Businesses are struggling to fight account takeover (ATO) attacks; loss of money, reputation and customer loyalty, along with the potential risk of litigation, all loom large. There are more ATO-related threats than ever, many of which serve as segues to card-not-present (CNP) and loyalty fraud. According to an identity fraud study from Javelin, account takeover losses reached $5.1 billion in 2017. Furthermore, victims of account takeover paid an average of $290 out of pocket and spent an average of 15 hours resolving the issue.
Most businesses believe they have sufficient prevention methods in place to protect their customers from account takeover and other advanced fraud attacks. Yet these tools are outdated and cannot cope with the sophisticated tooling used to execute such attacks, ultimately leaving gaps through which fraud goes undetected. When it comes to account takeover, once a fraudster has their hands on a list of validated credentials, it is almost impossible to stop them.
The reality is that it is not possible to catch every single attack event, manual or automated, which leads companies to accept a certain amount of fraud losses. Growing investments are being made in tools to reduce this gap, but adoption is slow. We are not going to explore these in this blog (watch this space); instead, we are going to explore account takeover attacks in more detail.
It’s An Easy Street for Fraudsters
The above data is daunting, and it highlights why fraudsters are so motivated to execute this attack method. But that is not the only reason:
- Acquiring stolen data is easier than ever
  - A menagerie of tools and techniques for stealing data is accessible to fraudsters, including malware, malicious apps and social engineering
  - It takes an average of 206 days for companies to identify a data breach
- ‘Anyone’ can be a fraudster
  - Access to tutorials, tools and resources on the dark and grey web is easier than ever
  - Automated tools used for scaling attacks are often given away for free: bots and emulators can be used for credential stuffing and monetization
- Fraudsters are no longer “lone wolves”
  - Online communities offer support and expertise to others
  - Account takeover attacks are approached like a business venture conducted by fraud rings
  - It is a much larger endeavor to stop an entire group than to shut down a single person
- Proliferation of online commerce and digital channels
  - Taking over a trusted existing account is easier than setting up a brand new one
  - Payment details are often saved on accounts
  - Users are known to re-use passwords across multiple accounts
Understanding the mechanics and different ways a fraudster might carry out an account takeover attack is crucial to understanding the bigger picture.
Account Takeover in Real Life
Thank You for Your Loyalty
The image below was posted on the dark web as evidence that user credentials stolen from an online travel company site were legitimate. The fraudster committed loyalty fraud by using the stolen points to book and stay in this room. The photo helps inflate the price of the combo list and serves as a teaser to entice buyers.
Evidence of successful account takeover attack on a hotel booking site.
The Holiday She Deserved But Never Had
While the above example reveals fraudsters’ behavior, the following story tells a much more impactful and sad tale. Laura Ward was the victim of an account takeover attack that resulted in credit card fraud; her Airbnb account was hacked and her card was charged $1,181 for a stay in Malaysia that she never booked. What followed was a complicated series of events and conversations between Ward, her bank (Barclays) and Airbnb. During this six-month ordeal, Ward was also the victim of yet another attack and was locked out of her account. Despite her initial chargeback request being rejected, Ward was finally able to get the money back after calling on the help of an IT professional and a consumer advocacy group. Undoubtedly, Airbnb will have lost her trust and most likely her loyalty.
An Illicit Marketplace for Digital Goods
In the screenshot below, one fraudster is selling multiple packs of accounts for different digital goods merchants: streaming services, gaming accounts, etc. The price per set depends on the quality of the user credentials and the subscription levels. This fraudster does not, however, show any evidence of the quality of the credentials. We have no way of knowing whether these credentials were bought and used, but the screenshot alone clearly illustrates that there is demand in this market.
Rising to the Challenge of Account Takeover
It goes without saying that the eCommerce industry is rife with fraud. Based on conversations with colleagues and clients, ATO is one of their biggest and fastest-growing concerns, mainly because of how easy and scalable such attacks are, and consequently how large the negative impact is on revenue, reputation and resources.
As the number of ATO attacks grows rapidly and consistently, it is clear that the popular fraud detection tools are not capable of withstanding this onslaught of sophisticated techniques. There is a crucial need to rise to this challenge. Online businesses should focus their efforts on re-examining their fraud strategy to find a solution that can not only detect increasingly sophisticated attack vectors but also stop fraudsters much earlier in the customer journey.