---
title: How to limit the impact of account takeover
date: 2020-10-14T11:04:00+01:00
author: Jessica Allen
canonical_url: "https://www.ravelin.com/blog/how-to-limit-the-impact-of-account-takeover"
section: Blog
---
Blog /[Account takeover](/resources?search=&category%5B0%5D=134546#resourceContainer "Go to Account takeover"), [Fraud analytics](/resources?search=&category%5B0%5D=134547#resourceContainer "Go to Fraud analytics")

# How to limit the impact of account takeover

Fraudsters rarely target just one customer in an account takeover, and can often compromise hundreds of accounts at once. Here’s how we developed a way to quickly stop the spread of an attack and limit the number of customers affected.

![How to limit the impact of account takeover](https://storage.googleapis.com/ravelin-website-assets-production/assets/images/_blogSmall/91124/Screenshot-2020-10-08-at-12.11.58.webp)

When a fraudster gains control of an account that belongs to a genuine customer this is known as an account takeover (ATO). [Once they’re inside](https://www.ravelin.com/blog/what-do-fraudsters-do-after-they-take-over-an-account), fraudsters can make unauthorised transactions, sell the compromised accounts online and/or scrape personal information out of the account which can be sold. Often, an attacker will have a lost list of customer logins and use [credential stuffing techniques](https://www.ravelin.com/blog/how-do-fraudsters-take-over-accounts) to compromise many accounts at once, putting a large proportion of customers at risk.

## Why ATO fraud is more challenging to recognise

With typical online payment fraud, a fraudster creates an account and uses stolen card details to make fraudulent orders. There are [many subtle signals](https://www.ravelin.com/insights/online-payment-fraud) which a machine learning model or rules engine can use to identify them as a fraudster. However, with ATO, the account is initially genuine, and so the account activity often doesn’t cause alarm bells until the point that fraud occurs.

At this point, the customer may get in touch to tell the merchant that their account has been hacked. Or, as the merchant you might recognise the signs of an ATO incident like a huge spike in logins, or multiple accounts being logged into from a single device which has never been used before.

## Blocking compromised accounts doesn’t solve the problem

Once you know an account has been compromised, you can block it and stop further orders. But this doesn’t solve the whole problem. What about the multiple other accounts which the fraudster was able to gain entry to? What if they commit another ATO and gain access to even more accounts?

And what about the individual victims - your customers - do you block their account from making future orders indefinitely? If you do, you could lose them for life.

The huge scale of ATO attacks means this approach is simply not sustainable, but you do need to do *something* to stop attacks. This dilemma was causing problems for a number of merchants, and so we developed a new solution.

## Introducing Account Takeover reviews

Our solution was to create a way for Analysts to perform Account Takeover reviews. This is similar to the process of manually reviewing an account as fraud, but with a key difference. ATO reviews are based on specific customer activity, not the customer account itself.

You can now review customer activity as account takeover, these activities can be logins, orders, or devices used on the account.

## Reviewing activity as Account Takeover in Ravelin

When you do an ATO review in Ravelin, you’ll see:

- The login, order or device selected to review
- the device associated with the order
- any other orders placed using that device on that customer account

## Order reviewed as Account Takeover

![Account takeover review](https://storage.googleapis.com/ravelin-website-assets-production/assets/images/Screenshot-2020-10-08-at-12.13.22.png)  
If you review an order or login, Ravelin will identify the device associated with that activity and place an ATO label on that device.

It’s important that we are certain that we have the right device ID. The industry-standard practice is to capture a device fingerprint and transform/enhance it into a device ID. This means that devices with similar characteristics can be misidentified as being the same device.This can cause genuine customers to be blocked and increases the false positive rate.

Instead, our approach is to generate a device ID first and then associate the data collected for that device with the device ID. This means there is no way for two different devices to end up with the same ID. There, it’s safe and effective to label devices with ATO.

## Preventing account takeover on other customer accounts

Now the device is labelled as ATO, all other future orders made by that device will be reviewed as ATO, even if they are made from another customer account. This allows you to create rules that limit the spread of ATO from a single device and limits the costs to your business and impact on customers.For example, you can create a rule that blocks the ATO device from being used to log in, or prevent orders from that device.

When you look at any of the customer activities reviewed as ATO, whether it is an order/device/login, you will be able to know if this was the original activity reviewed or if it's a review via a linked device. You'll also be able to see this in the customer network as well.

![](https://storage.googleapis.com/ravelin-website-assets-production/assets/images/Screenshot-2020-10-08-at-12.11.58.jpg)##   
Undoing an Account Takeover review

Analysts should only use ATO reviews when they are certain ATO has happened, otherwise this could negatively impact the performance of the model. However, there’s always the chance that there could be a mistake or a reason for reversing the decision.

You can remove an ATO review by going to the order, device or login and select the option to "Undo review". Undoing an ATO review also removes the review on the device and any orders placed by the device.

Check out the [account takeover insights page](https://www.ravelin.com/insights/account-takeover-fraud) if you want to learn more, or to learn more about using the ATO review feature please get in touch!

## Author

![Jessica Allen](https://storage.googleapis.com/ravelin-website-assets-production/assets/images/_avatarSmall/3491/Screen-Shot-2019-08-13-at-16.12.52.webp)

Jessica AllenHead of Content (Ravelin alumna)

Jessica previously served as Head of Content at Ravelin.

[More from this author](https://www.ravelin.com/author/jessica-allen)

## Related content

[Blog / Press release

### Driven by AI, customers now rival criminals for ecommerce fraud, say merchants

Global ecommerce fraud enters a new phase as losses continue to climb. Merchants now view criminals and their own customers as presenting a comparable risk, and there's a gap in AI adoption.

![Ravelin Symbol Blue 1](https://storage.googleapis.com/ravelin-website-assets-production/assets/images/_33x33_crop_center-center_none_ns/187712/Ravelin-Symbol-Blue-1.webp)Ravelin Technology](https://www.ravelin.com/blog/ravelin-fraud-survey-2026-press-release)

[Blog / Payments &amp; payment fraud

### Safeguarding agentic commerce – fraud strategy advice by Ravelin's CPO

"If there’s anything fraudsters like, it’s a new thing." Here's how to protect your online shop from agentic commerce fraud – which can target you no matter whether you're actively adopting AI shopping or not.

![RAVELIN STAFF Mark Barlow Head Of product website](https://storage.googleapis.com/ravelin-website-assets-production/assets/images/_33x33_crop_center-center_none_ns/175066/RAVELIN_STAFF_Mark_Barlow_Head_Of_product_website.webp)Mark Barlow,Chief Product Officer](https://www.ravelin.com/blog/agentic-commerce-fraud-prevention-strategy-analysis)

[Blog / Ravelin product

### Next-level reporting with Ravelin: Introducing Insights and AI-powered queries

Discover how the new Insights section and AI-powered queries in the Ravelin Dashboard simplify your fraud reporting.

![Ashleigh](https://storage.googleapis.com/ravelin-website-assets-production/assets/images/_33x33_crop_center-center_none_ns/267519/ashleigh.webp)Ashleigh Luccini Gilera,Senior Product Marketing Manager](https://www.ravelin.com/blog/fraud-reporting-insights-ai-queries)
