Account Takeover Fraud

Table of Contents

1. What Is Account Takeover Fraud?
2. How Can Merchants Prevent Account Takeover Fraud?
3. How Should Merchants Handle Account Takeover Fraud?

Along with credit card fraud, account takeover fraud is one of the most common threats faced by e-commerce merchants. Enterprise merchants are especially vulnerable, since the larger a business is, the more likely fraudsters are to launch phishing attacks impersonating that business. To make matters worse, account takeover fraud is far more difficult to detect and prevent than credit card fraud.

When a customer discovers that their account has been compromised and used to make fraudulent orders, they'll file a chargeback. They're also likely to blame the merchant for the breach, even if it was them who unknowingly led the fraudster in. When a customer loses trust in a merchant to keep their information secure, they're unlikely to do business with that merchant again. What do merchants need to know about account takeover fraud, how to detect it, and how to prevent their customers from falling victim?

Fraud often manifests as an external threat: a fraudster acquires a stolen credit card, targets a vulnerable (or lucrative) merchant, and creates a new account. Frequently, they will engage in card testing before placing a larger or more costly order. Many of the most effective anti-fraud tools are designed to prevent this from happening by identifying fraud indicators or unusual orders originating from new accounts.

Account takeover fraud uses existing accounts that already have an order history and saved payment credentials, bypassing many common fraud detection methods. If your anti-fraud measures don’t include protections against account takeover fraud, that’s like having a house with a deadbolt, security camera, and guard dog at the front door—and an unlocked screen door in the back.

To commit account takeover fraud, all a fraudster needs is the means to access a legitimate customer’s account on an e-commerce site. Usually, this only requires a username and password. Usernames can be easy to find or guess—many sites make email addresses the customer’s default username—so the real challenge for the fraudster is to obtain a valid password for a known account.

There are endless ways for a fraudster to figure out somebody’s password, but here are a few of the most common methods:

Phishing

Phishing is one of the most common ways fraudsters obtain credit card numbers, personal information, and passwords. Even if a phishing email is so obvious that 99.9% of people won't fall for it, it's not difficult for fraudsters to send out tens of millions of these emails, resulting in tens of thousands of replies.

While payment credentials themselves are a common target of phishing emails, larger e-commerce merchants often find their customers specifically targeted.

For example, a fraudster might create a login page designed to look exactly like PayPal's, then send an email that appears to be from PayPal asking the recipient to click the link and log in. Anyone who does so gives their real account information to the fraudster.

Credential Stuffing

The internet is a big part of our lives now, and that means that the typical individual has dozens of different account login and password combinations to keep track of. Many people give up on best security practices and choose login credentials they can easily remember, which means they reuse a lot of the same usernames and passwords for different sites.

This is great news for fraudsters, who can often gain access to multiple accounts if they can find one working set of credentials. “Credential stuffing” refers to the practice of trying out a set of known credentials on multiple websites, often with the help of automated bots. A password stolen from a low-security site may lead to an account on a site with better security being compromised.

Credential Cracking

Credential cracking is what's commonly referred to as a “brute force” attack. This involves trying to guess the correct password to an account by using automated software that makes multiple login attempts with a different password each time.

The key difference between credential stuffing and credential cracking is that the former takes a valid set of credentials and tries to guess which sites they can be used to access, while the latter takes a specific target and tries to guess what password will work on it.

Credential cracking bots might use lists of dictionary words, previously stolen passwords, commonly used passwords, or other data sources to inform their password guesses.

Once the fraudster is inside the hacked customer account, there are various ways they can exploit it for personal gain, depending on the nature of the site. Some fraudsters will discreetly log out and sell the verified credentials to other criminals on the dark web, others will change the customer’s shipping address and place orders for things they can keep or resell.

Unfortunately for merchants, you can see from the takeover methods discussed above that the biggest point of vulnerability for account takeover fraud is the customers themselves. Complex passwords can be hard to keep track of, and while customers might use strong passwords for their online bank accounts and email, they’re likely to go for something simple and easy to remember when they’re signing up to place a quick order with an e-commerce site.

As a merchant, you have the power to require strong passwords, two-factor authentication, CAPTCHAs, and other added security protocols for your site.

Some customers may be put off by too much security, so merchants must always carefully weigh how much friction they can get away with adding to their customers’ experience.

Just remember, when a customer becomes a victim of account takeover fraud, there’s almost always a part of them that will be angry with the merchant for not doing a better job of protecting them—even if their password was password1234. You have to be realistic about the damage that fraud can potentially do not just to your revenue but to your reputation.

Network tools can help you identify and block the traffic associated with malicious bots, which will often hail from the same suspicious IP address or geolocation. The telltale signs of account takeover attempts aren’t that hard to spot; you’ll typically see lots of failed login attempts with both stuffing and cracking attacks, and password or shipping address changes often follow a successful attack. By monitoring your network and order activity, you can establish processes to investigate and respond to account takeover fraud.

While merchants should verify these claims by examining network traffic and access logs, the last thing you want to do is stonewall them until they go to their bank to demand a chargeback.

Defending against account takeover fraud can take more time and attention than many busy merchants have, but security experts like the team at Chargeback Gurus can help you implement monitoring and response procedures as part of developing an overarching strategy of fraud and chargeback prevention.

Thanks for following the Chargeback Gurus blog. Feel free to submit topic suggestions, questions or requests for advice to: win@chargebackgurus.com