November 16, 2022 | Written by: Justin McDonald, Sr. Risk Management Consultant, The Fraud Practice
It is common for organizations to route different users or transactions through different risk screening paths, whether via a different rule set or different risk models, based on the risk profile or other characteristics of an order. This is typically a feature of effective risk management strategies, as it enables organizations to “fast-track” lower risk orders or trusted customers on a low-friction path, while reserving more scrutiny for the orders and users that need it most. Taking a similar approach to account takeover (ATO) risk can prove equally beneficial, because it provides a way to balance stronger forms of authentication, which carry additional cost and friction, against user experience (UX), erring on the side of UX where possible.
In many ways, ATO risk management affords organizations the luxury of patience. Merchants have more time to see whether a suspicious login event leads to additional high-risk behavior, or if it turns out to be innocuous. Rather than being forced to decide whether an order attempt should be accepted, reviewed or declined immediately, an organization can allow a user to log in but with restricted account access or privileges. This “wait-and-see” approach supports a low-friction user experience, but maintains the option of presenting stronger authentication and friction later should the user try to make account changes, access profile data or use a stored payment method.
The luxury of patience is relative to an organization’s ATO risk exposure. Financial institutions, brokerages and cryptocurrency accounts must strive to stop ATO activity right away. Merchants, on the other hand, can take a more flexible approach when a login event has a moderate-to-low risk profile. As account takeover attempts continue to increase, it is worth considering this more flexible approach, where possible, for the positive impact it can have on UX.
In the first half of 2022, ATO activity spiked 131% year-over-year across the Sift network.
Strategies for a Layered Approach to Managing ATO Risk
The increase in ATO activity does not mean all users must suffer a deteriorating user experience. Organizations should consider the options they have for handling suspected account takeover and when to employ each option. These range from presenting bot checks, to two-factor authentication, to freezing or locking an account until the user can reset the password from a secure email link or even a customer service call. Each of these methods carries varying degrees of operational expense, third-party vendor expense and strain on UX, so merchants should reserve such responses for the sessions that warrant them.
The less considered option is to allow account access with no (or limited) additional friction, while restricting account access or capabilities until more confidence in the legitimacy of the user and their login session can be established. Again, this can be compared to the “fast-track” or low-risk screening model versus the higher-risk screening model, but rather than applying a different risk scoring model, users are given a different set of access privileges upon logging in. Where transaction risk screening has a normal path for most orders and a “fast-track” path for the most trusted users or transactions, applying this strategy to ATO risk gives the normal experience to users with no indication of ATO risk and a restricted-access session to those with low-to-moderate ATO risk signals.
“Failing to notify users that their information has been exposed due to ATO is a critical miss for businesses. Maintaining user trust is part of protecting revenue. Without immediate awareness of an account takeover, merchants and affected users can’t take action to stop the threat from spreading. Plus, the merchant can expect to eat the cost of any associated losses. Opportunity favors fraudsters who attack poorly secured accounts. They’re granted the freedom to use customer data and stored value over time, and stay undetected while they do it. They can use that camouflage to test data, or infiltrate other accounts connected to those same compromised credentials—even on completely different sites and apps where the user owns a login. Worse, they’ll quickly realize that no one is stopping them from doing it.”
Brittany Allen, Trust and Safety Architect at Sift
Here are some strategies and considerations when taking this dynamic and layered approach to ATO risk:
Assess the account data and personally identifiable information (PII) that increase your ATO risk exposure. PII that is sensitive or sought after should be obfuscated or simply not available until further authentication is performed. For example, when the user with some ATO risk attempts to view the account details or make account changes, step-up authentication is now presented. That user could browse, add items to their cart or engage in other harmless activity without being required to first pass this additional authentication.
If the user adds items to their cart and there is some suspicion of potential ATO, they should be treated like a new user or guest checkout rather than a trusted account with established rapport at checkout. This may be a customer who typically gets the “fast-track” in terms of risk screening. The problem, however, is that we aren’t entirely sure they truly are that customer. In case it is an unauthorized user accessing a legitimate consumer’s account, err on the side of caution by taking them off the “fast-track” or low-friction transaction risk screening path for this order.
Consider the compounding effects of risk signals. It is common for a user to ship a gift to a friend or family member and present a new shipping address. A shipping address that differs from the user’s normal shipping address and from their billing address is especially common during the holiday season. Whether positive or negative, risk signals need to be considered in the context of the other risk signals present in a given user session or order attempt. When a new shipping address is presented on top of previous ATO risk signals at login, this exacerbates the overall risk profile and increases the negative weight the new shipping address should add to the risk score. Machine learning model-based risk scoring takes this confluence of risk factors into account, but it is easily overlooked in a rules-based approach.
If ATO is even slightly suspected, do not allow unabated use of stored payment credentials. At a minimum, the user should be required to provide the CVV number to use a stored payment card, while the full card number remains obfuscated (showing just the last four digits). When any ATO risk signals were present at login, merchants should consider not allowing use of a stored payment method at all, instead requiring the full payment card or account number, expiration date, and CVV all be provided. The messaging to the user can remain vague, so as not to accuse them of ATO, for example by saying that every so often all saved payment credentials need to be re-verified.
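The restricted-session idea in the strategies above (gating profile access and account changes behind step-up authentication, withholding or CVV-gating stored payment methods, and leaving browsing and cart activity friction-free) can be expressed as a small policy engine. The following is an added example written for this page, not code from the article or from Sift; the signal names, weights, tier thresholds and action catalogue are constructed assumptions, and a real deployment would take its scores from a risk model rather than this hand-weighted sum.

```python
from dataclasses import dataclass, field
from enum import Enum


class Tier(Enum):
    TRUSTED = "trusted"        # no ATO signals at login: normal experience
    RESTRICTED = "restricted"  # low-to-moderate signals: wait-and-see session
    LOCKED = "locked"          # strong signals: no access until a secure reset


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "step_up"                  # present stronger authentication first
    REQUIRE_CVV = "require_cvv"          # stored card usable only with its CVV
    REENTER_PAYMENT = "reenter_payment"  # stored method withheld; full card details required
    DENY = "deny"


# Constructed login-stage signal weights (hypothetical, not tuned values).
LOGIN_SIGNAL_WEIGHTS = {
    "new_device": 2,
    "new_country": 3,
    "impossible_travel": 5,
    "known_credential_stuffing_ip": 4,
}
RESTRICT_AT = 1   # any signal at all moves the session off the normal path
LOCK_AT = 6       # constructed threshold for freezing the account

# Actions grouped by what they expose; a real catalogue would be larger.
HARMLESS = {"browse", "add_to_cart"}
SENSITIVE = {"view_profile", "change_email", "change_address", "change_password"}
PAYMENT = {"use_stored_payment"}


def login_score(signals) -> int:
    """Sum the weights of the signals observed at login (unknown signals count 1)."""
    return sum(LOGIN_SIGNAL_WEIGHTS.get(s, 1) for s in signals)


def assign_tier(signals) -> Tier:
    """Map the login-stage score onto an access tier for the whole session."""
    score = login_score(signals)
    if score >= LOCK_AT:
        return Tier.LOCKED
    if score >= RESTRICT_AT:
        return Tier.RESTRICTED
    return Tier.TRUSTED


@dataclass
class Session:
    user_id: str
    login_signals: set = field(default_factory=set)
    step_up_passed: bool = False  # flipped once the user clears step-up authentication

    @property
    def tier(self) -> Tier:
        return assign_tier(self.login_signals)


def decide(session: Session, action: str) -> Decision:
    """Gate one account action according to the session's access tier."""
    tier = session.tier
    if tier is Tier.LOCKED:
        return Decision.DENY
    if action in HARMLESS:
        return Decision.ALLOW            # browsing and cart activity never add friction
    if tier is Tier.TRUSTED:
        return Decision.ALLOW
    # From here on the session is RESTRICTED.
    if action in SENSITIVE:
        return Decision.ALLOW if session.step_up_passed else Decision.STEP_UP
    if action in PAYMENT:
        # Passing step-up raises confidence, but the CVV stays the floor once ATO is suspected.
        return Decision.REQUIRE_CVV if session.step_up_passed else Decision.REENTER_PAYMENT
    return Decision.STEP_UP              # unknown actions default to friction


def mask_pan(pan: str) -> str:
    """Show only the last four digits of a stored card number."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    return "*" * (len(digits) - 4) + digits[-4:]


if __name__ == "__main__":
    # Constructed session: a returning customer whose login came from a new device.
    s = Session("u-1001", {"new_device"})
    for a in ("browse", "add_to_cart", "view_profile", "use_stored_payment"):
        print(a, "->", decide(s, a).value)
    s.step_up_passed = True
    print("after step-up, use_stored_payment ->", decide(s, "use_stored_payment").value)
    print(mask_pan("4111 1111 1111 1111"))
```

The point of the design is that the tier is decided once at login and the friction is applied per action, so a restricted user can shop normally and only meets step-up when they reach for profile data or a stored card. A locked tier is included to show where the wait-and-see approach ends and the heavier responses from the section above take over.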
According to a consumer survey by Sift cited in their Q3 2022 Digital Trust and Safety Index, 42% of ATO victims had unauthorized purchases made on the impacted site using stored payment info.
How Machine Learning Risk Models Support a Layered Approach to ATO Risk Management
While the above strategies and considerations are possible using a rules-based approach to risk management, it would be difficult to implement and would require a complex set of compound logic rules just for user session and transaction attempt routing to the appropriate settings and nested rule sets. The aforementioned approaches to dynamic and layered ATO risk management would be implemented more effectively with a dynamic, model-based risk management architecture.
Consider both the models and the platform. The platform includes the operational components of designing how orders, or user sessions following each login event, will be routed. Sessions could be routed to different models based on risk profile, or to different user access privileges based on ATO risk. Beyond the session routing, ATO risk exposure must be considered in transaction risk screening model selection. An example would be putting an order through higher scrutiny, even though it comes from a normally trusted account, because this particular user session was associated with abnormal ATO risk at login. Model-based fraud scoring can take this into consideration and route the order to the appropriate set of models, should that login session lead to an order attempt.
Model-based risk scoring services may provide other benefits with ATO and transaction risk detection when it comes to performance of the models. If a service provider supports ATO risk detection and transaction risk detection, signals detected at the login event can feed into the risk signals at transaction screening, which supports the strategy discussed above about considering the compounding effect of multiple risk signals, even when these signals are observed at different stages of the user journey.
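To make the routing and compounding described in the two paragraphs above concrete (and the earlier strategy of weighting a new shipping address more heavily when ATO signals were already present at login), here is an added example that is not from the article or from Sift. It carries login-stage signals into checkout scoring, amplifies address-related order signals when the login was suspicious, and selects a screening path for the order. The signal names, weights, compounding factor and thresholds are constructed assumptions standing in for what a trained model would learn.

```python
from dataclasses import dataclass, field

# Constructed weights (hypothetical, not tuned). Login signals are observed at
# the login event; order signals at the transaction attempt.
LOGIN_WEIGHTS = {"new_device": 2, "new_country": 3, "impossible_travel": 5}
ORDER_WEIGHTS = {
    "new_shipping_address": 1,       # common on its own (gifts, holiday season)
    "ship_differs_from_billing": 1,
    "high_value_order": 2,
    "digital_goods": 2,
}

# Address changes are ordinary in isolation but far more telling when the
# session already carried ATO signals at login; this factor models that.
ADDRESS_SIGNALS = {"new_shipping_address", "ship_differs_from_billing"}
COMPOUNDING_FACTOR = 3

FAST_TRACK_ORDER_MAX = 2  # order-stage score a fast-track customer may carry
ENHANCED_AT = 6           # total score that routes to the higher-scrutiny model set


@dataclass
class CheckoutContext:
    user_id: str
    normally_fast_tracked: bool           # customer's standing before this session
    login_signals: set = field(default_factory=set)
    order_signals: set = field(default_factory=set)


def score_checkout(ctx: CheckoutContext):
    """Return (login_part, order_part, total) so the routing decision is explainable."""
    login_part = sum(LOGIN_WEIGHTS.get(s, 1) for s in ctx.login_signals)
    order_part = 0
    for s in ctx.order_signals:
        weight = ORDER_WEIGHTS.get(s, 1)
        if s in ADDRESS_SIGNALS and login_part > 0:
            weight *= COMPOUNDING_FACTOR   # new address on top of a suspicious login
        order_part += weight
    return login_part, order_part, login_part + order_part


def screening_path(ctx: CheckoutContext) -> str:
    """Pick the model set the order is routed to: fast_track, standard or enhanced."""
    login_part, order_part, total = score_checkout(ctx)
    if total >= ENHANCED_AT:
        return "enhanced"
    # The low-friction path is only kept when nothing was seen at login; any ATO
    # signal there takes an otherwise trusted customer off the fast track.
    if ctx.normally_fast_tracked and login_part == 0 and order_part <= FAST_TRACK_ORDER_MAX:
        return "fast_track"
    return "standard"


if __name__ == "__main__":
    gift = {"new_shipping_address", "ship_differs_from_billing"}
    # Constructed scenarios for the same trusted customer.
    clean_login = CheckoutContext("u-42", True, set(), gift)
    risky_login = CheckoutContext("u-42", True, {"new_device"}, gift)
    risky_no_address = CheckoutContext("u-42", True, {"new_device"}, set())
    for name, ctx in [("holiday gift, clean login", clean_login),
                      ("holiday gift, new device at login", risky_login),
                      ("new device at login, usual address", risky_no_address)]:
        print(f"{name}: score={score_checkout(ctx)} path={screening_path(ctx)}")
```

Run as a script, the same gift order scores 2 and stays on the fast track after a clean login, but scores 8 and is routed to enhanced screening when the login came from a new device, because the address signals are multiplied rather than merely added. The third scenario shows the milder case: a suspicious login with no order-stage signals does not reach the enhanced set, but it does cost the customer their fast track for this order.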
By taking a layered and multi-faceted approach to ATO risk, just as many organizations do with transaction risk, they are able to offer a better UX for the consumers who present some ATO risk, while strategically ratcheting up screening and authentication when and where it is needed. Merchants should take advantage of the additional time they are afforded with low-to-moderate ATO risk login sessions, rather than feel the need to act and intervene immediately, as long as they can limit the risks of potential ATO through restricted account visibility or access privileges.
Sift is the leader in Digital Trust & Safety, empowering digital disruptors to Fortune 500 companies to unlock new revenue without risk. Sift dynamically prevents fraud and abuse through industry-leading technology and expertise, an unrivaled global data network of 70 billion events per month, and a commitment to long-term customer partnerships. Global brands such as Twitter, AirBnB, and Twilio rely on Sift to gain a competitive advantage in their markets. Visit us at sift.com and follow us on Twitter @GetSift.