Account takeover fraud: What is it and how can you protect your ecommerce store?

Account takeover fraud is one of the fastest-growing cyber threats today.

At Risk Ident we have noted up to a 300% increase in account takeover attempts on our eCommerce customers’ webstores in just the last year alone. Recently, O2 reportedly fell victim to account takeover attacks: customer usernames and passwords were allegedly obtained by fraudsters and used to defraud genuine customers.


But where is the problem coming from?


Often, poor personal security can make it far too easy for criminals to enter genuine accounts and wreak havoc. But fraudsters are a determined collective and we are also seeing increasingly sophisticated attempts to gain login data.


Once fraudsters are operating from within genuine customer eCommerce accounts, they can hide behind that account’s positive history – this makes them very difficult to find; it is not a simple task to distinguish fraudulent activity from authentic customer behaviour. In most cases, neither the account user nor the online platform realises what’s happening until it’s too late and the damage is done.


Staying secure online

Our modern demands for convenience have placed huge strains on account security. As shoppers, we want to enter as few details as possible into payment pages, particularly with mCommerce. Therefore, we tend to save our personal data in our user accounts. Also: think of the amount of personal information we leave available on our social media for anyone to find.


But loading and saving so many personal and financial details on our accounts can make it easier for hackers to buy products if they have obtained usernames and passwords.


The biggest danger comes when the fraudster uses this personal information to hijack existing accounts, masquerading as the genuine user. Usernames and passwords can be obtained from phishing attacks or malware installations, or even just by guessing easy passwords, such as ‘123456’.


Once the fraudster has taken control of the account, they can change the password to block out the legitimate user and begin causing chaos.


Spotting the needle in a thousand haystacks

An online account will often store everything a fraudster could need for eCommerce fraud, including addresses, birthdays and saved payment information. But the critical advantage of hijacking an existing account is trustworthiness.


Existing customers with a good track record are unlikely to be questioned by eCommerce merchants who appreciate their business. So-called conspicuous behaviours, like changing passwords or shipping addresses, will often be innocent actions by genuine customers.


As a merchant, how can you tell whether a fraudster or a genuine customer is in the account? A wrong move in either direction is costly: letting the fraudster through creates fraud damage, while a false alarm means lost revenue and a damaged relationship with the customer.

Link analysis sorts the wheat from the chaff


Once an account has been hijacked, fraudsters are keen to stay invisible for as long as possible. The good news is that there are signs that merchants can look out for, in combination with other indicators. Here are a few of them:


  • Conspicuous behaviour during the login process, like an unusual number of failed attempts,
  • A password change followed by behaviour that is unusual for the customer,
  • A change of address just before ordering,
  • Deviating customer behaviour, like purchasing an unusually expensive item or a high volume of goods,
  • Login attempts from different devices or places,
  • Suspicious device configuration that tries to hide the actual whereabouts,
  • Change of operating system and/or switching to an older browser version,
  • Login via a proxy server or VPN,
  • Login with an already-known suspicious device.


Once an eCommerce merchant has noted these indicators, they have two options for deciding whether or not to take action.


The first option is a rule-based system. By assigning a specific score to each perceived threat, the merchant can add the scores to create a total risk score. This figure can help generate an informed estimate of whether a transaction is likely to be fraudulent or not.
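As an added illustration of the rule-based option (example code written for this page, not Risk Ident's product or anything the article itself provides), the following scorer turns the indicator list above into weighted rules evaluated against a login-plus-order event and the account's known history, sums the points of the rules that fire, and maps the total to an action. All field names, weights, thresholds and sample accounts are constructed assumptions; a real deployment would tune the weights against its own chargeback and false-alarm data.

```python
"""Rule-based account-takeover (ATO) risk scoring for an eCommerce checkout.

Every rule pairs one indicator from the article's list with a fixed score. The
total of the rules that fire is compared against two thresholds: one that
triggers step-up verification or manual review, and one that holds the order.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, List, Optional, Set, Tuple


@dataclass
class AccountHistory:
    """What the merchant already knows about the genuine customer (constructed)."""
    known_devices: Set[str]
    usual_countries: Set[str]
    avg_order_value: float
    max_browser_version: int                 # highest browser major version seen so far
    last_password_change: Optional[datetime] = None
    last_address_change: Optional[datetime] = None


@dataclass
class SessionEvent:
    """The login and order being evaluated right now (constructed)."""
    at: datetime
    device_id: str
    country: str
    browser_version: int
    failed_logins: int
    order_value: float
    via_proxy_or_vpn: bool
    geo_hiding_signals: bool                 # e.g. timezone/locale disagreeing with the IP


# A rule is (name, score, predicate(history, event) -> fired?)
Rule = Tuple[str, int, Callable[[AccountHistory, SessionEvent], bool]]

KNOWN_BAD_DEVICES = {"dev-badf00d"}          # constructed deny-list of device fingerprints
RECENT = timedelta(hours=24)                 # "just before ordering" window (assumption)


def _within(stamp: Optional[datetime], now: datetime) -> bool:
    return stamp is not None and timedelta(0) <= now - stamp <= RECENT


RULES: List[Rule] = [
    ("many_failed_logins", 25, lambda h, e: e.failed_logins >= 5),
    ("password_changed_recently", 20, lambda h, e: _within(h.last_password_change, e.at)),
    ("address_changed_before_order", 20, lambda h, e: _within(h.last_address_change, e.at)),
    ("order_value_outlier", 15, lambda h, e: e.order_value > 3 * h.avg_order_value),
    ("new_device", 15, lambda h, e: e.device_id not in h.known_devices),
    ("unusual_country", 15, lambda h, e: e.country not in h.usual_countries),
    ("geo_hiding_config", 10, lambda h, e: e.geo_hiding_signals),
    ("older_browser", 10, lambda h, e: e.browser_version < h.max_browser_version),
    ("proxy_or_vpn", 10, lambda h, e: e.via_proxy_or_vpn),
    ("known_bad_device", 40, lambda h, e: e.device_id in KNOWN_BAD_DEVICES),
]

REVIEW_THRESHOLD = 40    # step-up verification or manual review
BLOCK_THRESHOLD = 80     # hold the order


def score_event(history: AccountHistory, event: SessionEvent) -> Tuple[int, List[str]]:
    """Return the total risk score and the names of the rules that fired."""
    fired = [name for name, _, pred in RULES if pred(history, event)]
    total = sum(pts for name, pts, _ in RULES if name in fired)
    return total, fired


def decide(total: int) -> str:
    """Map a total score to an action."""
    if total >= BLOCK_THRESHOLD:
        return "block"
    if total >= REVIEW_THRESHOLD:
        return "review"
    return "allow"


# Constructed sample data: one long-standing customer profile, plus the same
# profile after a password and address change in the last few hours.
NOW = datetime(2016, 11, 22, 12, 0, 0)
HISTORY = AccountHistory({"dev-1a2b"}, {"DE"}, avg_order_value=60.0, max_browser_version=118)
HISTORY_AFTER_CHANGES = AccountHistory(
    {"dev-1a2b"}, {"DE"}, 60.0, 118,
    last_password_change=NOW - timedelta(hours=2),
    last_address_change=NOW - timedelta(minutes=30),
)
GENUINE = SessionEvent(NOW, "dev-1a2b", "DE", 118, 0, 55.0, False, False)
AMBIGUOUS = SessionEvent(NOW, "dev-new", "DE", 117, 1, 200.0, False, False)
TAKEOVER = SessionEvent(NOW, "dev-9z9z", "US", 110, 6, 450.0, True, True)


if __name__ == "__main__":
    for label, hist, ev in [("genuine", HISTORY, GENUINE),
                            ("ambiguous", HISTORY, AMBIGUOUS),
                            ("takeover", HISTORY_AFTER_CHANGES, TAKEOVER)]:
        total, fired = score_event(hist, ev)
        print(f"{label:9s} score={total:3d} action={decide(total):6s} fired={fired}")
```

Returning the list of fired rules alongside the score is what makes the rule-based approach reviewable: an analyst can see which of the article's indicators contributed, and a rule that keeps firing on genuine customers (a shipping-address change on its own, say) can have its weight lowered without retraining anything.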


The other option is machine learning technology. These systems scan vast datasets, identifying patterns and irregularities while learning from the information as they process it. New models are continually created and better algorithms are constantly evolved to perform link analysis and make more accurate decisions on fraud.


Fight back with man and machine


All over the world, fraudsters are developing their techniques and mounting new forms of attack. Machine learning software keeps eCommerce merchants ahead of the game by adapting to changing threats and learning continuously from the available data. This makes the algorithms stronger and fraud prevention more precise.


But merchants should be aware that a machine is not a replacement for a human being with years of experience fighting fraud. Yet the two entities can complement each other perfectly. This strategy is being taken up by merchants across the world and is becoming ever more critical in the successful fight against account takeover fraud.



Roberto Valerio

CEO, Risk Ident

Roberto Valerio is the CEO of Risk Ident, a German software engineering company specialising in fraud prevention for the ecommerce, telecoms and financial services sectors. It was built from the domain knowledge of Europe’s second largest online retailer (after Amazon), the Otto Group, providing it with the data and the experience needed to spot fraud.


Roberto leads Risk Ident, a European leader in fraud prevention, by combining the passionate mentality of a start-up with the knowledge and experience of one of the world’s largest online retailers to protect online businesses from fraud. He is extremely knowledgeable about modern security threats, passionately building a team of data scientists at Risk Ident to promote software development for the modern solution to fraud.


He is an experienced public speaker, having spoken at Merchant Risk Council and Finovate events recently. Roberto is also a web entrepreneur and a technology addict with business skills in programming.

November 22, 2016