The Simility Blog
How to Stop Account Takeover Attacks in Their Tracks
Jayan TharayilFebruary 25, 2020
Twenty-first century consumers live much of their lives online. To do so, they open accounts with a variety of internet-based companies — everything from banks, insurers, and social media providers to e-commerce stores. This makes life easier, with card details, loyalty points and personal information all stored in such accounts. But what happens when the bad guys manage to crack them open? They could have free reign to steal contact and payment details, make fraudulent purchases and even drain bank accounts.
We are now living in an era of “industrial-scale” account takeover (ATO) attacks like this, according to Aite Group.i Tackling this digital challenge will require banks, e-tailers and other businesses to be more proactive in applying preventative controls, starting with data-centric fraud prevention tools.
A Brief History Of ATO
It wasn’t always this way. Back in the early 2000s, cloned credit/debit cards and fraudulent checks were the predominant concern for US businesses. Then several related trends created a perfect storm for ATO to flourish. According to Aite Group, the first big catalyst was EMV, which threatened the business of fraudsters using counterfeit cards to make a living. Then came the gradual growth of online services and accounts, and consumer data began to flood the web. Hackers got wise to this lucrative new digital currency, personally identifiable information (PII), and online marketplaces selling and aggregating identity packages began to thrive.
Over the past two or three years, industrial-scale ATO has emerged as a result of rapid growth in digital services, the sheer volume of compromised identity information, including account logins, available on the dark web, and automated account cracking tools like credential stuffing scripts. Not only have attackers been able to leverage these to compromise accounts en masse, but they have also been able to set-up “drop accounts” at scale to deposit stolen funds into, according to Aite Group. Consequently, some affected banks have seen a 10-fold surge in ATO attacks.
The problem with ATO from the perspective of a victim business is that it’s hard to spot, because the attackers are using legitimate logins to pose as real customers. But it’s crucial that businesses find an effective way to detect imposters because there are multiple repercussions from large-scale ATO attacks:
- Customer Attrition and brand damage. Aite Group claims its possible for businesses to see thousands of clients terminate their relationship within just weeks
- Losses from customer reimbursements
- Losses from fraud tools that add extra friction, causing basket drop-outs
- Operational overheads due to extra call center burden from disgruntled customers
- Fraud admin overheads from failing tools that flag too many manual reviews
It’s vital that businesses find a way to proactively prevent this kind of ATO storm. Educating customers about best practices in security, especially around the use of passwords, is a good place to start.
The Simility Difference
Balancing customer experience while soundly defending account safety can only be optimized by a fraud prevention stack incorporating adaptive machine-learning and device recon capabilities. This allows businesses to detect anomalies outside of the typical user or network behaviors and apply all available contextual data to make an accurate decision in real-time.
To effectively tackle ATO fraud, businesses need to focus on gaining a 360-degree view of each customer. The best way of doing this is to find solutions that leverage data lake technology to combine multiple data sources and easily add more over time. This coupled with the power of machine learning to make sense of this data and spot anomalous patterns human eyes might miss — learning and evolving as those patterns change.
This is exactly what Simility’s industry recognized Adaptive Decisioning Platform does. We have the capabilities to automatically detect and block ATO attempts in real time without impacting the customer experience. It’s seamless fraud prevention where you need it most to help protect profits and preserve brand reputation.