Fraudsters are something like determined fashionistas, constantly changing their look, always hoping to surprise.
And if there were a head-turning ensemble for fraudsters this season, it would prominently feature the account takeover, as fraud rings take advantage of rich troves of stolen identity information to slip into the online accounts of unsuspecting consumers. That probably comes as no surprise given the ongoing announcements of high-profile consumer data breaches.
Account takeover assuredly isn’t new. It’s always been a go-to technique for certain fraudsters, but between 2016 and 2017 fraud losses due to this type of e-commerce crime saw an 80 percent increase, according to an analysis of billions of transactions over a two-year period by Signifyd. Fraud losses are defined as the percentage of total transactions identified as potentially fraudulent, including both successful fraud attempts and orders declined because of the suspicion of fraud.
Fraudsters obtain log-in credentials and credit card information through social engineering, by hacking databases or by simply buying them in bulk on the Dark Web, which offers batches of credit card numbers complete with expiration dates, CVV codes (obtained from specialized fraud operations) and often even more personal information.
As the data shows for every industry we’ve analyzed, the massive amounts of personal data that have been hacked over the past few years may have finally come back to haunt e-commerce merchants through rising account takeover fraud losses.
Once a fraudster has the credentials to take over an account, he or she has complete control. The fraudster can change the password, locking out the rightful owner; alter the shipping address, making it easier to take delivery of a product; or modify any other aspect of the account.
Fraudsters constantly shift their methods in an attempt to stay a step ahead of fraud-prevention strategies and tools. Account takeover has been on the rise for some time, with Javelin Strategy & Research noting a 31 percent increase from 2015 to 2016, according to CNBC.
However, the significant increase last year saw account takeover losses rise from 0.25 percent to 0.45 percent of total orders, raising serious concerns among e-commerce cybersecurity experts.
The opportunity for fraudsters to break into consumers’ accounts continues to increase dramatically as the number and scope of data breaches rise. (Remember Equifax and the 148 million accounts that were breached?) When device-identification company ThreatMetrix compared data-breach activity from the third quarter of 2016 with the third quarter of 2017, it found that the number of cyber attacks it identified and thwarted had doubled.
Fraudsters are leveraging a vast online marketplace of stolen information to probe existing online consumer accounts, hoping to find their weakest link. For instance, once a fraud ring has the user name and password for one user account, it will build automated systems to test these log-in credentials across all the user’s accounts on the web. Unfortunately, most consumers continue to use the same user name and password across all their accounts—a habit fraudsters take full advantage of.
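The automated credential testing described above leaves a recognizable footprint in a merchant's authentication logs: one source tries many distinct user names in a short window, most attempts fail, and the few successes are the "validated" credentials the fraud ring will come back for. The following is an added example, not code from the original article or from Signifyd; the log line format, the thresholds and the sample entries are constructed assumptions for illustration.

```python
"""Flag credential-stuffing sources in login logs and list the accounts
that need step-up verification.

Added example, not from the original article. Assumed log format:
    <timestamp> <client-ip> <username> <OK|FAIL>
Thresholds are illustrative, not a recommended production setting.
"""
import re
from collections import defaultdict

# Constructed sample log: one source cycling through many user names
# (classic stuffing pattern) plus two ordinary customers logging in.
SAMPLE_LOG = """\
2017-11-02T10:00:01Z 203.0.113.7 alice FAIL
2017-11-02T10:00:02Z 203.0.113.7 bob FAIL
2017-11-02T10:00:02Z 203.0.113.7 carol FAIL
2017-11-02T10:00:03Z 203.0.113.7 dave OK
2017-11-02T10:00:03Z 203.0.113.7 erin FAIL
2017-11-02T10:00:04Z 203.0.113.7 frank FAIL
2017-11-02T10:00:04Z 203.0.113.7 grace FAIL
2017-11-02T10:00:05Z 203.0.113.7 heidi OK
2017-11-02T10:00:05Z 203.0.113.7 ivan FAIL
2017-11-02T10:00:06Z 203.0.113.7 judy FAIL
2017-11-02T10:01:10Z 198.51.100.4 alice FAIL
2017-11-02T10:01:25Z 198.51.100.4 alice OK
2017-11-02T10:02:00Z 192.0.2.9 bob OK
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (OK|FAIL)$")


def parse_log(log_text):
    """Yield (timestamp, ip, user, success) tuples, skipping malformed lines."""
    for line in log_text.splitlines():
        match = LINE_RE.match(line.strip())
        if match:
            ts, ip, user, result = match.groups()
            yield ts, ip, user, result == "OK"


def find_stuffing_sources(log_text, min_attempts=8, min_distinct_users=5,
                          min_failure_rate=0.6):
    """Return {ip: stats} for sources whose pattern looks like credential
    stuffing: many attempts, many distinct user names, mostly failures.

    A single customer mistyping a password fails the distinct-user test,
    so ordinary login trouble is not flagged.
    """
    per_ip = defaultdict(lambda: {"attempts": 0, "failures": 0,
                                  "users": set(), "succeeded": set()})
    for _ts, ip, user, ok in parse_log(log_text):
        stats = per_ip[ip]
        stats["attempts"] += 1
        stats["users"].add(user)
        if ok:
            stats["succeeded"].add(user)
        else:
            stats["failures"] += 1

    flagged = {}
    for ip, stats in per_ip.items():
        failure_rate = stats["failures"] / stats["attempts"]
        if (stats["attempts"] >= min_attempts
                and len(stats["users"]) >= min_distinct_users
                and failure_rate >= min_failure_rate):
            flagged[ip] = {
                "attempts": stats["attempts"],
                "distinct_users": len(stats["users"]),
                "failure_rate": round(failure_rate, 2),
                "validated_accounts": sorted(stats["succeeded"]),
            }
    return flagged


def accounts_needing_step_up(log_text, flagged=None):
    """Accounts that a flagged source logged into successfully. These are
    the credentials the fraud ring has just confirmed as valid, so they
    warrant forced re-authentication or a password reset, not just a
    blocked IP."""
    if flagged is None:
        flagged = find_stuffing_sources(log_text)
    accounts = set()
    for stats in flagged.values():
        accounts.update(stats["validated_accounts"])
    return accounts


if __name__ == "__main__":
    hits = find_stuffing_sources(SAMPLE_LOG)
    for ip, stats in hits.items():
        print(f"{ip}: {stats}")
    print("step-up required for:", sorted(accounts_needing_step_up(SAMPLE_LOG, hits)))
```

Blocking the flagged address alone is the weaker response: the rest of the credential list will simply be replayed from another network. Treating the successful logins from a flagged source as compromised, and requiring those customers to re-verify before any account detail or shipping address can be changed, is what actually denies the takeover.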
How do fraudsters actually obtain the products? While many retailers have flagging mechanisms in place for when a large order closely follows a customer changing her physical address, fraudsters sometimes have the item shipped to the cardholder’s actual address and then reroute the package to a drop site during shipping. Sometimes they also ship items directly to drop sites, where they are received and then sent out for resale. Here’s a good description of how innocent people are tricked into operating drop sites for fraudsters. When fraudsters can’t have orders rerouted or shipped to their drop site, there is also the more dramatic option of porch theft, which is happening at an unprecedented scale across the country.
“What has become more and more evident this year, is that stolen identity has an almost instant impact on attacks that we see in the network,” ThreatMetrix concluded in its “2017 Q3 Cybercrime Report.” “Fraudsters capitalize on the new blood of fresh credentials, acting fast with mass identity testing bot attacks, using validated credentials to takeover trusted user accounts, open fraudulent new ones, and make a vast swath of bad payments with stolen credit card data.”
The increase in account takeover is happening at a time when online fraud in general is on the rise. Signifyd fraud index data saw a 7 percent increase in online fraud losses overall, but the rise was not evenly distributed across retail verticals.
For instance, department stores, cosmetics and perfume sellers, and jewelry and luxury watch merchants were hit hardest by account takeover fraud losses, with increases ranging from 194 percent to 285 percent. For online jewelry sites, account takeover fraud losses have now come to represent 1.24 percent of all orders.
Overall, the increase in e-commerce fraud losses was hardest on cosmetic and perfume sellers, who saw a 102 percent increase between 2016 and 2017, as the sector’s fraud losses hit more than 5 percent of orders. The vertical collectively is somewhat more susceptible to fraud attacks, given significant market growth with new merchants, which tend to be more vulnerable targets than long-established players.
Department stores and jewelry and luxury watch merchants also experienced significant increases in overall e-commerce fraud losses, seeing their rates rise by 48 percent and 30 percent, respectively.
All of which raises a question: What can retailers do to stem the increase in fraud, particularly when it comes to account takeover?
Password refresh: One key thing fraudsters have going for them when it comes to account takeover is the common practice among consumers of reusing the same user names and passwords on many sites across the web. Once a criminal cracks the code, a world of possibilities opens up. It’s important to consider requiring registered users to create a new password on a regular basis, or at least nudging them to do so on their own.
The downside is that customers are likely to feel inconvenienced. It’s better to explain the reason for the new password requirement in an approachable and friendly way. This may seem somewhat simple, but it’s generally something you see with your email or banking log-ins. It’s less frequently employed by retailers, making them easier targets.
Watch for behavior changes: Is a known customer suddenly behaving differently online? Is your registered customer coming to you from a different IP address? Is a known user heading straight to a given product, rather than browsing and considering alternatives, as he or she normally would? Are they sorting by price, starting with the most expensive items? Take extra steps to verify the identity of customers exhibiting new shopping personalities.
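The signals listed above (a new network, skipping straight to a product, sorting most-expensive-first, and account details changing in the same session) can be turned into a simple per-customer deviation score that decides when to ask for extra verification. This is an added example, not code from the original article or from Signifyd; the profile fields, weights, threshold and sample sessions are constructed assumptions.

```python
"""Score a known customer's session against their usual behavior and decide
whether to require step-up verification before checkout.

Added example, not from the original article. Profile fields, weights and
the threshold are constructed assumptions for illustration.
"""
from dataclasses import dataclass, field


@dataclass
class CustomerProfile:
    """What this customer normally looks like, built from past sessions."""
    customer_id: str
    usual_networks: set = field(default_factory=set)  # /24 prefixes seen before
    median_pages_before_cart: int = 10                # how much they usually browse
    usually_sorts_price_desc: bool = False


@dataclass
class Session:
    """Observations from the current visit."""
    customer_id: str
    ip: str
    pages_before_cart: int
    sort_order: str                     # "relevance", "price_asc" or "price_desc"
    password_changed: bool = False
    shipping_address_changed: bool = False


STEP_UP_THRESHOLD = 4   # assumed; tune against your own false-positive rate


def network_of(ip):
    """Coarse /24 bucket so a customer's home ISP pool still matches."""
    return ".".join(ip.split(".")[:3])


def score_session(profile, session):
    """Return (score, reasons). Each reason is one deviation from the
    customer's established pattern; weights reflect how strongly each
    signal points at a takeover rather than ordinary variation."""
    score, reasons = 0, []

    if network_of(session.ip) not in profile.usual_networks:
        score += 2
        reasons.append("login from a network never seen for this customer")

    # "Heading straight to a given product": far fewer pages than usual.
    if session.pages_before_cart <= max(1, profile.median_pages_before_cart // 4):
        score += 2
        reasons.append("went straight to product without browsing")

    if session.sort_order == "price_desc" and not profile.usually_sorts_price_desc:
        score += 1
        reasons.append("sorted by price, most expensive first")

    # Password plus shipping-address change in one session is the classic
    # lock-out-and-redirect sequence; weigh it heavily.
    if session.password_changed and session.shipping_address_changed:
        score += 3
        reasons.append("password and shipping address changed in the same session")
    elif session.shipping_address_changed:
        score += 1
        reasons.append("shipping address changed")

    return score, reasons


def needs_verification(profile, session):
    """True when the session deviates enough to hold the order for
    identity re-verification (e-mail/SMS code, call-back, etc.)."""
    score, _ = score_session(profile, session)
    return score >= STEP_UP_THRESHOLD


# Constructed sample data.
PROFILE = CustomerProfile("cust-42", usual_networks={"192.0.2"},
                          median_pages_before_cart=12)
NORMAL_SESSION = Session("cust-42", "192.0.2.15", pages_before_cart=10,
                         sort_order="relevance")
SUSPICIOUS_SESSION = Session("cust-42", "203.0.113.7", pages_before_cart=1,
                             sort_order="price_desc", password_changed=True,
                             shipping_address_changed=True)

if __name__ == "__main__":
    for s in (NORMAL_SESSION, SUSPICIOUS_SESSION):
        score, reasons = score_session(PROFILE, s)
        print(f"{s.ip}: score={score} verify={needs_verification(PROFILE, s)} {reasons}")
```

The score is deliberately additive and explainable: when an order is held, the reasons list tells the fraud analyst (and, in friendlier wording, the customer) exactly why, which keeps the step-up from feeling arbitrary.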
Help your customers: Encourage customers to use unusual passwords complete with numbers, letters and symbols. Offer your customers two-factor authentication as an extra measure of protection. Explain why the extra step is worth the extra effort. Explain the practice of phishing and explain the dangers of providing personal information in response to unsolicited emails, texts or social media contacts. Consider creating a data safety resource page, with helpful tips and resources for customers.
This is never more important than after a highly publicized breach. When consumers see a breach affecting hundreds of millions of people and are notified that they may be among them, they often adopt a “needle in a haystack” mentality. However, what consumers—and many retailers—don’t understand is the sophistication of cyber criminals today. The Dark Web is full of bad actors using technology just as sophisticated as the technology the good guys are using to fight them.
Regardless of your vertical, size, price points or practices, retailers are only half of the equation. Your customers present just as much risk to your operation as your security practices and technology do. But it’s not like you’ll be able (or would want to) blame them.
This is what makes the account takeover threat so complicated. It’s a rather unsophisticated way, comparatively, to commit fraud, but it’s quite complicated to manage. And some of its most damaging consequences are often on the customer experience end.
In the age of Amazon, where competing on price often doesn’t cut it, retailers differentiate on experience. And, if you’re finding that fraud—especially account takeover fraud—is not a customer experience problem, then you’re one of the lucky ones. But, it’s time for all online retailers to understand the current state of fraud threat, so your luck doesn’t run out.
Signifyd provides fraud-prevention services to online retailers.