Fraudsters rarely target just one customer in an account takeover, and can often compromise hundreds of accounts at once. Here’s how we developed a way to quickly stop the spread of an attack and limit the number of customers affected.
When a fraudster gains control of an account that belongs to a genuine customer, this is known as an account takeover (ATO). Once they’re inside, fraudsters can make unauthorised transactions, sell the compromised accounts online and/or scrape personal information out of the account which can be sold. Often, an attacker will have a lost list of customer logins and use credential stuffing techniques to compromise many accounts at once, putting a large proportion of customers at risk.
With typical online payment fraud, a fraudster creates an account and uses stolen card details to make fraudulent orders. There are many subtle signals which a machine learning model or rules engine can use to identify them as a fraudster. However, with ATO, the account is initially genuine, and so the account activity often doesn’t cause alarm bells until the point that fraud occurs.
At this point, the customer may get in touch to tell the merchant that their account has been hacked. Or, as the merchant, you might recognise the signs of an ATO incident, like a huge spike in logins or multiple accounts being logged into from a single device which has never been used before.
Once you know an account has been compromised, you can block it and stop further orders. But this doesn’t solve the whole problem. What about the multiple other accounts which the fraudster was able to gain entry to? What if they commit another ATO and gain access to even more accounts?
And what about the individual victims - your customers - do you block their account from making future orders indefinitely? If you do, you could lose them for life.
The huge scale of ATO attacks means this approach is simply not sustainable, but you do need to do something to stop attacks. This dilemma was causing problems for a number of merchants, and so we developed a new solution.
Our solution was to create a way for Analysts to perform Account Takeover reviews. This is similar to the process of manually reviewing an account as fraud, but with a key difference. ATO reviews are based on specific customer activity, not the customer account itself.
You can now review customer activity as account takeover. These activities can be logins, orders, or devices used on the account.
When you do an ATO review in Ravelin, you’ll see:
If you review an order or login, Ravelin will identify the device associated with that activity and place an ATO label on that device.
It’s important that we are certain that we have the right device ID. The industry-standard practice is to capture a device fingerprint and transform/enhance it into a device ID. This means that devices with similar characteristics can be misidentified as being the same device. This can cause genuine customers to be blocked and increases the false positive rate.
Instead, our approach is to generate a device ID first and then associate the data collected for that device with the device ID. This means there is no way for two different devices to end up with the same ID. Therefore, it’s safe and effective to label devices with ATO.
Now that the device is labelled as ATO, all other future orders made by that device will be reviewed as ATO, even if they are made from another customer account. This allows you to create rules that limit the spread of ATO from a single device and limits the costs to your business and impact on customers. For example, you can create a rule that blocks the ATO device from being used to log in, or prevents orders from that device.
When you look at any of the customer activities reviewed as ATO, whether it is an order/device/login, you will be able to know if this was the original activity reviewed or if it's a review via a linked device. You'll also be able to see this in the customer network as well.
Analysts should only use ATO reviews when they are certain ATO has happened, otherwise this could negatively impact the performance of the model. However, there’s always the chance that there could be a mistake or a reason for reversing the decision.
You can remove an ATO review by going to the order, device or login and selecting the option to "Undo review". Undoing an ATO review also removes the review on the device and any orders placed by the device.
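A minimal model of the review behaviour described above, as an added example that is not Ravelin's code: an analyst reviews one activity, the label lands on the device, later activity from that device on any account is marked as linked, and undo reverses it. The class and method names (`AtoReviews`, `review_as_ato`, `undo_review`, `allow`) and the sample customers are hypothetical, and clearing every activity on the device on undo is an assumption.

```python
import uuid
from dataclasses import dataclass

@dataclass
class Activity:
    kind: str            # "login" or "order"
    customer_id: str
    device_id: str
    ato: str = ""        # "", "original" or "linked-device"

class AtoReviews:
    def __init__(self):
        self.activities = []
        self.ato_devices = set()

    def new_device_id(self):
        # The ID is generated first; collected device data is attached to it later.
        return str(uuid.uuid4())

    def record(self, kind, customer_id, device_id):
        # Activity from a labelled device is reviewed as ATO on any account.
        ato = "linked-device" if device_id in self.ato_devices else ""
        act = Activity(kind, customer_id, device_id, ato)
        self.activities.append(act)
        return act

    def review_as_ato(self, activity):
        activity.ato = "original"
        self.ato_devices.add(activity.device_id)

    def undo_review(self, activity):
        # Assumption: undo clears the device label and every activity on that device.
        self.ato_devices.discard(activity.device_id)
        for act in self.activities:
            if act.device_id == activity.device_id:
                act.ato = ""

    def allow(self, activity):
        # Example rule: block logins and orders from an ATO-labelled device.
        return activity.device_id not in self.ato_devices

def demo():
    r = AtoReviews()
    attacker, own_phone = r.new_device_id(), r.new_device_id()
    first = r.record("login", "cust-1", attacker)
    r.review_as_ato(first)                            # analyst reviews the login
    later = r.record("order", "cust-2", attacker)     # other account, same device
    own = r.record("order", "cust-1", own_phone)      # victim on their own device
    before = (first.ato, later.ato, own.ato, r.allow(later), r.allow(own))
    r.undo_review(first)
    return before, (first.ato, later.ato, r.allow(later))
```

In `demo()`, customer `cust-1` can still order from their own device while the labelled device is blocked on every account, which is the difference between reviewing activity and blocking the account.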
Check out the account takeover insights page if you want to learn more, or to learn more about using the ATO review feature please get in touch!
Jessica Allen, Head of Content