The pandemic created the perfect storm for the food delivery industry to thrive. But increased activity has drawn in greedy fraudsters and account takeover attacks have skyrocketed. Find out why your customers’ food delivery accounts are particularly tempting…
A lot has changed since the first online ordering and delivering service was launched in 1994. Now the global food delivery industry is worth over $150 billion. And this is expected to rise above $200 billion by 2027. Lockdown, demand for convenience, technology, and the convergence of the on-demand and sharing economies have boosted the food delivery ecosystem. But this rise in traffic has made it a tasty target for online fraudsters.
Almost 60% of food delivery merchants say that account takeover is one of their top fraud risks. And around 70% have seen an increase in attacks in the past year. Unfortunately, this surge isn’t too surprising. At the start of the pandemic darknet mentions of major food delivery apps increased 230%. And fraudsters don’t seem to have had their fill.
It seems unlikely that attacks on food delivery businesses will slow down. In fact, many argue that the problem will get worse before it gets better. But why are your customer accounts so susceptible to account takeover?
Demand for a more frictionless customer journey means that food delivery app users usually face fewer security hurdles. The worry is that too many steps could discourage legitimate customers from placing orders. This, combined with the fast-paced nature of the industry, makes food delivery accounts a satisfying treat for fraudsters. Once in, they have access to card information, addresses and any loyalty points the customer might have. So it can often be quite the payout!
Greedy fraudsters also know that they can exploit relaxed security to commit refund abuse. One of the easiest ways to commit refund fraud is by taking over an established customer account with a high reputation. This is because companies want to provide trusted customers with the smoothest experience possible. Fraudsters can request refunds on dispatched items with little trouble and make use of the money credited to the account.
As part of PSD2, European merchants must enforce Strong Customer Authentication (SCA), or multi-factor authentication. This has made some types of fraud more difficult, but fraudsters are always quick to sniff out new opportunities.
There are exemptions to SCA that you can use to support a more frictionless customer experience. These exemptions reduce the number of times you need to authenticate a customer. For on-demand businesses, where speed is a critical part of your model, these exemptions are incredibly valuable. But fraudsters are just as knowledgeable about new regulations as merchants are – if not more.
Fraudsters are very aware of which transactions are less likely to have SCA applied. It would make sense that food delivery merchants try to make the most of Transaction Risk Analysis (TRA), Low Value Payments, or Trusted Beneficiaries exemptions. But what are these exemptions and how might fraudsters exploit them?
The TRA exemption applies to all transactions deemed low risk, based on a TRA assessment. Where this isn’t possible, you can apply a low value exemption on any transaction below €30. With trusted beneficiaries, customers are able to “safelist” certain merchants.
By taking over the account of a legitimate trusted customer, fraudsters could potentially benefit from their clean record, so long as the transaction doesn’t look drastically out of the ordinary. If that doesn’t work, food delivery transactions are often low value, so fraudsters can get away with up to five transactions before authentication is required. Or they can take the chance that hungry customers will safelist their favorite food delivery apps.
Accounts with a free pass on authentication are a big draw for fraudsters. As merchants develop SCA exemption strategies, we might see a surge in account takeover attacks.
Studies have found call centers to be a weak spot of choice for account takeover attacks. And PSD2 regulations are sure to make them even more inviting. With higher barriers to entry, fraudsters are likely to turn to tried and true tactics – namely, exploiting human error. In the case of food delivery merchants, this is likely to be customer support services.
Customer support often uses knowledge-based authentication to grant access to customer accounts. By using social engineering techniques to target call center agents, fraudsters are able to completely bypass technology solutions to get access to customer accounts.
As we’ve already seen, there are lots of shady actors with information to sell. From there, it doesn't take much for an enterprising fraudster to manipulate an agent into helping change a password or email address on a food delivery account.
Our research has shown that food delivery merchants are most likely to track password and email changes. While these activities can be big red flags, we have found that attackers are more likely to change the phone number than the email address. Around 10% of attackers changed the email address, while 48% changed the phone number. In around 15% of attacks, the phone number on the account was changed twice or more. But only 52% of merchants say they track phone number changes.
In general, the percentage of food delivery merchants that report tracking user activity across the board is worryingly low. Password changes were the most tracked activity and this was only at 60%. With account takeover on the rise, making a concerted effort to monitor these factors could make a huge difference. That said, 80% of food delivery merchants say they have a specific account takeover tool. But is this alone enough?
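As an added illustration (not Ravelin's code and not part of the original article), the sketch below shows what monitoring these account changes could look like in practice: it flags repeated phone number changes, contact details changed through customer support, and refunds requested shortly after a contact change. The event names, channels, 24-hour window and sample events are all assumptions constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (account_id, ISO timestamp, event type, channel).
SAMPLE_EVENTS = [
    ("acct-1", "2022-03-01T12:00:00", "phone_change", "support"),
    ("acct-1", "2022-03-01T12:20:00", "phone_change", "app"),
    ("acct-1", "2022-03-01T13:05:00", "refund_request", "app"),
    ("acct-2", "2022-03-02T09:00:00", "password_change", "app"),
    ("acct-3", "2022-03-02T18:00:00", "email_change", "support"),
    ("acct-3", "2022-03-05T18:30:00", "refund_request", "app"),
    ("acct-4", "2022-03-03T20:00:00", "phone_change", "app"),
]

CONTACT_CHANGES = {"phone_change", "email_change"}
REFUND_WINDOW = timedelta(hours=24)  # assumed review window, tune per business


def review_flags(events, window=REFUND_WINDOW):
    """Return {account_id: sorted reasons} for accounts that merit review."""
    by_account = defaultdict(list)
    for account, ts, kind, channel in events:
        by_account[account].append((datetime.fromisoformat(ts), kind, channel))

    flags = {}
    for account, rows in by_account.items():
        rows.sort()  # chronological order per account
        reasons = set()
        # The article reports the phone number changing twice or more in some attacks.
        if sum(1 for _, kind, _ in rows if kind == "phone_change") >= 2:
            reasons.add("phone number changed twice or more")
        for changed_at, kind, channel in rows:
            if kind not in CONTACT_CHANGES:
                continue
            # Changes made by an agent bypass the app's own authentication.
            if channel == "support":
                reasons.add("contact detail changed via customer support")
            # A refund soon after a contact change fits the refund-abuse pattern.
            if any(k == "refund_request" and changed_at < t <= changed_at + window
                   for t, k, _ in rows):
                reasons.add("refund requested soon after contact change")
        if reasons:
            flags[account] = sorted(reasons)
    return flags


if __name__ == "__main__":
    for account, reasons in review_flags(SAMPLE_EVENTS).items():
        print(account, "->", "; ".join(reasons))
```

A single phone change made in the app is deliberately left unflagged here; in a real deployment it would feed a risk score alongside other signals rather than trigger review on its own.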
The pandemic may have supersized the food delivery industry, but many businesses in this space have remained unprofitable. For food delivery merchants, the leading risk factors when it comes to account takeover are revenue loss and the fines associated with data theft. UK and EU GDPR and Data Protection Act fines can reach £17.5 million and €20 million respectively, or 4% of annual global turnover. So the financial threat that account takeover poses to food delivery businesses cannot be overstated.
What’s more, account takeover can very quickly turn your relationship with customers sour. An attack can destroy your business’ reputation, particularly if victims complain publicly. With multiple high-profile players competing in the food delivery market, headlines about delivery accounts being hacked are deadly.
Fraudsters are smart and adapt quickly, so you need to be on the ball. PSD2 will protect your business from many types of fraud. But it could also leave you vulnerable to new creative fraud types if you get too complacent. Small changes like implementing a breached credential database, expanding your user activity monitoring and training your customer service staff could make a world of difference. Find out more about how you can protect your customer accounts.
Lola Omo-Ikerodah, Content Writer