Account Takeover: An Evolution In eCommerce Fraud


Place a stone in a stream and the water will flow on around it, diverted from its path but not from its destination. Unfortunately, fraud defenses work the same way. Shore up against one type of threat and those clever, fluid fraudsters will always find a way around.

According to Sourabh Kothari, Signifyd director of Merchant Advocacy, that’s why account takeover has become such a popular method of fraud.

Though stolen financials still reign supreme, comprising 95 percent of eCommerce fraud, Kothari said that merchants, platforms and payment processors have wised up in recent years, making it more cumbersome for fraudsters to succeed with this more traditional approach.

PYMNTS and Signifyd jointly produce the Global Fraud Index, which looks at more than 5,000 eCommerce merchants across Europe, North America and Asia, to see which types of fraud are being carried out and in which segments they’re being perpetrated.

Now, in a new podcast series featuring Kothari and Karen Webster, the two companies dive deeper to share insights, trends and data analyzing root causes, effects and the best defenses against fraud available to merchants. Episode One starts with a bird’s-eye view of the issue.


The Takeover of Account Takeover

The Global Fraud Index showed a 45 percent increase in account takeover in Q2. That may sound like a lot — and, due to its timing, it may appear to be connected to the massive data breach at Equifax — but Kothari said the problem has been brewing for a long time. Equifax just brought attention to it.

In fact, said Kothari, five of the eight industries covered by the Index saw a significant rise in account takeover fraud across the first half of the year. As for the other three, two of them (jewelry and furniture) were already facing significant challenges in this area.

Account takeover was once reserved for high-end products: designer fashion, drones and other expensive electronics, luxury perfumes and cosmetics. However, now it’s growing rapidly in the $100 to $500 transaction range, causing the method to spike across many more transactions in apparel and consumer electronics. Kothari is expecting a particular spike in these industries and in high-end perfume and cosmetics this holiday season.

Kothari said the only industry among those tracked in the Global Fraud Index that was not facing a sharp increase in account takeover fraud was alcohol, tobacco and cannabis, where stolen financials are still generating enough success to keep fraudsters in business.


The Difference Between Stolen Financials and Account Takeover

Stolen financials are classic fraud, the proverbial “snatch and grab,” Kothari said. Simply put, criminals use someone else’s credit card information to transact and have goods delivered to them.

The problem with this method (from a fraudster’s perspective) is that everybody knows about it. Merchants, eCommerce platforms and payment processors have learned to expect this type of fraud, so when they invest in new defenses, they focus on identifying, preventing and stopping stolen financial fraud. And they’ve apparently done a pretty good job, leading many criminal syndicates to develop new strategies.

With account takeover, the fraudster takes control of one or more of a customer’s accounts — typically including the user’s email account, so that any correspondence about security, account details or password resets will go to him instead of the rightful recipient.

When account takeover is performed successfully, the retailer just sees an existing customer with a good track record placing an order that ships to a new location. Customers with a longstanding relationship with a merchant may already have multiple addresses on file anyway, Kothari noted. If the address is the only element that looks different, the transaction won't raise any red flags, because the address is all the merchant sees.

That makes this type of fraud very difficult for merchants to identify and mitigate, said Kothari, and that, in turn, gives it a higher success rate than stolen financials.

From the consumer’s point of view, it may not be obvious that someone else has logged in or used their account, especially if the fraudster was smart and targeted a seldom-used account. Kothari said criminals can optimize this strategy by going after, say, the account where a customer autopays their water bill, which they visit once or twice a year.

Once they’ve determined the correct email and password combination, said Kothari, they can take that knowledge to other sites — because, unfortunately, most people have poor security hygiene and recycle passwords across many sites rather than coming up with a unique one for each account.

Kothari noted that all of this has been made even easier as the amount of personal data available to fraudsters continues to grow and as more identifying credentials make their way onto the Dark Web following data breaches like the one at Equifax.

With stolen financials, said Kothari, one merchant takes the hit and consumers get their money back, whereas with account takeover consumers may see fraud across multiple accounts.

“The merchant is a victim as much as the consumer,” observed Webster. “Consumers and retailers are on the wrong side of cybercrooks — and we need to unite and fight back with better data.”


The Difference Between Account Takeover and Friendly Fraud

Kothari made a simple distinction between these two tactics. With account takeover, the shipping address changes. With friendly fraud, the shipping address remains the same while the consumer/fraudster challenges one or more transactions, Kothari said.

In addition, while merchants may not be able to see it, underlying transaction data (actual IP address, device data, etc.) for friendly fraud originates from the actual customer, whereas account takeover activity originates from a member of a criminal syndicate hundreds or thousands of miles away who’s trying their best to mask their activity.
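The two distinctions above (what the merchant can see versus what the underlying transaction data shows) can be turned into a small rule-based check. The following is an added example, not code from the article or from Signifyd. It scores an order against the account's history using the signals named here: whether the shipping address is on file, whether the device and IP country match the customer's past activity, how long the account sat dormant, and whether the account's email or password was changed shortly before the order. The thresholds, field names and all order records are constructed for illustration.

```python
"""Added example: separating account takeover (ATO) from friendly fraud.

Not from the article or Signifyd. Weights, thresholds, field names and the
sample orders below are all constructed assumptions for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Set, Tuple


@dataclass
class AccountHistory:
    addresses_on_file: Set[str]
    known_devices: Set[str]
    known_countries: Set[str]
    last_login: datetime
    credential_changed_at: Optional[datetime]  # last email/password change


@dataclass
class Order:
    placed_at: datetime
    ship_to: str
    device_id: str
    ip_country: str
    disputed: bool = False  # cardholder later filed a chargeback


def merchant_view(order: Order, history: AccountHistory) -> bool:
    """What the retailer sees on its own: only whether the address is new.
    This flag is identical for a takeover and for a customer who moved."""
    return order.ship_to not in history.addresses_on_file


def score_order(order: Order, history: AccountHistory) -> Tuple[int, List[str]]:
    """Assumed weights: device/IP/credential signals outweigh a new address."""
    score, reasons = 0, []
    if order.ship_to not in history.addresses_on_file:
        score += 1
        reasons.append("new_shipping_address")
    if order.device_id not in history.known_devices:
        score += 2
        reasons.append("unknown_device")
    if order.ip_country not in history.known_countries:
        score += 2
        reasons.append("ip_country_mismatch")
    if order.placed_at - history.last_login > timedelta(days=180):
        score += 1
        reasons.append("dormant_account")  # seldom-used account, as in the text
    if (history.credential_changed_at is not None
            and order.placed_at - history.credential_changed_at < timedelta(days=7)):
        score += 2
        reasons.append("recent_credential_change")  # mailbox/password reset just before
    return score, reasons


def classify(order: Order, history: AccountHistory) -> Tuple[str, List[str]]:
    """ATO: activity does not look like the customer. Friendly fraud: a disputed
    order whose underlying data does look like the customer."""
    score, reasons = score_order(order, history)
    if score >= 4:
        return "likely_account_takeover", reasons
    if order.disputed and score <= 1:
        return "likely_friendly_fraud", reasons
    return "legitimate_or_unknown", reasons


# Constructed sample data: one customer, three orders.
HISTORY = AccountHistory(
    addresses_on_file={"12 Elm St, Austin TX"},
    known_devices={"dev-a1"},
    known_countries={"US"},
    last_login=datetime(2017, 1, 10),
    credential_changed_at=None,
)
# Takeover: dormant account, new address, never-seen device, foreign IP.
ATO_ORDER = Order(datetime(2017, 9, 20), "9 Drop Ln, Newark NJ", "dev-zz9", "RO")
# Friendly fraud: usual address and device, then a chargeback.
FRIENDLY_ORDER = Order(datetime(2017, 2, 1), "12 Elm St, Austin TX", "dev-a1", "US",
                       disputed=True)
# Legitimate move: new address only, everything else matches the customer.
LEGIT_MOVE = Order(datetime(2017, 2, 1), "4 New Ave, Denver CO", "dev-a1", "US")


if __name__ == "__main__":
    for name, order in [("ATO", ATO_ORDER), ("friendly", FRIENDLY_ORDER),
                        ("moved", LEGIT_MOVE)]:
        print(name, "merchant sees new address:", merchant_view(order, HISTORY),
              "->", classify(order, HISTORY))
```

The point the example makes is the one in the text: `merchant_view` returns the same answer for the takeover and for the customer who simply moved, so an address-only rule cannot separate them, while device, IP, dormancy and recent credential-change data does.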

Friendly fraud may be difficult for merchants to identify, but Kothari said retailers have made strides toward reducing it by making it easier for legitimate customers to resolve issues and complete returns, so that a bank chargeback no longer feels like their only recourse. This has helped separate accidental friendly fraud from customers who are deliberately abusing the system.

“The retailer isn’t doing anything wrong,” Kothari said. “Most retailers can’t be expected to identify account takeover the way we do [at Signifyd], since merchants can only see what they’re transacting or what is presented to them by their eCommerce platform.”

Consumers, Kothari said, can help reduce and prevent account takeover fraud across all merchants by setting stronger passwords that do not contain common words or plain text. Most of all, the use of unique passwords for each account will reduce the impact from account takeover for all of us.

He admits it’s inconvenient, but it makes a significant difference. Until a better authentication technique ousts the static password, he said, it’s the best thing we’ve got.