October is National Cyber Security Awareness Month. Throughout the entire month, we will feature topics on our blog covering a variety of security concerns. In this next post, we will look at ways to detect and prevent Account Takeover Fraud.
As more businesses move their operations online, customers are increasingly required to log in with their usernames and passwords to do everything from browsing to shopping to managing their accounts.
Today, this trend is creating a new problem for the payment industry — namely, account takeover (ATO) fraud.
If criminals ever get hold of a customer’s username and password, they can use that hacked account to glean a lot of that user’s information. That’s because many customers use variations of the same login credentials across a broad range of websites.
Thus, a savvy thief can eventually reverse-engineer:
- Credit card details from Account A.
- Social Security numbers from Account B.
- Billing addresses from Account C.
This is in sharp contrast to traditional credit card abuse in which criminals get away with making a few fraudulent charges. With ATO fraud, the potential damage is unlimited.
According to Patrick Reemts of the security firm ID Analytics, “If you steal a credit card, you’ve stolen one relationship.” He adds that, “With account takeover, you have the potential to access several relationships they have … The payoff is typically greater.”
What’s more, whereas credit cards often come with varying levels of liability protection, the same isn’t true when criminals have unrestricted access to bank accounts, retirement savings and other financial assets.
What’s truly alarming is how hard it is to detect and reverse account takeover fraud.
The Long-Term Impact of Account Takeover Fraud
With a hacked credit card, the problem is usually discovered in a few days. Thereafter, it’s just a matter of canceling that card and (hopefully) getting the charges reversed.
However, with a breached user account or stolen identity, the problem can go undetected for weeks — sometimes months. In fact, many criminals change the email address attached to the hacked account so that victims never receive notifications or alerts from the original merchant.
Once a breach is discovered, however, there are still a lot more headaches to come.
As the customer, be prepared to spend countless hours:
- Calling banks and credit card companies to reverse the damages.
- Changing login credentials for each and every site you visit.
- Applying for new Social Security numbers, credit cards, driver’s licenses, etc.
- Speaking with lawyers, regulators and law enforcement officials.
As a merchant, you have to deal with all of the above, as well. Plus, even if you weren’t at all responsible for the breach, you may face potential fees, litigation and irreversible damage to your company’s reputation.
This problem will only get worse as more brick-and-mortar retailers migrate to Europay, Mastercard and Visa (EMV) credit cards. Thanks to their advanced security features, these chip-enabled cards are driving criminals into the online world where the risks are smaller and the payoffs are higher.
Against this backdrop, what steps can you take to protect your business and customers from account takeover fraud?
The answer lies in detection and prevention.
Step 1: How to Detect ATO Fraud
On the merchant side, account hacking is very difficult to detect. Most breaches happen on a case-by-case basis, meaning you’d have to actively monitor every single user account in your system.
To make matters worse, criminals use a broad range of tactics to gain access to usernames and passwords. Some of the more popular scams include viruses — almost all of which happen on the customer’s side.
However, there are proven strategies for catching the abuse before it negatively impacts your business. For example, many criminals use fake emails to redirect unsuspecting customers to “dummy” sites that are branded to look like your online store:
- You can use Google Alerts to monitor your online presence. You’ll receive an automatic notification whenever Google indexes a site that mentions your company’s name — including dummy sites pretending to be you.
- You can also add your email address to your company’s newsletter. If a criminal posing as you ever sends a fake email blast, you’ll receive the fraudulent message and can respond accordingly.
Another common strategy is to use fraud management filters to detect abuse:
- With velocity filters, for example, you can automatically flag suspicious purchases made in rapid succession.
- With threshold filters, you can set minimums and maximums for legitimate purchases. If all the products you sell are over $10, for example, this type of filter would automatically flag a purchase made for $8.50.
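The two filters described above, as an added example (not code from the original post): a velocity filter that flags an account once it exceeds a set number of purchases inside a sliding time window, and a threshold filter that flags amounts outside the plausible range for the catalogue (the $10 minimum from the example). The purchase events, account names, window and limits are all constructed for illustration; events are assumed to arrive in time order.

```python
"""Velocity and threshold filters over a constructed stream of purchase events."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (not real data): (account, ISO timestamp, amount in USD).
# Assumed to be sorted by timestamp, as a transaction log normally is.
SAMPLE_EVENTS = [
    ("acct-1001", "2023-10-05T10:00:00", 24.99),
    ("acct-1001", "2023-10-05T10:00:40", 24.99),
    ("acct-1001", "2023-10-05T10:01:10", 24.99),
    ("acct-1001", "2023-10-05T10:01:35", 24.99),  # 4th purchase inside 5 minutes
    ("acct-2002", "2023-10-05T11:15:00", 8.50),   # below the $10 catalogue minimum
    ("acct-3003", "2023-10-05T12:30:00", 45.00),
    ("acct-3003", "2023-10-05T18:30:00", 39.00),  # hours apart: normal behaviour
]


def velocity_filter(events, max_purchases=3, window=timedelta(minutes=5)):
    """Flag an account once it exceeds max_purchases within a sliding window."""
    recent = defaultdict(deque)   # account -> timestamps still inside the window
    flagged = []
    for account, ts, _amount in events:
        t = datetime.fromisoformat(ts)
        q = recent[account]
        q.append(t)
        # Drop timestamps that have fallen out of the window.
        while q and t - q[0] > window:
            q.popleft()
        if len(q) > max_purchases:
            flagged.append((account, ts, "velocity"))
    return flagged


def threshold_filter(events, min_amount=10.00, max_amount=500.00):
    """Flag purchases outside the plausible range for this catalogue."""
    return [(account, ts, "threshold") for account, ts, amount in events
            if amount < min_amount or amount > max_amount]


def run_filters(events):
    """Apply both filters; return a sorted, de-duplicated list of flags."""
    flags = velocity_filter(events) + threshold_filter(events)
    return sorted(set(flags))


if __name__ == "__main__":
    for flag in run_filters(SAMPLE_EVENTS):
        print(flag)
```

Each flag is a (account, timestamp, rule) tuple that can be routed to manual review; tuning `max_purchases`, `window` and the amount bounds to the store's real order history is what keeps the false-positive rate tolerable.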
However, detection can only take you so far. If you really want to reduce the frequency and severity of account takeover fraud, you need to invest in prevention.
Step 2: How to Prevent ATO Fraud
Because account hacking is mostly a customer-side problem, the first step involves training your users to protect themselves by:
- Creating unique usernames and alphanumeric passwords for every site.
- Using password management tools such as LastPass and KeePass to keep track of all these unique credentials.
- Installing updates, patches and virus protection on all computers and mobile devices.
- Using two-factor authentication instead of just relying on traditional passwords.
Finally, you must train your customers to never respond directly to any emails you send — especially those that ask for sensitive details. Instead, users should go directly to your company’s website to manage their accounts.
Unfortunately, not all customers will be as proactive as you’d like them to be. It’s up to you to fill the gaps by:
- Investing in PCI-compliant data security to safeguard sensitive information.
- Keeping your own IT infrastructure up to date with virus protection, patches and the latest versions of any software you currently use.
- Requiring longer passwords, complete with symbols, upper/lowercase letters and numbers.
- Requiring frequent and mandatory password changes for all users. You might also consider making it impossible for customers to use previously created passwords and variations.
- Requiring more verification steps — especially for online purchases. In addition to credit cards and expiration dates, you should require billing addresses and CVV codes.
A Final Warning about ATO Fraud and Account Hacking
No single fraud prevention strategy can keep you and your customers fully protected, 100 percent of the time. In the Internet age, there are simply too many weaknesses and vulnerabilities — most of which are beyond your control.
However, by combining the above strategies, you can make your business less inviting to potential thieves, and thus more inviting to potential customers.