ATO: The Threat of Compromise

When evaluating a fraud prevention strategy for your business, it’s important to consider the myriad of ways bad actors can attempt to defraud you.

In a previous post, we discussed edge cases, which are customer transactions too complicated for a machine learning (ML) fraud prevention model to accurately decision. These edge cases are best handled by a human intelligence team conducting manual review.

One particularly evasive type of edge case is the account takeover (ATO), where bad actors compromise existing accounts rather than creating new ones.

According to the MRC 2023 Ecommerce Payments and Fraud Report, account takeover (ATO) is the 6^th most common type of fraud, with 27% of merchants having been impacted by it in 2023 so far. This type of fraud is most common in the LATAM region and in Enterprise-size businesses.

ATO vs the Machines

As with other types of edge cases, ATO cannot be accurately detected by ML models. This is for a variety of interconnected reasons. To start, ATO fraud is complicated, and ML models do much better with straightforward fraud. This issue is exasperated by the limited number of ATO cases that can be fed to the ML for training. ATO is a persistent and growing thorn in the side of ecommerce platforms, but fraud from newly created accounts is still more prevalent. With ATO being more complicated and with less data to train the models, ML simply cannot keep up.

Even if ML models were up to the challenge, many merchants restrict monitoring to new accounts, with scrutiny peaking between the time of account creation and initial purchase or signup. This timeframe is where fraud from new accounts is most likely to be identified, so the focus here makes sense.

But ATO has not usually occurred yet at this stage, as it usually impacts more established accounts. That’s a deliberate choice on the part of bad actors – they know there is less scrutiny on established accounts so the ones who want to bypass fraud detection systems put their attention on compromising accounts that have already been through initial inspection (either by ML or manual review).

There are other perks to compromising an established account, as these accounts are frequently awarded freedoms and benefits that would not be given to a newer account – such as higher billing thresholds (particularly for post-pay services), rewards points, and access to more expensive or exclusive product catalogs. These established accounts have built up trust with the merchant and are presumed to be trustworthy. This is exactly what makes them ideal targets for ATO from bad actors.

Detecting ATO

With ML at a disadvantage, merchants find that ATO detection is most successful when driven by a human intelligence team. One place for your team to start may be setting up anomaly detection alerts. This can be done manually, through rule-stacks, or with AI – depending on your unique situation.

Anomaly Alerts

A smaller business with a smaller customer base may find manual anomaly tracking sufficient. An enterprise-sized business may find anomaly alerting an ideal job for a specially-trained ML model. This model should be focused on learning typical customer behavior such as spending trends for different account types. When an account deviates from these norms, the model can flag the account for manual review.

Manual review is recommended in these cases to prevent potential false positives (errant account closures) by an ML model. There could be many legitimate reasons for a spike outside of normal parameters, and a human intelligence team is in the best position to be able to seek those reasons out.

Alerts can also be set on other patterns of normal customer behavior such as login activity, purchase frequency, and other account traffic markers.

Customer Support

ATO is also frequently detected through customer reporting. Most businesses have some form of customer support through which customers can raise concerns about their accounts. To properly respond to ATO concerns, this customer support team should either be trained in fraud detection or be in coordination with a team who can fill that need.

Specific training in ATO detection and account recovery is necessary here to provide the best customer experience possible. Customers who notice suspicious activity on their accounts (or who have been locked out of their accounts entirely due to takeover) will have concerns that need to be addressed, both physically and mentally.

Your team needs to be able to recover the account quickly and then provide the customer with the assurance they need to feel safe doing business on your platform in the future. Empathy is important; your team needs to realize this is a scary situation for the customer, and that correct handling of the situation can make the difference between brand loyalty and losing a customer.

Indicators of ATO

Apart from the customer loyalty – and, by extension, brand reputation – implications of ATO mentioned above, your business may also be liable for chargebacks on purchases made from a compromised account. That’s why it’s important for your team to detect and contain ATO early in its lifecycle.

One early sign of potential ATO is a sudden change in login location, especially if it’s from an unknown device. If login activity is not tracked on your platform, there are other ways to detect potential ATO. Bad actors, having gained access to an account, will frequently take action to prevent recovery by the legitimate account owner – including changing the account password or other account data such as the email associated to the account. The payment instrument, however, will normally be left as-is so the bad actor can take advantage of making purchases on someone else’s tab.

