Account Takeover Prevention: Turning the Tide on Surging ATOs

Posted June 13, 2019

Account Takeover Prevention: Turning the Tide on Surging ATOs

Account takeovers (ATOs) are on the rise as cyberthieves continue to advance their approaches to eCommerce fraud through the use of automated bots. As data captured in our latest Cybercrime Report suggests, the footprint of automated bots is global and vast. But how can merchants boost their ATO prevention efforts without alienating online customers?

It could be quite the balancing act. The pernicious and widespread impact of high-volume automated bot traffic is playing a major role in fraud that’s costing the industry billions each year.

In just the second half of 2018, more than 2.8 billion bot attacks were detected within the ThreatMetrix Digital Identity Network — with 2.1 billion of them squarely targeting merchants. More times than not, these bots are leveraging stolen login credentials used to hijack customer accounts, allowing the cybercriminals behind them to go on shopping sprees that contribute to as much as $130 billion in annual losses.

On the other hand, adding too much friction at checkout can be just as damaging to revenues, putting merchants in a serious bind. It’s growing harder than ever to deliver a convenient, low-friction online shopping experience to trusted customers.

More Swiped Data Makes ATOs Simpler

Thanks to a veritable glut of breach data, login credentials to customer retail accounts that used to cost $10 are now going for as little as $1 on the dark web. Once acquired, cybercriminals validate logins in small credential testing runs before launching credential stuffing attacks through large-scale bot offensives. Merchants that rely solely on login credentials for identity proofing could be in for a world of hurt.

CNP Defenses Make ATOs More Attractive

Thanks to enhanced protections against card not present fraud involving stolen payment card numbers, cybercriminals are capitalizing on stolen login credentials to hijack retail customer accounts and then make purchases without having to steal a card at all.

After all, purchases are far less likely to raise flags when they appear to be made by the trusted owner of an established account that has completed any number of successful transactions in the past. Today, nearly 30% of ATOs are major credit card accounts, though merchant account takeovers are climbing fast too, at 1 in 5 such events. Also growing in popularity: store-branded credit cards and loyalty accounts, which account for 11% of all ATOs, according to

Endless Options Make Friction Unforgivable

Even with all of this as a backdrop, customers still want what they want, when, where and how they want it. That means all those online and mobile shopping services you’ve been rolling out need to deliver a personalized experience with speed, convenience and consistency at every touchpoint. Up to 50% of consumers will ditch a transaction after even just 10 seconds of added friction. And step-ups? Forget about it. But it’s not like they’re willing to sacrifice security, either. An estimated $1.6 trillion changes hands each year as shoppers defect from a brand that can’t deliver the fast, secure experience they want for another that can.

Reducing ATOs – Without Losing Customers

But what can be done? How can merchants turn the tide on ATOs without seeing customers head for the exits? Here are three key recommendations.

#1 Adopt Modern, Digital Identity-Based Authentication

Today, savvier merchants are transitioning from an over-reliance on login credentials to digital identity-based user verification solutions that combine identity and threat intelligence with advanced behavioral analytics. These solutions enable businesses to instantly recognize legitimate customers so that fraudsters and bots can be automatically detected and blocked. By combining risk-based authentication (RBA) with built-in strong customer authentication (SCA) capabilities, step-ups can be reserved for the roughly 1%-2% of transactions that may require further review. Among other things, this can help cut the 57% of false declines that frustrate returning customers unnecessarily, and deliver the fast, convenient experience customers crave.

#2 Tap Into Global, Shared Identity Intelligence

A number of organizations are gravitating toward industry-specific consortiums in order to gain access to shared, global, and anonymized identity intelligence to dramatically scale their data sets with high-quality data sources. This allows merchants to instantly recognize legitimate customers, while stopping cybercriminals (and the billions of automated bots they launch each year) from logging into a customer account—even if it’s the first time they’ve ever accessed the merchant’s site or app. As senior Javelin fraud analyst Kyle Marchini tells, this kind of data draws on the experience of the entire network of businesses, “helping to identify whether there has been questionable activity associated with these attributes at other organizations, and giving merchants a broader view into the user than they would be able to accomplish on their own.”

#3 Confirm Orders, Comfort Customers

By confirming account changes by email, text and other forms of multi-factor authentication, transactions can be verified before they’re finalized, and tip you off to account takeover. Customers also get the added reassurance that they are protected—without causing purchase friction. In some regions, transaction confirmations are increasingly required before a transaction is completed. In the EU for instance, the Revised Payment Service Directive (PSD2) mandates Secure Customer Authentication (SCA) beginning this September. It’s sure to create consumer uproar at first, but look for consumers to eventually cotton to the idea—and for this kind of SCA, to continue to be adopted in other regions worldwide. Organizations that get their SCA strategy right will benefit most from a positive customer experience and engagement strategy.

Less Risk, More Reward

The impact from just these steps can be profound. Cybercriminals are less able to pirate customer accounts in order to go on illegal shopping sprees—thus reducing chargebacks, false declines and fraud losses. Customer satisfaction and loyalty increase. It really is the embodiment of speed, security, convenience and consistency that today’s digital republic demands.

In fact, organizations that have transitioned to a digital identity-based approach to account takeover prevention report cutting fraud losses by upwards of 80 percent. In the $2 trillion fight against fraud, that should give merchants plenty of incentive to turn back the tide on their own terms.

To learn more about how a digital identity-based approach to fraud prevention can help dramatically reduce account takeover (ATO) risk, download this case study from ThreatMetrix.

close btn