Account Takeover: The Growing Face of eCommerce Fraud

Posted February 28, 2018


According to the Q4 2017 Cybercrime Report from ThreatMetrix, online retailers faced an unprecedented level of account takeover, bot and other types of attacks last quarter – a record 193 million attacks all told.

The report, which tracks actual cyberattacks detected and blocked within the ThreatMetrix Digital Identity Network, finds account takeover and other forms of eCommerce fraud surged 92 percent last quarter and 173 percent year-over-year.

Widely seen as a reliable proxy for global cybercrime trends, the report shows cybercriminal attacks against online retailers exceeded the entire volume of attacks against all other industries combined.

Key drivers of this trend are the continued adoption of EMV cards and a never-ending stream of corporate data breaches, such as the one that hit Equifax last spring, exposing identity credentials for more than 145 million Americans.

While these factors contributed to a year-end fraud-fest, the brunt of this and other recent data breaches is expected to hit even harder this year. They may also help explain increased interest in digital identity solutions that are able to detect and block fraudsters using stolen identity credentials.

According to online retailers that have deployed them, these same solutions may do more than just protect against eCommerce fraud.

eCommerce Ups its Game

All of this news comes as online retailing is enjoying a growth spurt of its own.

Last quarter’s record $138.4 billion in online holiday sales, for instance, reflects a 13 percent jump year-over-year, according to the National Retail Federation (NRF). Worldwide, retail eCommerce topped $2.29 trillion in 2017. That’s a 23-percent increase in just 12 months.

As consumers continue to shift from predominantly desktop transactions, their purchases are increasingly mobile and cross-border in nature, with more consumers saving credit card information at their favorite websites to make transactions faster and easier.

Many are even gravitating to new mobile wallet services to pay for physical goods on the go. In 2017, 1 million new accounts were added every month – and that’s just by companies tracked within the Digital Identity Network.

Indeed, retailer investments in mobile applications appear to be paying off, with apps evolving from on-demand catalogs into a powerful way to engage customers and drive higher conversion, customer loyalty and lifetime value.

From the looks of things, fraudsters got the memo.

ATOs Hit an All-Time High

If there were any doubts about the impact of 2017’s record-breaking data breaches, they’re long gone by now.

According to Javelin Strategy & Research, 6.64 percent of U.S. consumers became victims of identity theft last year—nearly double the victims seen in 2016.

Now, there are concerns that things are going to get worse. Last week, reports surfaced that the Equifax attack was far more damaging than originally believed, revealing even the most granular identity details that can be used for ATO attacks. Unfortunately, Equifax is hardly alone. An estimated 8 billion personal identity files were stolen from businesses in 2017, and there’s a new breach virtually every day.

For fraudsters, the combination of all this fresh identity information and increased online and mobile purchasing is a dream come true. According to ThreatMetrix data, thieves using stolen identity credentials to launch ATO attacks accounted for nearly 17 percent of all retail login attempts.

What’s more, the holiday season saw as many as 34 million automated bot attacks aimed at testing stolen login credentials, sometimes making up to 90 percent of all website traffic during peak shopping periods. In total, more than 800 million automated bot attacks were launched against online retailers during the quarter ending December 31.

It appears to have paid off. According to Javelin, U.S. losses from account takeover attacks topped $5.1 billion in 2017—a 120-percent increase in just one year.

Double Duty for Digital Identity

To defend themselves against account takeover attacks, a growing number of online retailers are turning to cognitive, digital identity-based user verification and assessment solutions that can detect high-risk or anomalous login attempts—even when a fraudster is entering valid credentials.

According to retailers that have deployed them, these same technologies could also give them an edge over competitors by enabling them to accelerate transactions for trusted customers without initiating unnecessary step-ups.

They’d better hope they’re onto something. This year, an estimated $1.6 trillion will change hands as consumers ditch online retailers that are unable to deliver the speed, ease and convenience they demand—and flock to those that can.

That’s going to make this a critical year in the fight against account takeover attacks.

To learn more about trends in account takeover, eCommerce fraud and how digital identity solutions can help online retailers achieve secure, sustainable growth, download our Q4 2017 Cybercrime Report.

Alisdair Faulkner


Chief Identity Officer, Business Services, LexisNexis Risk Solutions
