Ravelin logo

Ravelin Insights

Account takeover fraud

Everything you need to know about credential stuffing, customer impact and reputational risk

Contents

  • What is account takeover?
  • What does the fraudster do with the account?
  • How big is the risk to merchants?
  • Data breaches and passwords create perfect conditions for account takeover
  • How does a fraudster get stolen credentials?
  • Who is impacted by account takeover?
  • Customer responses to account takeover
  • What makes it so hard to detect?
  • How to raise awareness of account takeover
  • Six ways to spot an account takeover attack
  • How to prevent and limit the impact of an attack
  • Managing the aftermath of an account takeover breach
  • Why machine learning is effective against account takeover


What is account takeover?

Account takeover, also known as account compromise, happens when a fraudster gains access to a genuine customer’s account. Any online account can be taken over: ecommerce accounts, subscriptions, bank and credit card accounts, email accounts and so on. This guide focuses on account takeover at online merchants.

What a typical account takeover looks like

  1. The fraudster uses stolen credentials to access a genuine account.
  2. Depending on the attack, they may change the account details.
  3. They use the account to order goods, or sell the account data elsewhere.

What does the fraudster do with the account?

Once a fraudster has compromised an account, what can they do with it? There are a range of options available:

  • Make fraudulent orders using saved or stolen card details
  • Use loyalty points or account credits
  • Sell the confirmed account
  • Extract the customer data to sell

To learn more about how fraudsters monetize compromised accounts, we analysed data from ATO attacks against food delivery businesses.

Here’s what we found:

71% of ATO attacks resulted in the attacker placing an order

We found that for food delivery ATO attacks, the primary method for monetizing the account was to place an order. This is likely to be heavily influenced by the type of business we are analysing; food delivery is likely to appeal to a certain type of attacker, like the Hungry Fraudster.

We found that when an attacker does place an order, they make 3 to 4 orders on average, with around a 50% success rate. In the 29% of attacks that did not result in an order, something may have stopped the attacker (for example, the customer spotted a change on their account and contacted the merchant), or the account may have been monetized another way, such as resale or extraction of customer data for sale online.

46% of attacks included orders placed to a city/region different from the customer’s previous order

For food delivery businesses, speed of delivery is critical and it’s not unusual for customers to order deliveries to different addresses. Although a changed delivery address can be an indication of ATO, it’s also common for genuine customers to order food to a new address. This shows how challenging it can be to differentiate ATO activity from normal customer behavior, and why analyzing a combination of indicating factors is key.

10% of attackers changed the email address, while 48% changed the phone number

Our analysis showed that attackers were more likely to change the phone number on the compromised account than the email address. This may be because food delivery services often send an SMS text message to the customer to alert them that an order has been received or is on the way. The fraudster changing the phone number would stop the genuine customer getting this alert and contacting the merchant to cancel the order.

It’s also common for delivery drivers to use the account phone number to get in touch with the customer when they are attempting delivery. Fraudsters don’t always use their true address, to avoid it being blacklisted by a merchant - therefore they may contact the driver to arrange the drop off somewhere else.

Additionally, this could be due to the widespread use of SMS one-time passwords for authentication. If a new address or unusual activity triggers an authentication request, the fraudster can pass the challenge with their own phone number, without alerting the customer or the merchant.

In around 15% of attacks the phone number on the account was changed twice or more - suggesting that fraudsters may use temporary phone numbers.

How big is the risk to merchants?

Financial cost, business reputation and customer loyalty implications

Account takeover is a significant threat to online businesses. So far, it’s not as common and the cost is not as high as for chargeback fraud (yet). But there are other costs involved with account takeover: an incident can shred business reputation when victims complain publicly, and if managed badly it can put a huge dent in customer loyalty and retention.

Increasingly common style of attack

In 2018 the cost of account takeover fraud in the United States tripled to $5.1 billion. The year before, in 2017, PYMNTS.com reported a 45 percent increase in account takeover.

One reason why this type of fraud is increasing is because merchants have gotten much better at detecting typical card-not-present fraud, and fraud solutions have come a long way.


Easy to implement and very hard to detect

Account takeover is particularly risky because it’s simple and low-effort to implement - we’ll explain how fraudsters do this attack below.

Coupled with this, it can be very difficult to detect, as the attacker has access to a genuine customer’s history which looks normal. Online businesses tend to encourage and trust repeat customers, which means a takeover can easily go undetected.

Data breaches and passwords create perfect conditions for account takeover

To understand why this can be so easy for fraudsters, it’s important to understand trends around data breaches and password reuse.

Data breaches

We live in a world of seemingly endless data breaches, impacting some of the most widely used services. Breached data can include usernames, passwords and sometimes even the answers to secret questions. The haveibeenpwned Twitter feed shows how common breaches are, and those are only the ones we know about; many breaches are never reported.

Password reuse

Nowadays, the average person has over 100 accounts that require passwords, which is a lot of passwords to remember. To keep things manageable, people often reuse one or two passwords everywhere. In fact, two-thirds of us reuse the same password across multiple services. Coupled with the fact that some people are still using passwords like ‘123456’, it’s a serious problem.

Data breaches involving login details can then be used to target other online services because there is a good chance that if someone does have an account elsewhere, they’ve used the same password.

How does a fraudster get stolen credentials?

There are a few different ways fraudsters can get into an account, with different levels of effort and time required. Malware or phishing are the most targeted and sophisticated methods. These both require a lot of effort, so they are more common in takeovers of bank accounts or corporate accounts with a much higher potential payoff.

Fraudsters can buy credentials in bulk on the dark web for relatively low cost. Once they have a set of logins to try against ecommerce businesses, they are more likely to use credential stuffing to find out if any of these logins work. So how does it work?

Credential stuffing

Credential stuffing suits attacks on online merchants because it is low-cost and low-effort, and it scales: a smaller payout per account is made up for by the number of victim accounts. The fraudster uses an automated tool or script to replay the stolen credentials against the login endpoint and see which ones still work. This can be done extremely quickly, at hundreds or thousands of login attempts a minute.

The tool takes username and password combinations and runs them against a login page. This is a bit like having thousands of keys in a bag and trying all of them on the front door of a house. With credential stuffing, you are much more likely to have the right ‘key’ because of password reuse.
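The traffic pattern described above is detectable from ordinary login logs. The following is an added example (not Ravelin code); the log format, the sample lines and the thresholds are assumptions for illustration. A stuffing tool leaves the reverse of a genuine user's trace: many different usernames from one source in a short window, most of them failing. The successes inside such a burst are the accounts that were just compromised and need a forced reset.

```python
"""Spot credential-stuffing traffic in login logs (added example, not Ravelin's code).

The log format, sample lines and thresholds below are assumptions for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> <client ip> <username> <ok|fail>" per line.
SAMPLE_LOG = """\
2024-03-01T12:00:01 203.0.113.7 alice@example.com fail
2024-03-01T12:00:02 203.0.113.7 bob@example.com fail
2024-03-01T12:00:02 203.0.113.7 carol@example.com ok
2024-03-01T12:00:03 203.0.113.7 dave@example.com fail
2024-03-01T12:00:03 203.0.113.7 erin@example.com fail
2024-03-01T12:00:04 203.0.113.7 frank@example.com fail
2024-03-01T12:00:05 203.0.113.7 grace@example.com ok
2024-03-01T12:00:06 203.0.113.7 heidi@example.com fail
2024-03-01T12:05:00 198.51.100.9 ivan@example.com fail
2024-03-01T12:05:20 198.51.100.9 ivan@example.com fail
2024-03-01T12:05:45 198.51.100.9 ivan@example.com ok
"""


def parse_log(text):
    """Return (timestamp, ip, username, succeeded) tuples with usernames normalised."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user.lower(), result == "ok"))
    return events


def detect_stuffing(events, window=timedelta(minutes=1), min_users=5, min_fail_ratio=0.5):
    """Per source IP, slide a window over its attempts and flag the IP if any window
    holds at least min_users distinct usernames with a failure ratio >= min_fail_ratio.
    Returns {ip: summary}; 'compromised' lists usernames that succeeded in the worst window."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        by_ip[ip].append((ts, user, ok))
    flagged = {}
    for ip, attempts in by_ip.items():
        attempts.sort()
        left = 0
        for right in range(len(attempts)):
            while attempts[right][0] - attempts[left][0] > window:
                left += 1            # drop attempts that fell out of the window
            span = attempts[left:right + 1]
            users = {u for _, u, _ in span}
            fail_ratio = sum(not ok for _, _, ok in span) / len(span)
            if len(users) < min_users or fail_ratio < min_fail_ratio:
                continue
            worst = flagged.get(ip)
            if worst is None or len(users) > worst["distinct_users"]:
                flagged[ip] = {
                    "distinct_users": len(users),
                    "attempts": len(span),
                    "fail_ratio": round(fail_ratio, 2),
                    "compromised": sorted(u for _, u, ok in span if ok),
                }
    return flagged


if __name__ == "__main__":
    for ip, summary in detect_stuffing(parse_log(SAMPLE_LOG)).items():
        print(ip, summary)
```

Keying on the client IP is the simplest cut and is exactly what proxies and botnets are used to defeat, so the same window logic is worth running keyed on device fingerprint or ASN as well, and on the site-wide rate of distinct usernames failing. The single-IP source with one username and three attempts (ivan) is a customer mistyping a password and is correctly left alone.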

Who is impacted by account takeover?

Consequences for customers

Often the customer is the first person to realise an account takeover has happened. They may notice charges on their card or get a notification from the merchant for an order they didn’t make.

The customer may have to call around to the merchant and their bank to connect the dots and prove that their account has been compromised. An attack costs victims an average of $290 and 15 hours to resolve - this often adds up to a very unhappy, stressed customer.

Consequences for merchants

Chargebacks and other fees

A business might only realise their customers have been victims of an account takeover when they suddenly start to see increased chargebacks and increased customer transaction disputes. As with typical payment fraud, chargebacks and the associated fees can be expensive and also carry the risk of ending up on a chargeback management program.

There are also concerns about fines under the General Data Protection Regulation (GDPR) and similar laws if the incident is treated as a personal data breach.

Customer loyalty and retention

With account takeover, customers often blame the merchant for having poor security, even when the original data breach happened elsewhere. This can result in loss of customer trust, low retention of customers and decrease in the lifetime value of the customer. Most importantly, businesses can face real brand damage when customers complain publicly.

Strain on operations teams

For many businesses, account takeover is a relatively new problem, so they have limited or no resources for managing it. The business response can then be slow or complicated, giving the attack more time to do damage. Many businesses would rather resolve the issue with the customer directly and offer a refund than incur a chargeback, which adds stress on the operations teams that respond to customer queries; because a single attack hits many accounts at once, the volume can be overwhelming.

Customer responses to account takeover

Understandably, customers don’t like their accounts being hacked. What makes it even worse, is when businesses don’t respond quickly or fail to manage the problem effectively in their customers’ eyes.

PlayStation

Brad Bourque’s PlayStation account was hacked while he was asleep: his account details were changed and a new device was added. When he finally got through to Sony to ask for a refund of the charges on his account, he was told he had to pay them or his account would be frozen. Only after he published his story did he get the money back. Many other customers have reported account takeovers on Twitter.


Chipotle

A stream of customers of US fast-food giant Chipotle reported their accounts being hacked, taking to Twitter and Reddit to complain. Many customers were unable to get a refund and were angry with Chipotle for allowing orders in states a significant distance from them and not verifying the person picking up the order.


What makes it so hard to detect?

Genuine customers have a good spending history

Once the fraudster is inside, they can hide behind the genuine customer’s positive history and the trust they have built up with the seller, which makes fraudulent behavior harder to detect. The best point to detect account takeover is therefore at login, which is why fraudsters take steps to make their logins look as genuine as possible.

Fraudsters mimic normal login behavior

Fraudsters use proxies or botnets to make it look like the login attempts are coming from a variety of sources instead of a single attacker. They can choose popular login times to mimic normal traffic - such as targeting mealtimes to login to a food delivery service. Automated tools are available to allow fraudsters to get around things like CAPTCHA challenges.

Fraudsters are always sharing knowledge

There are countless YouTube videos explaining how to carry out an account takeover. There are also active cracking forums where fraudsters offer advice, tooling and combo files of credentials, and share tips on how to make credential stuffing more profitable.

Business responses to the threat

Despite the alarming rise in account takeover, many companies aren't putting in the protocols, time, or technology necessary to manage the problem. What’s behind this?

No clear owner for the account takeover problem

One reason for this is because for many businesses, account takeover is a relatively new fraud problem. It doesn’t have one clear owner - it affects many different teams. An account takeover looks very different from typical card-not-present fraud. A single attack affects hundreds of different genuine customer accounts at the same time. By the time the Payments team notices a chargeback relating to an account takeover, often the damage has already been done across multiple other accounts.

Different priorities around logging in and ease of use

This means it’s important for not only the Fraud and Payments teams, but also Security/Risk, Product and Marketing departments to tackle the issue. Defining the right way to deal with account takeover is complicated by the goals and priorities of each; for example, the Marketing department may prioritize ease of ordering over repeating authentication checks when a customer logs in using a new device.

Because of these factors, we often hear from merchants who say it’s a challenge to get business leaders to recognize the risk of account takeover and allocate budget to the problem. But many businesses struggle to react quickly if they don’t have specific protection in place for this style of attack - so how can you raise the issue within your business?

How to raise awareness of account takeover

Make sure everyone understands the real costs of account takeover

It’s great that protection against typical online card fraud has advanced, but fraudsters are now switching to new tactics. Use statistics to highlight how much the risk is increasing: attacks tripled between 2016 and 2017, and mobile account takeover attacks increased again in 2018.

But the cost of account takeover is not limited to chargebacks - they are just the tip of the iceberg. Under GDPR and other privacy laws, fines relating to customer data can be in the millions.

Investigate the real impact of account takeover on your business

Talking about general statistics will only go so far - to get buy-in you need to relate to your own business. Look into instances of account takeover in your business. Find specific cases of customer complaints about their accounts being impacted on social media, investigate how this affected a real customer, listen to calls or read email complaints. Look into how long it took to resolve the issue across different teams and how the time impacted your response.

Don’t underestimate the cost of reputational damage

When multiple customers are the victim of an account takeover, customers often believe the merchant is insecure, regardless of whether they were the source of the data breach or not. News of a hack spreads fast on social media, and this reputational damage can cause you to lose new/repeat business and lead to customers closing their accounts entirely.

In today’s world, customers are increasingly focused on their privacy and security. It’s no surprise that 90% of companies say business security is a competitive differentiator and can help win new customers.


Form a united taskforce and relate the problem to each team’s priorities

As well as including different departments in the conversation, you also need to speak in their language. Speak about the aspects of account takeover that matter to them. Find out how to relate the problem to each department in this article on how to get buy-in for an account takeover solution.

Six ways to spot an account takeover attack

So, the same thing that makes account takeover so successful is also what makes it so hard to detect. A fraudster poses as a real customer with a healthy purchasing history and no indicators of fraud - making it more difficult for systems to spot abnormal behavior and prevent the attack.

So how can you stay on top of the growing threat? Here are six things to look out for to protect your customer accounts and prevent losses.

1- Multiple accounts suddenly changing details to the same thing

Some fraudsters want to claim an account, so that no one else can attempt to take it over after them. To do this, they change details on the genuine customer profile. They don’t have to change all details - often only one field needs to change.

In one case, we noticed a mass change of contact telephone number across a huge number of customer accounts. When we investigated we found all the customers had changed this to exactly the same phone number - likely owned by a fraudster.

2- New account details, new device and new delivery address

When there are no links or common details between customers, how can you spot the attack? Even the most sophisticated fraudsters still follow the same behavior patterns. We’ve found a combination of events that show an account has been hacked:

  1. The customer has updated a detail on the account (telephone, email, name).
  2. The account has had a login from a new device within 24 hours of that change.
  3. After both 1 and 2, the customer has placed an order to a new delivery location.

3- Accounts with multiple IP address countries

A high number of distinct IP address countries on a single account is a good indicator of account takeover. When a fraudster is doing mass logins to check which accounts they can access, they don’t know the location of each customer, so they can’t pick a matching IP address country every time.

Plus, there are often multiple fraudsters trying to access the same accounts, usually soon after a breached account list becomes available online. Even the most well-travelled customers couldn’t manage to span the globe this quickly!

4- Lots of customer detail changes happening at once

We often see a fraudster accessing an account in a takeover, and then doing nothing right away. In this case, we flag the login and the merchant takes precautionary actions to prevent account takeover, such as by sending the customer an alert.

This can trigger the fraudster to panic and try to secure the accounts they have taken over by quickly changing the email and passwords on all their victim accounts. We’ve recorded massive spikes in email changes immediately after precautionary action has been taken.

5- Ratio of known/unknown device models

Fraudsters often use software to try and hide what device they’re using - called device spoofing. This means that their devices come up with ‘unknown’ as the model. Victim accounts are usually connected to more ‘unknown’ devices than genuine devices with a known model.

6- Multiple accounts linked to the same device

Often, fraudsters don’t mask their device between logging into new accounts. This means all the affected accounts are linked to one device - the fraudster’s. However, it’s important to remember that devices may also be shared by family, friends or work teams so you should also look for other factors to confirm an attack.

If you notice two or more of these signs in your customer data, it could be the sign of an account takeover which you should investigate as soon as possible.

It’s a good idea to make sure you are collecting the data behind all of these signs, in particular historical changes to the account, e.g. changes of contact details, payment methods and passwords. The data should be stored in a way that lets you cross-reference it; we’ll explain why below.
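Signs 1, 2, 3 and 6 above can be computed directly from an account event stream once it is stored in a cross-referenceable form. The following is an added example, not Ravelin's code; the event schema, the sample events and the thresholds are assumptions for illustration (signs 4 and 5 need a time series of alerts and device-model data that the sample does not carry). Each check is a weak signal on its own; `score_accounts` counts how many fire per account, since the page suggests two or more as the trigger to investigate.

```python
"""Flag account-takeover signals over a batch of account events (added example, not
Ravelin's code; schema, sample data and thresholds are assumptions)."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real customer data): logins, detail changes, orders.
EVENTS = [
    # a1: genuine customer, one device, one country, orders to the same city
    {"ts": "2024-03-01T18:02", "account": "a1", "type": "login", "device": "d-a1", "country": "GB"},
    {"ts": "2024-03-01T18:05", "account": "a1", "type": "order", "city": "Leeds"},
    # a2: GB history, then a new device logs in, swaps the phone, orders to a new city
    {"ts": "2024-02-20T19:00", "account": "a2", "type": "login", "device": "d-a2", "country": "GB"},
    {"ts": "2024-02-20T19:03", "account": "a2", "type": "order", "city": "Leeds"},
    {"ts": "2024-03-02T11:00", "account": "a2", "type": "login", "device": "d-x", "country": "RO"},
    {"ts": "2024-03-02T11:02", "account": "a2", "type": "change", "field": "phone", "value": "+447700900123"},
    {"ts": "2024-03-02T11:10", "account": "a2", "type": "order", "city": "Manchester"},
    # a3, a4: the same new phone number as a2, logins from the same device d-x
    {"ts": "2024-03-02T11:20", "account": "a3", "type": "change", "field": "phone", "value": "+447700900123"},
    {"ts": "2024-03-02T11:21", "account": "a3", "type": "login", "device": "d-x", "country": "RO"},
    {"ts": "2024-03-02T11:30", "account": "a4", "type": "change", "field": "phone", "value": "+447700900123"},
    {"ts": "2024-03-02T11:31", "account": "a4", "type": "login", "device": "d-x", "country": "NL"},
    # a5: three IP countries in forty minutes, typical of mass login checks through proxies
    {"ts": "2024-03-02T12:00", "account": "a5", "type": "login", "device": "d-p1", "country": "US"},
    {"ts": "2024-03-02T12:20", "account": "a5", "type": "login", "device": "d-p2", "country": "BR"},
    {"ts": "2024-03-02T12:40", "account": "a5", "type": "login", "device": "d-p3", "country": "VN"},
]


def _ts(e):
    return datetime.fromisoformat(e["ts"])


def shared_new_values(events, min_accounts=3):
    """Sign 1: the same new value set on a contact field across several accounts."""
    owners = defaultdict(set)
    for e in events:
        if e["type"] == "change":
            owners[(e["field"], e["value"])].add(e["account"])
    return {key: accts for key, accts in owners.items() if len(accts) >= min_accounts}


def change_newdevice_neworder(events, within=timedelta(hours=24)):
    """Sign 2: a detail change and a login from a device never seen on the account,
    within 24h of each other, followed by an order to a city the account never used."""
    by_acct = defaultdict(list)
    for e in sorted(events, key=_ts):
        by_acct[e["account"]].append(e)
    flagged = set()
    for acct, evs in by_acct.items():
        seen_devices, seen_cities = set(), set()
        change_at = new_device_at = None
        for e in evs:
            t = _ts(e)
            if e["type"] == "change":
                change_at = t
            elif e["type"] == "login":
                if e["device"] not in seen_devices:
                    new_device_at = t
                seen_devices.add(e["device"])
            elif e["type"] == "order":
                if (change_at and new_device_at and abs(change_at - new_device_at) <= within
                        and e["city"] not in seen_cities):
                    flagged.add(acct)
                seen_cities.add(e["city"])
    return flagged


def many_countries(events, max_countries=2, window=timedelta(hours=24)):
    """Sign 3: more distinct IP countries on one account in a window than travel allows."""
    logins = defaultdict(list)
    for e in events:
        if e["type"] == "login":
            logins[e["account"]].append((_ts(e), e["country"]))
    flagged = set()
    for acct, ls in logins.items():
        ls.sort()
        for i, (t0, _) in enumerate(ls):
            if len({c for t, c in ls[i:] if t - t0 <= window}) > max_countries:
                flagged.add(acct)
                break
    return flagged


def shared_devices(events, min_accounts=3):
    """Sign 6: one device fingerprint on several accounts (families and shared office
    machines do this too, so it only counts alongside other signals)."""
    accts = defaultdict(set)
    for e in events:
        if e["type"] == "login":
            accts[e["device"]].add(e["account"])
    return {dev: a for dev, a in accts.items() if len(a) >= min_accounts}


def score_accounts(events, threshold=2):
    """Number of signals firing per account; two or more is the investigation trigger."""
    score = Counter()
    for accts in shared_new_values(events).values():
        score.update(accts)
    score.update(change_newdevice_neworder(events))
    score.update(many_countries(events))
    for accts in shared_devices(events).values():
        score.update(accts)
    return {acct: n for acct, n in score.items() if n >= threshold}
```

On the sample, a2 scores three (shared phone number, shared device, and the change/new-device/new-city sequence), a3 and a4 score two, and a5 only one: its country hopping alone is not enough to act on, but it is the kind of login you would want to challenge rather than block outright.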

How to prevent and limit the impact of an attack

As we know, account takeover looks different to typical online payment fraud. Login rates, devices and customer credentials are important things to watch. Here are some of the ways you can prevent or contain an attack.

Set rate limits on login

Setting rate limits on logins around device, username and IP address can specifically target account takeover. You can set thresholds for this depending on your specific operational requirements and how your customers usually behave. You can also incorporate limits on other account takeover signals such as the use of proxies.

Cross reference login data with existing data

In your customer analytics, make sure you’re taking into account the specific login data for device, browser, IP address etc. Cross reference this with normal customer identity and behavior data and other information such as orders, payment methods, transactions and locations. This will make it easier to spot anomalies across your customer base.

Check for breached credentials

Using a breached credentials database, you can quickly check whether a new user has signed up with known breached credentials, or whether an existing user’s details have appeared in a breach. This means you can stop new users signing up with compromised details, and proactively alert existing users when they have been exposed and recommend they reset their password.
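The check can be done without handing the password, or even its full hash, to the checking service, using the k-anonymity "range" scheme of the Pwned Passwords API: the client sends the first five hex characters of the SHA-1 hash, receives every known suffix under that prefix, and matches locally. The following is an added example, not Ravelin's code; the breach corpus is constructed and tiny, and a real deployment would call a breached-credentials service for the range lookup. Note that public range APIs check the password on its own; checking the email and password pair needs a provider that holds pairs.

```python
"""k-anonymity breached-password check (added example, not Ravelin's code; the corpus
and the lookup stand-in are constructed for illustration)."""
import hashlib
from collections import defaultdict

# Constructed corpus: password -> times seen in breaches (counts are invented).
CONSTRUCTED_CORPUS = {"123456": 37_000_000, "password": 9_000_000,
                      "qwerty": 4_000_000, "letmein": 250_000}


def sha1_hex(text):
    return hashlib.sha1(text.encode("utf-8")).hexdigest().upper()


def build_range_index(corpus):
    """Server side: group hashes by 5-char prefix, as a range endpoint would serve them
    ("SUFFIX:COUNT" lines)."""
    index = defaultdict(list)
    for pw, count in corpus.items():
        h = sha1_hex(pw)
        index[h[:5]].append(f"{h[5:]}:{count}")
    return {prefix: "\n".join(sorted(lines)) for prefix, lines in index.items()}


def make_lookup(index):
    """Stand-in for the HTTP range call; also records which prefixes were requested so
    the caller can confirm nothing more than a prefix left the client."""
    requests = []

    def lookup(prefix):
        requests.append(prefix)
        return index.get(prefix, "")
    return lookup, requests


def breach_count(password, range_lookup):
    """Client side: send only the prefix, match the suffix locally."""
    h = sha1_hex(password)
    prefix, suffix = h[:5], h[5:]
    for line in range_lookup(prefix).splitlines():
        candidate, _, count = line.partition(":")
        if candidate == suffix:
            return int(count)
    return 0


def password_policy(password, range_lookup, new_user=True):
    """Reject breached passwords at signup; for an existing user, recommend a reset
    rather than locking them out on the spot."""
    seen = breach_count(password, range_lookup)
    if seen == 0:
        return "ok"
    return "reject" if new_user else "recommend_reset"


if __name__ == "__main__":
    lookup, requests = make_lookup(build_range_index(CONSTRUCTED_CORPUS))
    print(password_policy("123456", lookup), "| prefixes sent:", requests)
    print(password_policy("correct horse battery staple 7!", lookup))
```

Because the suffix comparison happens on the client, the service only ever learns a five-character prefix shared by many unrelated hashes, which is what makes it safe to query with live customer passwords at signup and login time.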

Verify a user’s identity when they make a change

During account takeover, the fraudster often makes a change to the account eg. adding or changing payment methods, contact details or passwords. Of course, genuine users can do this too, so whenever this happens, send a challenge to authenticate it’s really the user wherever possible. You can do this by enabling two-factor authentication for your users.

Send users notifications of account changes

When a user does make a change, even if you have challenged the user to verify it’s them, you should still send them a notification of the change they made. This will ensure that even if the fraudster was able to sidestep the authentication, you can still alert the user about what’s happened. Here are some examples of how this looks...

[Images: account-change notification emails from Spotify and Netflix]
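Putting the two preceding points together, the following is an added example of a change-verification flow, not Ravelin's code; the `Account` fields, the `send` delivery hook and the code format are assumptions for illustration. The design point the page's own data supports is that the fraudster's first move is often to swap the phone number, so both the verification challenge and the "was this you?" notice must go to the contact details held before the change, not only to the value the requester just supplied.

```python
"""Step-up verification for account detail changes, with notifications to the old and
new contact details afterwards (added example, not Ravelin's code; Account fields,
the send() hook and the token format are assumptions)."""
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class Account:
    email: str
    phone: str


class ChangeFlow:
    MAX_ATTEMPTS = 3

    def __init__(self, send, token_factory=lambda: f"{secrets.randbelow(10**6):06d}"):
        self.send = send                  # send(channel, address, text): delivery hook
        self.token_factory = token_factory
        self.pending = {}                 # account_id -> pending change

    @staticmethod
    def _challenge_target(account, field):
        # Challenge the channel being replaced: it still belongs to the genuine customer
        # even if the request does not. For other fields, use the phone on file.
        if field == "email":
            return "email", account.email
        return "sms", account.phone

    def request_change(self, account_id, account, field, new_value):
        token = self.token_factory()
        self.pending[account_id] = {"field": field, "new_value": new_value,
                                    "token": token, "attempts": 0}
        channel, address = self._challenge_target(account, field)
        self.send(channel, address,
                  f"Your verification code is {token}. If you did not request a "
                  f"{field} change, contact support immediately.")
        return channel, address

    def confirm_change(self, account_id, account, submitted):
        p = self.pending.get(account_id)
        if p is None:
            return False
        p["attempts"] += 1
        if not hmac.compare_digest(p["token"].encode(), str(submitted).encode()):
            if p["attempts"] >= self.MAX_ATTEMPTS:
                del self.pending[account_id]     # burn the code after repeated guesses
            return False
        old_email, old_phone = account.email, account.phone
        if hasattr(account, p["field"]):
            setattr(account, p["field"], p["new_value"])
        # Notify every contact point, before and after the change: if the fraudster
        # slipped past the challenge, the old channel is the one the customer still holds.
        notice = (f"The {p['field']} on your account was changed. If this wasn't you, "
                  "contact support immediately so we can secure your account.")
        for channel, address in {("email", old_email), ("sms", old_phone),
                                 ("email", account.email), ("sms", account.phone)}:
            self.send(channel, address, notice)
        del self.pending[account_id]
        return True


if __name__ == "__main__":
    outbox = []
    flow = ChangeFlow(send=lambda ch, addr, text: outbox.append((ch, addr, text)))
    acct = Account(email="customer@example.com", phone="+447700900001")
    flow.request_change("a1", acct, "phone", "+447700900123")
    code = flow.pending["a1"]["token"]          # in production this is only ever delivered
    print(flow.confirm_change("a1", acct, code), acct)
    for message in outbox:
        print(message)
```

A phone change therefore sends the code to the old number and, once applied, leaves the old number a notice as well; three wrong guesses void the code so it cannot be brute-forced at leisure.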

Managing the aftermath of an account takeover breach

Create an account recovery process

If you alert a customer that a change has been made on their account and they confirm it wasn’t them, you need to have a process in place to keep their account safe. Draw up the possibilities of how you can recover the account for your genuine customer - for example:

  • Place a temporary freeze on the account to prevent the fraudster from making purchases
  • If the fraudster has changed the password, force a password reset with a new, temporary and unique password delivered to a contact detail you have verified belongs to the customer
  • Invalidate existing sessions and remembered devices, so the fraudster’s current login stops working as soon as the account is recovered

Make sure you have consistent messaging

Customers can rightly feel angry, confused and invaded when their personal details are at stake. There’s a chance that they could blame you as the merchant even when it’s not your fault. This means it’s important to be consistent in your messaging around the issue and make sure you use terms which don’t make the customer feel they will have lost access to their account and their personal data. Some examples could be ‘freezing’ or ‘securing’ an account, instead of ‘blocking’.

Why machine learning is effective against account takeover

We know account takeover is incredibly hard to detect quickly because the fraudster can hide behind a user’s normal history and good trust built up with the merchant. Machine learning is adept at spotting lots of tiny signals and combining these to point to a bigger picture.

Machine learning is also incredibly quick to spot these anomalies when compared to rules-based systems, meaning you can respond to an attack as it happens, rather than when it’s too late.

©2025 Ravelin Technology Ltd. All rights reserved.

Subscribe to get regular updates in your inbox