
How to limit the impact of account takeover

Fraudsters rarely target just one customer in an account takeover, and can often compromise hundreds of accounts at once. Here’s how we developed a way to quickly stop the spread of an attack and limit the number of customers affected.


When a fraudster gains control of an account that belongs to a genuine customer, this is known as an account takeover (ATO). Once they’re inside, fraudsters can make unauthorised transactions, sell the compromised accounts online and/or scrape personal information out of the account to sell. Often, an attacker will have a lost list of customer logins and use credential stuffing techniques to compromise many accounts at once, putting a large proportion of customers at risk.

Why ATO fraud is more challenging to recognise

With typical online payment fraud, a fraudster creates an account and uses stolen card details to make fraudulent orders. There are many subtle signals which a machine learning model or rules engine can use to identify them as a fraudster. However, with ATO, the account is initially genuine, and so the account activity often doesn’t cause alarm bells until the point that fraud occurs.

At this point, the customer may get in touch to tell the merchant that their account has been hacked. Or, as the merchant, you might recognise the signs of an ATO incident, like a huge spike in logins or multiple accounts being logged into from a single device which has never been used before.
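The second signal above, one previously unseen device logging into several accounts, can be checked directly against login records. This is an added example, not code from the original post or from Ravelin; the event layout, the one-hour window and the three-account threshold are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample login events: (timestamp, customer_id, device_id).
LOGINS = [
    ("2024-05-01T09:00:00", "cust-1", "dev-A"),
    ("2024-05-20T18:30:00", "cust-1", "dev-A"),
    ("2024-05-20T18:31:00", "cust-2", "dev-B"),
    ("2024-05-21T02:00:05", "cust-3", "dev-X"),
    ("2024-05-21T02:00:09", "cust-4", "dev-X"),
    ("2024-05-21T02:00:14", "cust-1", "dev-X"),
    ("2024-05-21T02:00:20", "cust-5", "dev-X"),
    ("2024-05-21T08:15:00", "cust-2", "dev-B"),
]

def new_devices_on_many_accounts(logins, window=timedelta(hours=1), min_accounts=3):
    """Return {device_id: [customer ids]} for devices that logged into at least
    min_accounts distinct accounts within `window` of their first-ever login."""
    first_seen = {}
    accounts = defaultdict(set)
    for ts, customer, device in sorted(logins):  # ISO timestamps sort chronologically
        when = datetime.fromisoformat(ts)
        first_seen.setdefault(device, when)
        # Only activity close to the device's first appearance counts, so a
        # long-established device is not flagged by this particular signal.
        if when - first_seen[device] <= window:
            accounts[device].add(customer)
    return {d: sorted(c) for d, c in accounts.items() if len(c) >= min_accounts}

if __name__ == "__main__":
    for device, customers in new_devices_on_many_accounts(LOGINS).items():
        print(device, "touched", len(customers), "accounts:", ", ".join(customers))
```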

Blocking compromised accounts doesn’t solve the problem

Once you know an account has been compromised, you can block it and stop further orders. But this doesn’t solve the whole problem. What about the multiple other accounts which the fraudster was able to gain entry to? What if they commit another ATO and gain access to even more accounts?

And what about the individual victims - your customers - do you block their account from making future orders indefinitely? If you do, you could lose them for life.

The huge scale of ATO attacks means this approach is simply not sustainable, but you do need to do something to stop attacks. This dilemma was causing problems for a number of merchants, and so we developed a new solution.

Introducing Account Takeover reviews

Our solution was to create a way for Analysts to perform Account Takeover reviews. This is similar to the process of manually reviewing an account as fraud, but with a key difference. ATO reviews are based on specific customer activity, not the customer account itself.

You can now review customer activity as account takeover. These activities can be logins, orders, or devices used on the account.

Reviewing activity as Account Takeover in Ravelin

When you do an ATO review in Ravelin, you’ll see:

  • The login, order or device selected to review
  • The device associated with the order
  • Any other orders placed using that device on that customer account

Order reviewed as Account Takeover

Account takeover review


If you review an order or login, Ravelin will identify the device associated with that activity and place an ATO label on that device.

It’s important that we are certain that we have the right device ID. The industry-standard practice is to capture a device fingerprint and transform/enhance it into a device ID. This means that devices with similar characteristics can be misidentified as being the same device. This can cause genuine customers to be blocked and increases the false positive rate.

Instead, our approach is to generate a device ID first and then associate the data collected for that device with the device ID. This means there is no way for two different devices to end up with the same ID. Therefore, it’s safe and effective to label devices with ATO.

Preventing account takeover on other customer accounts

Now that the device is labelled as ATO, all other future orders made by that device will be reviewed as ATO, even if they are made from another customer account. This allows you to create rules that limit the spread of ATO from a single device, limiting the costs to your business and the impact on customers. For example, you can create a rule that blocks the ATO device from being used to log in, or prevents orders from that device.

When you look at any of the customer activities reviewed as ATO, whether it is an order, device or login, you will be able to tell whether this was the original activity reviewed or a review via a linked device. You'll also be able to see this in the customer network.


Undoing an Account Takeover review

Analysts should only use ATO reviews when they are certain ATO has happened; otherwise, this could negatively impact the performance of the model. However, there’s always the chance that there could be a mistake or a reason for reversing the decision.

You can remove an ATO review by going to the order, device or login and selecting the option to "Undo review". Undoing an ATO review also removes the review on the device and any orders placed by the device.
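The device-ID, linked-device and undo behaviour described in the sections above can be modelled in a few lines. This is an added example, not Ravelin's code or API: the class, function names and sample data are hypothetical, and the fingerprint ID is a plain hash of the collected attributes.

```python
import hashlib
import uuid

def fingerprint_id(attrs):
    """ID derived from collected characteristics: look-alike devices collide."""
    return hashlib.sha256(repr(sorted(attrs.items())).encode()).hexdigest()[:12]

def issued_id(attrs):
    """ID generated first; attrs would only be stored against it afterwards."""
    return uuid.uuid4().hex

class AtoReviews:
    """Simplification: any recorded activity on a labelled device counts as linked."""
    def __init__(self):
        self.activities = {}  # activity_id -> (kind, customer_id, device_id)
        self.labelled = {}    # device_id -> activity_id whose review set the label

    def record(self, activity_id, kind, customer_id, device_id):
        self.activities[activity_id] = (kind, customer_id, device_id)

    def review_as_ato(self, activity_id):
        device = self.activities[activity_id][2]
        self.labelled.setdefault(device, activity_id)

    def undo_review(self, activity_id):
        # Dropping the device label also clears every linked-device review.
        device = self.activities[activity_id][2]
        if self.labelled.get(device) == activity_id:
            del self.labelled[device]

    def status(self, activity_id):
        source = self.labelled.get(self.activities[activity_id][2])
        if source is None:
            return None
        return "original" if source == activity_id else "linked-device"

def scenario(make_id):
    """Two different phones with identical characteristics (constructed data)."""
    attrs = {"model": "Phone 12", "os": "17.4", "locale": "en-GB"}
    attacker_dev, genuine_dev = make_id(attrs), make_id(attrs)
    reviews = AtoReviews()
    reviews.record("order-1", "order", "cust-victim-1", attacker_dev)
    reviews.record("login-7", "login", "cust-victim-2", attacker_dev)
    reviews.record("order-9", "order", "cust-genuine", genuine_dev)
    ids = ("order-1", "login-7", "order-9")
    reviews.review_as_ato("order-1")
    labelled = [reviews.status(a) for a in ids]
    reviews.undo_review("order-1")
    return labelled, [reviews.status(a) for a in ids]
```

Calling `scenario(fingerprint_id)` marks the genuine customer's `order-9` as a linked-device ATO review because both phones hash to one ID, while `scenario(issued_id)` leaves it untouched; in both cases undoing the original review clears every status.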

Check out the account takeover insights page if you want to learn more, or to learn more about using the ATO review feature please get in touch!
