What makes account takeover prevention so challenging? Why are account takeovers more difficult for organizations to spot and mitigate compared to other types of fraud, such as payment fraud?
The answer is nuanced and is never the result of just a single factor. Account takeover fraud can leave a long-lasting negative impact and quickly erode the trust that has developed between a company and its customers. Beyond hurting a company’s bottom line, account takeovers can diminish customer loyalty and even result in lost customers.
With so many factors outside of an organization’s control, it can be challenging to even know where to start when it comes to account takeover prevention. Here are 5 watch-outs to be mindful of when it comes to mitigating account takeover fraud:
Compromised Usernames and Passwords
A string of data breaches has compromised millions of username/password combinations that criminals can use to try to gain unauthorized access to users’ accounts. The situation is compounded by consumers often reusing the same credentials across multiple accounts, so a breach at one organization can expose accounts at a number of other organizations. The compromised lists of credentials are often readily available on the dark web at a low cost. Using free, automated software, fraudsters can churn through hundreds of credentials per second and quickly determine which are valid and can be monetized. At that point, they may attempt to resell these “validated” credentials or exploit them to make unauthorized purchases, withdraw funds, steal loyalty points, or commit other malicious actions against the account.
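One way to surface the automated credential testing described above from login logs, shown as an added example rather than code from the original article or from any vendor product. The event format, thresholds, and names such as `find_stuffing_sources` are assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed thresholds for illustration; tune against real traffic.
WINDOW = timedelta(minutes=5)
MIN_DISTINCT_USERS = 5
MIN_FAILURE_RATIO = 0.8

# Constructed sample events: (timestamp, source_ip, username, login_succeeded)
T0 = datetime(2024, 1, 1, 12, 0, 0)
USERS = ["amy", "bob", "cal", "dee", "eli", "fay", "dana", "gus", "hal", "ivy"]
EVENTS = (
    # One source trying ten different accounts in ten seconds, one success.
    [(T0 + timedelta(seconds=i), "203.0.113.7", u, u == "dana")
     for i, u in enumerate(USERS)]
    # A real user mistyping a password twice, then succeeding.
    + [(T0 + timedelta(seconds=30 * i), "198.51.100.20", "alice", i == 2)
       for i in range(3)]
    # An office NAT: many users behind one IP, all logging in successfully.
    + [(T0 + timedelta(seconds=20 * i), "192.0.2.50", f"staff{i}", True)
       for i in range(6)]
)

def find_stuffing_sources(events, window=WINDOW, min_users=MIN_DISTINCT_USERS,
                          min_fail_ratio=MIN_FAILURE_RATIO):
    """Return {ip: {"max_users": int, "validated": set}} for suspicious sources."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in sorted(events):
        by_ip[ip].append((ts, user, ok))
    flagged = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # Slide the window so it never spans more than `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            win = evs[start:end + 1]
            users = {u for _, u, _ in win}
            fail_ratio = sum(not ok for _, _, ok in win) / len(win)
            if len(users) >= min_users and fail_ratio >= min_fail_ratio:
                hit = flagged.setdefault(ip, {"max_users": 0, "validated": set()})
                hit["max_users"] = max(hit["max_users"], len(users))
                # Successful logins inside a flagged window are likely
                # takeovers: candidates for session kill and password reset.
                hit["validated"] |= {u for _, u, ok in win if ok}
    return flagged

if __name__ == "__main__":
    for ip, hit in find_stuffing_sources(EVENTS).items():
        print(ip, hit["max_users"], sorted(hit["validated"]))
```

Per-IP counting is only one signal: the mistyping user and the shared office address are left alone, but attempts spread out over time or across many addresses need the same grouping applied to another key, such as a device identifier.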
Hide in the Noise
In the wake of COVID-19, account takeover prevention is more important than ever. eCommerce traffic has risen sharply as more and more consumers go online for goods and services they previously bought in person. As a result, traffic and volumes are up on a year-over-year basis, which has given fraudsters an avenue to hide in plain sight. By performing some simple research on the account and the organization, fraudsters can employ tactics like utilizing a proxy or virtual private network to mimic the legitimate user’s geographic location and conducting attacks during the organization’s peak activity – both actions make the attack more difficult to detect.
Providing a Great User Experience
“User experience” (UX) has become a catchphrase across marketing departments in every industry. UX entails making every aspect of a customer’s interaction with an organization a pleasant one – from creating an account, browsing and purchasing, to facilitating a return or engaging with customer service. Introducing unwanted friction into the process, such as asking customers to pick out certain images to verify they are not a robot or repeatedly prompting them to answer security challenge questions, may result in customer abandonment and frustration.
Actions May Not Seem Suspicious
With unauthorized access to an existing account, a fraudster instantly benefits from the customer’s credibility and goodwill – their purchase history, loyalty status, and tenure as a customer. With this in mind, a fraudster could make similar purchases or update profile information on the account, like email, phone numbers, or delivery addresses, without arousing much suspicion.
Account takeover prevention can span many different teams, such as security, fraud prevention, ecommerce, and customer experience, requiring constant coordination rather than independent silos. Even when threats are recognized, changes may be implemented slowly in the absence of a unified platform. We know fraudsters are tapping into their network to share information and best practices, so we must do the same and determine ownership in order to take charge of fraud prevention.
Account takeover fraud is complex and difficult to unravel, as evidenced by these nuances. While many organizations may utilize a number of solutions to help prevent these attacks, juggling multiple vendors can present a fragmented risk picture and introduce unwelcome friction for your customers. Accertify can help. Our Digital Identity solution is built on 5 pillars of information – Device, Connection, Location, Behavior and History. By looking at these five points we can help answer the following key questions:
- What is the user’s device?
- How is the user connecting to your site?
- What is the user’s location?
- How is the user interacting with your site?
- What is the user’s history?
Our Digital Identity solution analyzes billions of data points using machine learning, advanced behavioral analytics and device intelligence technology, empowering organizations to distinguish trusted customers from fraudsters.
Request a consultation to learn how Accertify can make it simpler to protect your organization.