May 24, 2022 | By: Justin McDonald, Sr. Risk Management Consultant, The Fraud Practice
Does your organization have a 360° view on the many risks associated with account takeover attacks? From direct financial losses to brand risks and the lost lifetime value (LTV) of customers, just quantifying account takeover (ATO) risks is a challenge. Further, merchants must not only be concerned with ATO targeting their own user accounts, but also with fraudulent purchase attempts via digital wallets, Buy Now Pay Later (BNPL) and other alternative payment accounts that have been taken over by illegitimate users.
Understanding Your Organization’s ATO Risk Exposure
The first step to managing risk is to understand it. Organizations should perform an ATO audit to understand their ATO risk exposure, and reevaluate these risks periodically. Much of an organization’s ATO risk exposure stems from what information is stored in, visible from or usable through a user’s account. Other considerations include how and when trusted accounts may see reduced fraud screening, as well as factors such as password policies, bot checks and other risk mitigation practices at the login event. Reviewing these policies and practices can help an organization understand how valuable their user accounts are in the hands of fraudsters, suggesting how likely they are to be targeted, and help the organization gauge whether their current ATO mitigation strategy is adequate relative to their ATO risk exposure.
Direct ATO Risks
When merchants and other organizations review their account takeover exposure and risk mitigation efforts, there tends to be a focus on direct ATO attacks. This refers to bad actors taking over user accounts under the custodianship of the merchant or organization, which the fraudster can leverage to scrape users’ personally identifiable information (PII), make purchases from the account using its stored payment instruments, or run other schemes.
According to a consumer survey by Sift, 45% of ATO victims had money stolen from them directly, 42% had stored payment devices used to make unauthorized purchases and 26% lost loyalty or rewards points.
These direct ATO attacks tend to have the most immediate impact on the organization, and therefore receive the most attention in terms of efforts focused on thwarting ATO. An unauthorized user accessing an account and its payment credentials to make purchases will lead to chargebacks, while forcing the legitimate user to reset their password to unfreeze their account creates friction at minimum, and often disdain and contempt towards the merchant. The financial and brand risks are felt most directly with direct ATO attacks and, although more difficult to quantify, the losses associated with brand risks are also severe.
According to a survey from Sift, 74% of consumers will stop using their account if they suffer account takeover on a specific site or app.
Peripheral ATO Risks
Merchants are less likely to recognize the potential fallout from peripheral ATO attacks. These are account takeover events that originate elsewhere but ultimately impact the merchant, such as when a consumer’s digital wallet or alternative payment account suffers account takeover and is then used to make unauthorized purchases from an unsuspecting merchant. Although merchants have a degree of separation from where the ATO attack originated, the associated risks are often the same or nearly as high.
There are multiple challenges merchants face with peripheral ATO attacks. First, detecting signals of elevated risk is more difficult, as there are typically fewer risk signals to leverage when a user makes a purchase via a digital wallet or alternative payment method than when they provide their payment credentials directly. Many digital wallets protect consumer privacy and share fewer details than a customer entering their payment credentials directly would provide. This leaves fewer data points for identity checks and comparison against other order details. Additionally, a merchant may only see that a user successfully authenticated with their digital wallet, BNPL or other payment provider, with little to no other detail. When a user logs in to a merchant’s site directly, there are many signals such as IP address and device information that can be compared to previous login activity, either legitimizing or questioning the validity of this particular login event.
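The contrast above, as an added example that is not part of the original article or any Sift product: a small scorer compares a login event’s device, IP and country against the account’s prior logins, and a wallet/BNPL checkout that only reports an authentication result yields nothing to compare. The history, weights and field names are constructed assumptions.

```python
from ipaddress import ip_address, ip_network

# Constructed login history for one user account (hypothetical sample data).
HISTORY = [
    {"ip": "203.0.113.10", "device": "dev-a1", "country": "US"},
    {"ip": "203.0.113.44", "device": "dev-a1", "country": "US"},
    {"ip": "198.51.100.7", "device": "dev-b2", "country": "US"},
]

# Illustrative weights; a real deployment would tune these from labelled ATO cases.
WEIGHTS = {"device": 2, "ip": 1, "country": 3}


def in_known_subnet(ip, history, prefix=24):
    """True if the IP falls inside any /24 the account has logged in from before."""
    return any(ip_address(ip) in ip_network(f"{h['ip']}/{prefix}", strict=False)
               for h in history)


def score_event(event, history):
    """Compare an event's signals against the account's prior logins.

    Returns (score, reasons, unavailable). Signals absent from the event
    (typical for a wallet/BNPL checkout that only reports 'authenticated')
    cannot raise the score; they are listed in `unavailable` instead, so the
    caller can see how little there was to check.
    """
    score, reasons, unavailable = 0, [], []
    checks = {
        "device": lambda v: v in {h["device"] for h in history},
        "ip": lambda v: in_known_subnet(v, history),
        "country": lambda v: v in {h["country"] for h in history},
    }
    for signal, seen_before in checks.items():
        if signal not in event:
            unavailable.append(signal)
        elif not seen_before(event[signal]):
            score += WEIGHTS[signal]
            reasons.append(f"new {signal}: {event[signal]}")
    return score, reasons, unavailable


if __name__ == "__main__":
    # Direct login with a full signal set: every signal can be compared to history.
    print(score_event({"ip": "192.0.2.5", "device": "dev-z9", "country": "BR"}, HISTORY))
    # Wallet checkout: only the provider's auth result arrives, nothing to compare.
    print(score_event({"payment_authenticated": True}, HISTORY))
```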
The other great challenge is the fact that peripheral ATO attacks are increasing at an alarming rate. Sift reported in their Q1 2022 Digital Trust & Safety Index that payment fraud attempts targeting digital wallets were up 200% from 2020 to 2021, while BNPL providers saw a 54% increase. Attempted payment fraud across Sift’s global network was up across the board in 2021 relative to 2020, but the increase in attempted fraud against digital wallets was more than eight times as large, and the increase against BNPL providers nearly twice as large, as the 23% overall increase in attempted payment fraud.
“Businesses need to deploy machine learning (ML) solutions that detect ATO and other types of fraud in real-time so the company can take action before there is significant exposure. Think about how your company can implement Dynamic Friction to enable the 99% of trusted users on your site or platform to interact with your brand safely and with the least amount of frustration.”
Brittany Allen, Sift Trust and Safety Architect and one of the ETA’s 2022 “Forty Under 40” representing innovators in the payments industry
Don’t Ignore the Threat of Peripheral ATO Attacks
Those of us in the fraud and payments industry know the inner workings of digital payments and fraud so well that we often forget how unfamiliar the general public is with these topics. Consumers outside of this niche often displace their resentment and blame when suffering identity fraud or ATO, something that is deeply personal. Case in point: A card issuer suffers a major data breach, but when the consumer’s payment card is used at a major electronics retailer the consumer decides to never shop at that retailer again while never thinking twice about continuing to use the reissued credit card.
The same is true with peripheral ATO attacks against digital wallets, BNPL and alternative payment providers. Consumers may be upset with both the digital wallet and the merchant who allowed the purchase, but the brand risk and fallout can be strong and long lasting against the merchant in particular. This presents a challenge to merchants that often have less identity and risk data to leverage when consumers use these alternative payment methods. The silver lining is that some digital wallets and BNPL providers may bear the burden of fraud losses, but that doesn’t mean merchants can blindly accept all of these orders.
Keep this in mind: Consumers using certain digital wallets and BNPL providers may present reduced direct financial risk in cases of peripheral ATO and fraud, but the brand risks and potential loss of customer lifetime value are still just as strong.
Sift is the leader in Digital Trust & Safety, empowering digital disruptors to Fortune 500 companies to unlock new revenue without risk. Sift dynamically prevents fraud and abuse through industry-leading technology and expertise, an unrivaled global data network of 70 billion events per month, and a commitment to long-term customer partnerships. Global brands such as Twitter, AirBnB, and Twilio rely on Sift to gain a competitive advantage in their markets. Visit us at sift.com and follow us on Twitter @GetSift.