How do you safely restore customer access after an account takeover?
After a breach, genuine customers don’t want to lose their accounts and start from scratch. With account takeovers rising against merchants, how can you restore your customer accounts to allow them to safely order again after an attack?
When a fraudster gains access to a genuine account, this is known as account takeover (ATO), and it carries serious risks for online merchants. Our recent survey revealed that more than two-thirds of merchants classify ATO as a top business threat. In fact, ATO attacks have increased against almost half of merchants, with up to 14% of merchants reporting a significant increase in ATO activity. Online merchants are being hit with multiple high-impact ATO attacks every month, with certain industries suffering at least one significant attack every week.
The widespread nature of ATO means hundreds or thousands of accounts could be impacted in a single attack. Obviously losing high volumes of accounts is bad for a merchant, but it’s also bad for the customer if they lose the account profile they have built up over months or even years.
Genuine customers want to keep control of their accounts
After an account breach, genuine customers don’t want to have to start from scratch with a new account and lose all their previous order information, favourites or loyalty points. Plus, if this is the only option available, merchants are at risk of losing a loyal customer to a competitor with a smoother sign-up process, or potentially losing out by offering new sign-up discounts and bonuses to existing customers.
This is why we have developed a new way to identify reclaimed accounts in Ravelin. Using Ravelin, you can now send us data to let us know that a customer account has been reclaimed. This will display on the customer profile and show the date of the reclaim.
When you have confirmed that an attack has impacted a genuine customer, we recommend that you ask the customer to change their password immediately, or force a password reset on the account. We strongly recommend that you only enable account reclaims when you are 100% sure that the fraudster has lost access to the account.
Once the password has been changed and the account is fully secure, you can mark the account as reclaimed.
How reclaimed accounts work
When you mark an account as reclaimed, we will reset all the ATO data associated with the account, for example all the login-related data. This means that only the login activity which happens after the reclaim event will be stored from that point onwards. In other words, the ATO detection model will only use genuine customer activity to detect future possible ATO attacks.
However, we retain all the online payment fraud data, including activity that happened before the reclaim. The model that detects payment fraud will therefore still take into account the genuine customer activity from before the attack, so you don’t lose the benefit of any data collected from the customer’s genuine orders and past behaviour on your platform.
How reclaimed accounts impact network analysis
Our graph database, Connect, allows you to quickly spot fraudulent networks through a visual representation of the connections between customers, payment methods, addresses and more. Here’s an example of an ATO network…
In Connect, when an account is reclaimed, we reset the network connections around the customer in question. We remove all connections with the account from before the reclaim date. However, these connections will be rebuilt after the reclaim if the customer re-uses a device, email or card. This means that a genuine customer will no longer appear to be in a fraudulent network once they have securely reclaimed their account.
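The reclaim lifecycle described in the sections above, as an added illustrative model: the account must be secured (password reset, sessions revoked) before it can be marked reclaimed; login data visible to the ATO model is cut off at the reclaim timestamp; order data for the payment-fraud model is kept in full; and graph connections from before the reclaim are dropped but reappear when the genuine customer re-uses a device, card or address. This is example code written for this post, not Ravelin's API or data model. The Account fields, event types, the reclaim gate and the customer timeline are all assumptions constructed for the demonstration.

```python
"""Hypothetical model of an account-reclaim workflow (not Ravelin's API)."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional


def utc(*parts):
    """Build a UTC timestamp from (year, month, day[, hour])."""
    return datetime(*parts, tzinfo=timezone.utc)


@dataclass
class LoginEvent:
    at: datetime
    device_id: str
    ip: str


@dataclass
class Order:
    at: datetime
    card_token: str
    address: str


@dataclass
class Account:
    customer_id: str
    logins: list = field(default_factory=list)
    orders: list = field(default_factory=list)
    password_reset_at: Optional[datetime] = None    # assumed field
    sessions_revoked_at: Optional[datetime] = None  # assumed field
    reclaimed_at: Optional[datetime] = None


class ReclaimError(Exception):
    """Raised when an account is marked reclaimed before it is actually secured."""


def mark_reclaimed(acct: Account, now: datetime) -> Account:
    """Record a reclaim. The post's advice becomes a hard precondition: the
    password must have been reset and live sessions revoked first, so the
    fraudster has lost access before the ATO history is wiped."""
    if acct.password_reset_at is None or acct.sessions_revoked_at is None:
        raise ReclaimError("reset the password and revoke sessions before reclaiming")
    if max(acct.password_reset_at, acct.sessions_revoked_at) > now:
        raise ReclaimError("reclaim timestamp precedes the securing steps")
    acct.reclaimed_at = now
    return acct


def _after_reclaim(acct: Account, at: datetime) -> bool:
    return acct.reclaimed_at is None or at >= acct.reclaimed_at


def ato_model_logins(acct: Account) -> list:
    """Login data visible to the ATO model: only events after the reclaim."""
    return [e for e in acct.logins if _after_reclaim(acct, e.at)]


def payment_model_orders(acct: Account) -> list:
    """Order data visible to the payment-fraud model: everything, pre-reclaim included."""
    return list(acct.orders)


def network_edges(acct: Account) -> set:
    """Graph edges (entity type, value) shown for this customer. Edges created
    before the reclaim are dropped; an entity reused afterwards reappears."""
    edges = set()
    for e in acct.logins:
        if _after_reclaim(acct, e.at):
            edges.add(("device", e.device_id))
    for o in acct.orders:
        if _after_reclaim(acct, o.at):
            edges.add(("card", o.card_token))
            edges.add(("address", o.address))
    return edges


RECLAIM_AT = utc(2024, 2, 3, 12)


def build_sample_account() -> Account:
    """Constructed timeline for a fictional customer: genuine use, then a takeover."""
    acct = Account("cust-123")
    acct.logins.append(LoginEvent(utc(2024, 1, 10), "dev-genuine", "203.0.113.5"))
    acct.orders.append(Order(utc(2024, 1, 15), "card-genuine", "1 Example Street"))
    acct.logins.append(LoginEvent(utc(2024, 2, 1), "dev-attacker", "198.51.100.9"))  # takeover
    acct.orders.append(Order(utc(2024, 2, 2), "card-attacker", "99 Drop Address"))
    return acct


def run_reclaim_scenario() -> dict:
    """Secure the account, reclaim it, then let the genuine customer return."""
    acct = build_sample_account()
    acct.password_reset_at = utc(2024, 2, 3, 9)
    acct.sessions_revoked_at = utc(2024, 2, 3, 9)
    mark_reclaimed(acct, RECLAIM_AT)
    # Genuine customer comes back on their usual device and card.
    acct.logins.append(LoginEvent(utc(2024, 2, 10), "dev-genuine", "203.0.113.5"))
    acct.orders.append(Order(utc(2024, 2, 12), "card-genuine", "1 Example Street"))
    return {
        "ato_logins": len(ato_model_logins(acct)),
        "orders_for_payment_model": len(payment_model_orders(acct)),
        "network_edges": network_edges(acct),
    }


if __name__ == "__main__":
    print(run_reclaim_scenario())
```

Running the scenario shows the three behaviours side by side: the ATO model sees only the one post-reclaim login, the payment model still sees all three orders, and the graph has lost the attacker's device, card and drop address while the customer's own device, card and address have been rebuilt from their post-reclaim activity.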
Account reclaim information will also show in the network as below: