
Move Over, ID Theft: Account Takeover Fraud Is Rising

Bad actors using account takeover fraud, or ATO fraud, are moving beyond the point of checkout.

Online fraud attacks jumped 13 percent last year as cybercriminals began to shift more of their focus from stealing a person’s identity to taking over their individual accounts--otherwise known as account takeover, or ATO, according to a recent report from Forter, an e-commerce fraud prevention company.

The fifth edition of Forter’s Fraud Attack Index also indicated that the massive breaches from 2017--including the breach at credit reporting firm Equifax, in which as many as 147.9 million customers had their personal data exposed--helped fuel the 31 percent increase in account takeover (ATO) attempts.

“The enormous data breaches of 2017 highlight that all businesses, even the very biggest, have the potential to be penetrated by opportunistic fraudsters,” Forter co-Founder and CEO Michael Reitblat told ITPro Today in an email. “When these large-scale breaches occur, the dark web marketplaces are saturated with extremely rich private customer data, ripe for the fraudster buyer. There was a strong correlation between the timing of the data breaches in 2017 to the number of ATOs later reported.”

That correlation was highlighted by a 53 percent spike in ATOs in the third quarter over the previous quarter, Reitblat said.

Overall, the Forter report paints a picture of a fraud industry that is becoming more sophisticated and that is expanding its target vectors beyond the point of checkout to cover all the steps customers take when interacting with online businesses. It also points to the need for online businesses to move away from often-manual legacy security systems to products that are faster and more automated, as well as to evaluate and adopt new technologies, including artificial intelligence and machine learning.

“The largest cybersecurity risk for many businesses revolves around human factors and employee behaviors,” Reitblat said. “Phishing attacks are one of the most simple and effective means by which employees inadvertently expose company data. By adopting automated technology solutions, merchants can cut down on the number of individuals that have access to data, thus making them less exposed to a breach.”

The shift from stealing customers’ personal identities to taking over their accounts is an example of the rapid evolution in fraud that e-commerce businesses are facing. Fraudsters can get their hands on all sorts of personal data--including a customer’s full name, address, credit card numbers and PINs--but such attacks are often easy to spot and to stop, the CEO said. On the other hand, ATOs often are more profitable. Fraudsters can exploit account payment information, but they also can empty accounts of reward or loyalty points that may have accrued, which can be done with neither the customer nor the retailer noticing. This gives the hackers more time to exploit the account before suspicions are raised.

“Account details are easier to exploit by virtue of the fact that far fewer retailers have ample fraud prevention in place to detect these kinds of subtle yet effective attacks,” Reitblat said. “Retailers often emphasize fraud prevention solutions that protect the point of transaction but fail to have any kind of measures in place to protect the rest of the customer journey.”

With bad actors expanding the areas of online commerce they are attacking, there also is a rise in policy abuse, which includes cheating retailers via coupons, returns, discount codes, reward programs and other methods, according to Forter’s report. In 2017, the company saw 200,000 policy abusers. Return abuse--incidents in which people return goods after using them--increased 119 percent since the beginning of 2017. Coupon abuse also surged during the year, jumping 217 percent.

“From the moment a customer logs onto a website, all the way through to purchasing or returning merchandise, the shopping journey is rich and simultaneously vulnerable to methods of attack and exploitation,” Reitblat said. “Fraud professionals need to be aware of the other pain points beyond the point of transaction and how best to prevent them from being exploited.”

Forter officials in the report said online retailers need to take steps now to bolster and modernize their defenses to keep up with the rapidly changing fraud environment. The CEO noted the growing use of bots that overload manual review queues “with fraudulent actors engaging on a site and exploiting the system’s sluggish responses and inability to accurately ‘spot the bot’ from the good user. Manual fraud reviews simply won’t cut it when thousands of bots can attack within milliseconds of one another, blending into good customer traffic.”

Noted Reitblat: “Retailers know that transactional fraud is a point of vulnerability, and they have put defenses in place to counteract these attacks. As such, fraudsters are learning to exploit retailers throughout the customer journey.”