On storefronts, accounts that have been compromised will frequently change purchasing pattern (either to suddenly buying large dollar items or to buying a high quantity of lower dollar items). On marketplaces where the customer is selling or advertising something, you could expect to see product or ad content change as the bad actor takes advantage of the legitimate account’s established traffic to further their own agendas.

It’s important to remember that ATO is rarely the action of individuals. This is a concentrated fraud attack driven by an organized fraud ring, and their end goal is to use compromised accounts to make money. Bad actors actually spend money to compromise your account (buying stolen information on the dark web, for example), so they need to keep the account under their control long enough to turn a profit. Your team’s fraud prevention goal should be to shut these bad actors down before that can happen, and to return the account to the customer as quickly as possible.

But of course, even with the indicators listed above, ATO is never a foregone conclusion. Legitimate customer behavior can and does include suddenly logging in from new locations on new devices, or suddenly changing purchase patterns. Human behavior is complex, and it takes an experienced eye to differentiate ATO from legitimate changes. This is why we recommend a full manual review by a human intelligence team on these anomalies rather than relying solely on an ML model or AI.

Containing the ATO

As mentioned earlier, having a customer support team trained in handling ATO is crucial to customer retention. This point comes even more into focus when talking about compromise containment. After an ATO has been detected, the next logical step is to try to return control of the account back to the legitimate account owner.

Usually this will involve suspending the account temporarily to lock out the bad actor. You’ll need to work with the legitimate customer to grant them access and most likely walk them through resetting their password. If the account is related to an advertising or marketplace platform, your customer support team may need to work closely with the legitimate customer to identify and remove anything the bad actor may have changed or added while the account was in their control.

Customers will also expect to be refunded in these situations for any money the bad actor spent using the customer’s payment instrument. Providing refunds up front at this point will not only provide better customer experience, but it will prevent chargebacks down the line for those amounts spent.

Keeping Your Customers Safe

Bad actors generally compromise accounts by using credential lists of usernames and passwords purchased on the dark web. These lists have traditionally been generated from information stolen during data breaches.

While this is still prevalent, SpyCloud’s 2023 Annual Identity Exposure Report indicates another rising trend: 48.5% of exposed credentials in 2022 were stolen using infostealer malware programs distributed via botnets. These programs are designed to infiltrate your machine or system and collect information – particularly credentials and other information from browser session cookies. This new method may be cheaper than traditional data breaches and can provide fresher stolen data than can often be found in many dark web credentials lists.

So what can you do to keep your customers safe against attacks like these? The most important step is to put a robust fraud prevention strategy in place – one that includes a human intelligence team to drive anomaly creation and review, as well as manage customer experience. Your human intelligence and customer outreach teams should also focus on customer education. Many customers are concerned about internet and data security, but most don’t know how to become more secure.

Your team should be empowered to help with this by providing practical advice to customers:

• Customers should use complex passwords. According to SpyCloud’s report, the number one most reused password in government agencies is ‘123456’. Trends are similar for the general public. This is an issue because, according to one source, passwords like these can be cracked in under one second.
• Customers are particularly at risk if they reuse passwords – and unfortunately, many people do. Referring back to SpyCloud’s report, there was a 72% password reuse rate among those impacted by data breaches in 2022.
• The best way for customers to keep their passwords (and their data) secure is to use reputable password management software. Forbes recently released a list of suggestions on which managers are best.
• With infostealer malware focused heavily on browser session cookies, customers should clear their browser cache and cookies often. LinkedIn suggests clearing them at least once a month, though more often would be better.
• Customers should also turn off autofill data and refrain from saving passwords in their browsers. This will limit the amount of data a bad actor can harvest if your system becomes infected with malware.

Beyond these steps, we’d also suggest implementing multifactor authentication on your platform. In fact, if you haven’t done so already, we’d suggest implementing Strong Customer Authentication (SCA), which is required for doing business within the European Economic Area or EU. SCA isn’t required globally, but MRC reports that about 50% of merchants have completed implementation, and it’s likely this will become industry standard.

Account takeover is a persistent issue for merchants and customers alike, causing fraud loss, reputation damage, and potentially shaking brand loyalty. But with your help – and the help of a human intelligence team driving fraud prevention strategy – your customers can be assured that you’re doing everything in your power to keep them and their accounts safe.