst consumers don’t want to be morally lectured by a merchant, an irregularity in spending is always worth asking whether the account has been compromised, rather than risking losing a good customer. Consumers will appreciate being notified, and indeed might come to expect it as public awareness of account takeover grows.
On the other hand, we understand that account behaviour is a very difficult pattern to detect. Anomaly detection with machine learning requires anomalous behaviour to take place. It’s essentially just an account buying goods - and if the fraudster is sensible, they’ll adopt a ‘low and slow’ approach: small purchases first instead of extravagant ones, so nothing is flagged up in a merchant’s database. The ‘low and slow’ trend has become popular amongst fraudsters to impersonate the spending actions of a genuine customer. This reinforces the point that no single ATO defence on its own will be sufficient. A range of tactics deployed across the customer journey is the best way to protect the all-important customer lifetime value.
Merchants should provide security on a “Google level” that does not let odd behaviour pass. Dive deep into customer data and analyse behaviours. Use location and device sign-ins to build a picture of what's normal for the customer. Customers tend to have consistent shopping patterns - if something is strange then it should be challenged. It shows that the merchant values the customers’ details and cares about account security. And it’s always better to be safe than sorry.
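An added example, not from the original post or Ravelin's product, that ties together the new-device and new-location notifications described earlier and the spending-pattern point made here. A per-account profile is built from constructed order history; each new order is scored by several independent signals (unknown device, unknown country, amount well above the customer's norm) so that a ‘low and slow’ order cannot avoid every signal just by keeping the amount small. The weights, thresholds, decision labels and the order history are assumptions chosen to illustrate the idea, not a real model.

```python
from dataclasses import dataclass, field
from statistics import mean, pstdev


@dataclass
class Order:
    account_id: str
    amount: float      # order value in the merchant's currency
    country: str       # country of the session that placed the order
    device_id: str     # merchant-assigned device identifier


@dataclass
class AccountProfile:
    """What is 'normal' for one customer, learned from past good orders."""
    devices: set = field(default_factory=set)
    countries: set = field(default_factory=set)
    amounts: list = field(default_factory=list)

    def update(self, order: Order) -> None:
        self.devices.add(order.device_id)
        self.countries.add(order.country)
        self.amounts.append(order.amount)


def build_profiles(history):
    profiles = {}
    for o in history:
        profiles.setdefault(o.account_id, AccountProfile()).update(o)
    return profiles


# Hypothetical weights: each signal is scored on its own, so a small
# purchase from an unknown device in an unknown country still adds up.
NEW_DEVICE = 30
NEW_COUNTRY = 25
AMOUNT_SPIKE = 40


def score_order(profile: AccountProfile, order: Order):
    """Return (risk_score, reasons). 'new device' is also the trigger for
    the kind of 'was this you?' notification the post describes."""
    score, reasons = 0, []
    if order.device_id not in profile.devices:
        score += NEW_DEVICE
        reasons.append("new device")
    if order.country not in profile.countries:
        score += NEW_COUNTRY
        reasons.append("new country")
    if len(profile.amounts) >= 3:
        mu = mean(profile.amounts)
        sd = pstdev(profile.amounts) or 1.0   # avoid division by zero
        z = (order.amount - mu) / sd
        if z > 3:                              # far above this customer's norm
            score += AMOUNT_SPIKE
            reasons.append(f"amount {z:.1f} sd above typical")
    return score, reasons


def decide(score: int, challenge_at: int = 40, block_at: int = 70) -> str:
    """Map a score to an action: allow, challenge (step-up auth and notify
    the customer), or block pending manual review."""
    if score >= block_at:
        return "block"
    if score >= challenge_at:
        return "challenge"
    return "allow"


def evaluate(profiles, order: Order):
    profile = profiles.get(order.account_id, AccountProfile())
    score, reasons = score_order(profile, order)
    return decide(score), score, reasons


# Constructed history: one customer who always orders modest amounts from
# the same device in the same country.
HISTORY = [
    Order("acct-1", 20.0, "GB", "dev-a"),
    Order("acct-1", 25.0, "GB", "dev-a"),
    Order("acct-1", 22.0, "GB", "dev-a"),
    Order("acct-1", 30.0, "GB", "dev-a"),
]

if __name__ == "__main__":
    profiles = build_profiles(HISTORY)
    for o in [Order("acct-1", 24.0, "GB", "dev-a"),     # normal
              Order("acct-1", 15.0, "RO", "dev-z"),     # low and slow
              Order("acct-1", 500.0, "GB", "dev-a"),    # spending spree
              Order("acct-1", 500.0, "RO", "dev-z")]:   # everything at once
        print(o.amount, o.country, o.device_id, "->", evaluate(profiles, o))
```

The low-and-slow order scores nothing on amount but is still challenged because the device and location signals fire; the spending spree from a known device is challenged on amount alone. Whatever the real weights are, the design point is the one the post makes: several independent signals across the journey, not one.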
To learn more about how account takeover works, check out our insights page here.
Alara Basul, Head Of Content