Tracy Metzger, chief operating officer, Vesta

Following a data breach of historic proportions at Equifax, consumers have been scrambling to protect their financial accounts and sensitive personal information. According to the Federal Trade Commission, 143 million American consumers had their identifying data exposed when criminals hacked into one of the nation’s largest credit reporting agencies.

The hackers accessed names, Social Security numbers, birth dates, addresses and, in some instances, driver’s license numbers. The sheer volume of information stolen in the breach, which lasted from mid-May through July, has presented an incredible opportunity for fraudsters to repurpose those credentials and defraud retailers. However, it’s important for e-commerce merchants to recognize where their greatest dangers lie.

The Biggest Risk for Retailers Isn’t Stolen Credit Cards

The good news is that a sharp increase in unauthorized transactions from “stolen” credit cards is not expected. The vast majority of the stolen data included static, personally identifiable information—not dynamic credit card credential data.

In this vein, retailers shouldn’t expect to see spikes in phony credit card transactions in the near future. Retailers should, however, expect an increase in account takeover (ATO) attempts…in due time.

The smart fraudsters know that retailers, card companies and regulators are on high alert now. They and their criminal syndicates will likely stash the stolen information and gradually misuse it in account takeover and other fraudulent attempts months down the line.

How ATO Works

Account takeovers occur when fraudsters use another person’s existing account information (e.g., username and password) to obtain products or services. ATO differs from typical unauthorized transactions in that the criminals use stolen account data (name, email, address, for instance) to take control of a customer’s account by resetting the username and password. They often change the physical address or phone number listed on the account as well to prevent the legitimate accountholder from discovering the theft.

Account takeover often takes longer to detect than other fraud types, as it can be more difficult to confirm that type of fraudulent activity occurred. Frequently, consumers do not realize ATO has happened until their retailer account rewards are depleted or charges to a saved credit card show up at the end of a billing cycle.

Javelin Strategy & Research’s most recent survey of retail fraud found that in 2017, account takeover fraud cost the average e-commerce retailer nearly $285,000. Given the incredible amount of data stolen in the Equifax hack, that number should rise significantly in 2018.

How to Combat ATO

Knowledge-based authentication questions (“What is your mother’s middle name?”) may not fully distinguish between the real customer and the fraudster if the latter has obtained sufficient data on the real customer to successfully answer the security questions.

On the other hand, device-recognition technologies, session analytics, and behaviometrics can be effective methods of combating account takeover fraud. A primary benefit of these methods is that they remain largely invisible to the customer, thereby contributing to fraud prevention with minimal disruption to the customer shopping experience.

Leveraging these newer fraud-management techniques does require retailers to increase their fraud technology spending to facilitate real-time integration into their authorization systems. But given the likelihood that the Equifax breach won’t be the last—or even the largest—of its type, these investments may be money well spent.

Vesta provides fraud-prevention and payment services to e-commerce companies.