An eCommerce Showdown: Account Takeover VS Behavioral Biometrics

November 20, 2019

When it comes to eCommerce fraud, account takeover (ATO) is at the forefront of attacks. While retailers are aware of this threat, they are still unable to detect the attack until after the fact. As they scramble to find solutions, fraudsters continue to develop more sophisticated attack tools. 

The Fraud Epidemic

According to Javelin, fraud losses reached $14.7 billion last year, with 679,000 ATO incidents originating from mobile-specific attacks. That doesn’t factor in loss of company reputation or customer privacy.

The build up to account takeover is fairly simple. Fraudsters obtain stolen validated user credentials and monetize them: they use payment details saved on the account to make purchases; sell or trade loyalty or rewards points; or change account details, like the shipping info. When faced with these attacks, companies are at risk of more than just fraud losses. Customer frustration and loss in brand loyalty can be even more costly in the long term.

In addition to ‘plain old hacking’ techniques, fraudsters have increased their cold outreach tactics via email, text, and even snail mail in an attempt to lure unsuspecting victims. There are a variety of attack methods to choose from, and fraudsters are working together to pull off more, larger-scale attacks. As a result, something of a global fraudster ecosystem has come to life.


Fraudsters' ATO Toolkit

Fraudsters can choose between manual or automated attack methods to execute account takeover:


As detailed here, in order to complete an ATO attack, fraudsters need to get their hands on a list of validated user credentials. They will manually input the credentials, then proceed to the monetization stage of the attack. But this action can be easily automated, making manual attacks a rare instance. A fraudster may choose this type of method when breaching an extremely high-value account, or a site with highly sophisticated security, in order to boost his reputation in the community.



Automated scripts, known as bots, are by far the largest threat. Not only can they run multiple application instances and mimic user behaviors, but they do this with harder-to-detect efficiency. Anything a fraudster can do manually, bots can do better and faster.


An emulator is a virtual simulation of a mobile device. It is software that runs a complete mobile environment on a computer and was originally developed for legitimate purposes. Gamers use them to play their mobile games on their desktop; app developers will use an emulator to test their native mobile apps without having to use mobile devices. 

Bots and emulators are generally used separately though they can also be used together, depending on the target, to make use of their collective advantages. Long story short, bots and emulators give fraudsters the ability to rapidly scale their attacks in ways that were not previously possible.

Figure: Emulators & Bots Working Together. Bots and emulators can be used separately or together to make use of their collective advantages.


The Account Takeover Sweetspot

Online Retailers

The most obvious target for account takeover attacks is online retailers, which includes anything from apparel and accessories, to electronics, jewelry and luxury items and more. The reasons are simple: large and/or expensive purchases can be made from one or more stores, often at the click of a button. Or two. With the use of stolen user credentials, fraud teams are unlikely to be aware of the attack until a chargeback request has been made by the legitimate account holder. And by then it is too late, the good(s) have already been dispatched. 

Digital Goods

A digital good is a pretty new type of product or service "that exists in an intangible format as a file". It is especially vulnerable to fraud due to its streamlined payment process. Like moths to a flame, fraudsters have homed in on this industry to penetrate user accounts in order to resell or transfer eGift cards, eTickets, streaming service credentials and more. There is sometimes the added bonus of saved payment details in these accounts. Netflix took note of this threat recently and implemented a tokenization technique to mitigate it.

Online Travel Agencies

Planning and booking vacations online is commonplace and, with the rise of loyalty programs, customers prefer to be repeat customers to generate points. What makes this target so attractive to fraudsters is that security hurdles are almost non-existent here. In the same way that fraudsters exploit retail and digital goods accounts, fraudsters can pay for services like flights or accommodation with just a couple of taps, or they can use, transfer or sell loyalty points, or both. 


Figure (Slideshare): Security hurdles are almost non-existent on online travel websites.


Early Detection 

The ugly truth is that traditional fraud prevention solutions are reactive, rigid and siloed, and therefore ill-equipped to handle the new age of advanced attack vectors. They result in false positives, late detection and undetected fraud, which create a ripple effect of consequences for your manual review team and the customer experience.

With its foundations in machine learning, Behavioral Biometrics passively verifies good users first and adapts to new, unknown threats. By separating human from non-human behaviors it detects suspicious behaviors earlier in the customer journey, stopping fraud before it happens.

At the Login

The first stage of an ATO attack is credential stuffing at the login. Traditional tools will make use of device fingerprinting and/or blacklists to detect suspicious activities at this stage. However, with these tools the likelier outcome is that the fraudster successfully completes this part of his attack before any indication of it is identified. In the unlikely case of a match, in other words a fraud alert, the account will be blocked, temporarily or permanently, and sent to the manual review team for investigation. Not only does this add to the workload of your workforce, it causes frustration for legitimate customers who are unable to access their accounts. Many companies have added a bot detection tool to their defenses, yet they are not able to keep up with the pace of the advancements fraudsters are making with these tools.

Approaching this challenge with Behavioral Biometrics is quite straightforward. The combined behavioral pattern of copy-and-pasting usernames and passwords continually for an extended period of time is not human. It is not necessary to review a snapshot of the device or compare contextual data with blacklists, whitelists or other historical data: non-human behaviors = fraud alert. There is no need to inundate your team with reels of data or transactions to review, or to block your customers from accessing their accounts.

During the Session

There is a significant part of the digital user journey that is overlooked when creating a fraud strategy: the session. In the event that a fraudster manages to bypass identity verification, it is smooth sailing all the way to transaction completion. If the transaction is denied or payment details are missing, there are many other tactics the fraudster can utilize to still make gains from this intrusion.

Behavioral Biometrics gives visibility into suspicious behavioral patterns and raises red flags. Both manual and automated methods can be used to complete simple actions like changing account details or transferring points. When it comes to emulators in this context, an alert can be triggered when device attributes do not generate complete human interaction data.

As stated above, Behavioral Biometrics is used to tackle account takeover before it happens. In the highly unlikely situation that a fraudster has managed to arrive at the payment stage, suspicious actions can be identified in a similar fashion to the above two stages. 
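The login-stage and session-stage signals described above, as an added Python example that is not code from the original post or the vendor's product: it scores constructed login telemetry (the field names, thresholds and sample values are assumptions) and flags a run of pasted-credential submits as credential stuffing and a session that never produces pointer or touch data as emulator-like, while leaving a single password-manager paste alone.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass
class LoginAttempt:
    session: str         # client session id (constructed values below)
    ts: float            # submit time, seconds
    keystrokes: int      # key events in the username/password fields
    pastes: int          # paste events into those fields
    pointer_events: int  # mouse-move or touch-move events during the attempt
    fill_ms: int         # milliseconds from first field focus to submit

PASTE_RUN = 5        # pasted-credential submits inside WINDOW_S before alerting;
WINDOW_S = 120       # a password manager pasting once is normal, a run is not

def attempt_reasons(a):
    """Per-attempt non-human indicators; an empty list means nothing suspicious."""
    reasons = []
    if a.keystrokes == 0 and a.pastes >= 2:
        reasons.append("pasted")        # both fields pasted, nothing typed
    if a.pointer_events == 0:
        reasons.append("no_telemetry")  # no pointer/touch data at all
    if a.fill_ms < 300:
        reasons.append("too_fast")      # form filled faster than a person could
    return reasons

def detect(attempts):
    """Return {session: verdict} for sessions that look automated or emulated."""
    by_session = defaultdict(list)
    for a in sorted(attempts, key=lambda x: x.ts):
        by_session[a.session].append(a)
    verdicts = {}
    for sid, items in by_session.items():
        pasted = [a.ts for a in items if "pasted" in attempt_reasons(a)]
        # sliding window over paste-only submits: a run of them is credential stuffing
        for i, start in enumerate(pasted):
            if sum(1 for t in pasted[i:] if t - start <= WINDOW_S) >= PASTE_RUN:
                verdicts[sid] = "credential_stuffing"
                break
        if sid not in verdicts and all("no_telemetry" in attempt_reasons(a) for a in items):
            verdicts[sid] = "emulator_like"  # device attributes without human interaction data
    return verdicts

# Constructed sample: A pastes six credential pairs in 20 s, B types like a person,
# C types but never generates a single pointer/touch event.
SAMPLE = ([LoginAttempt("sess-A", 1000 + 4 * i, 0, 2, 3, 150) for i in range(6)]
          + [LoginAttempt("sess-B", 1000, 18, 0, 40, 6500)]
          + [LoginAttempt("sess-C", 1000 + 30 * i, 14, 0, 0, 900) for i in range(3)])
if __name__ == "__main__":
    print(detect(SAMPLE))  # {'sess-A': 'credential_stuffing', 'sess-C': 'emulator_like'}
```

The thresholds are illustrative; in practice they would be tuned per site against the false-positive rate on legitimate password-manager users.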


Behavioral Biometrics Technology Gets There First

Current fraud prevention tools are unable to meet the needs of online retailers because they are mostly firing at the checkout. Retailers require a seamless solution with the ability to intercept fraud at the onset. Focusing fraud detection on only one front is just not enough anymore; if an attack is not stopped at the login, the fraudster is able to complete his transaction unencumbered and continue to move on to other accounts.

Behavioral Biometrics is much more in line with the rising challenges and needs, as this technology gets there first, by utilizing an individual's unique biological and behavioral traits as a form of identification. eCommerce retailers are now able to provide safe and secure online shopping experiences, reducing the risk of account takeovers as well as friction.
