Cases of Account Takeover Fraud Increased 112%, Victimizing Consumers & Merchants Alike
With EMV migration well-underway in the U.S., and already complete in most of the rest of the world, classic identity theft techniques continue to grow less and less effective. Rather than focusing solely on stealing cardholder information, fraudsters turn to multiple different techniques to maximize their return.
One of the most popular new post- EMV eCommerce fraud attack strategies at the moment is known as: account takeover fraud.
What is Account Takeover Fraud?
As part of an account takeover scheme, a fraudster will use a piece of stolen personal information to attempt to gain access to a private account.
This does not have to be highly-sensitive information in the traditional sense, such as a social security number or PIN code. Fraudsters can commit an account takeover using anything from an email address to a username—any identifier used as part of the validation process can work.
The types of accounts most frequently targeted include:
- Credit Cards
- Bank Profiles
- Brokerage Accounts
- Store Loyalty Accounts
How Do Thieves Steal Account Information?
The criminal can carry out this attack method in a multitude of ways, with varying levels of sophistication. For example, a college student knows his roommate’s email address, guesses the password, logs into a site, and makes purchases.
More sophisticated, seasoned criminals will often employ a botnet—a network of computers infected by malicious software without their owners’ knowledge—in order to perform high-volume, rapid attacks. The bots will either plug-in partial information, or may try commonly-used passwords and usernames, to take over as many accounts as they can on the fraudster’s behalf.
In other cases, fraudsters might employ a keylogger—a type of malware that records which keys are pressed on a computer. Once the keylogger captures a cardholder’s information, the fraudster can use the information to access their account.
Why Do Fraudsters Use Account Takeover Tactics?
According to NuData, this type of fraud attack increased by 112% between 2014 and 2015.
Not only that, but account takeover attacks buck many of the larger fraud trends regarding who commits these crimes. For example, the most common countries of origin for account takeover are typically much more affluent than those for more conventional fraud attacks.
|Top 5 Nations of Origin: Overall Fraud||Top 5 Nations of Origin: Account Takeover Fraud|
|South Africa||Saudi Arabia|
The unpredictability of account takeover fraud, combined with the rapid growth of these attacks, makes it a very alarming trend. But why is account takeover such a popular approach?
Simply put, fraudsters have an opportunity to see a better return on their investment with an account takeover attack.
Criminals Consider ROI, Just Like Any Investor
Criminals who commit fraud using stolen cardholder information typically don’t steal the information themselves. Rather, an identity thief will steal the information, then bundle it with other cardholders’ information and sell these bundles on the black market.
Cardholders tend to notice credit card fraud relatively quickly, and once they cancel a card, the information is worthless to a fraudster.
With account information though, the criminal can simply change the user’s profile to suit their needs. They can reroute any communications sent to the account holder, thereby preventing suspicion and enabling the crime to go on much longer. In a sense, the fraudster is getting “more bang for their buck.”
Risk Factors and Consequences for Victims
Once a fraudster cracks a user’s account, this leaves all of their other important accounts vulnerable, as consumers tend to reuse the same login credentials for an array of accounts. Using the same password for a bank account, credit card account, and PayPal account will leave all three vulnerable.
The stakes are exceptionally high for account takeover fraud when it comes to bank customers. To demonstrate, imagine an individual uses the same login information for their credit card and checking account, and both accounts are thereby hit by account takeover fraud.
The cardholder will be accountable for no more than $50 in liability for the credit card, as guaranteed by federal law. However, if a fraudster were to clean out the person’s checking account, that money is gone, and unfortunately, there is no way to recover it.
At the same time, there are also consequences for merchants who unknowingly conduct transactions with these criminals. Once a cardholder discovers they’ve been the victim of account takeover fraud, the merchant can expect to see a number of chargebacks coming her way.
What Can Be Done?
There are several behaviors and policies both consumers and merchants can adopt to minimize their risks for falling victim to account takeover fraud. Consumers must protect their identity from anyone who would want to steal it while merchants must verify that shoppers are who they claim to be.
As a Consumer:
- Use Unique Passwords for Each Account: This way, even if you are hit by an account takeover, you lessen the chance that the criminals will gain access to all of your accounts, thereby minimizing the damage.
- Balance Your Bank Account Regularly: If you notice any suspicious activity, contact your financial institution immediately.
- Change Important Passwords Frequently: It’s recommended that you change passwords every four to six weeks for any account which carries sensitive information. This includes banking and credit accounts, as well as any eCommerce sites or social media profiles to which your payment information is saved.
- Use a Service like LastPass: LastPass and other comparable services will generate complex usernames and passwords, then store them securely for users.
As a Merchant:
- Use AVS & Delivery Confirmation: AVS compares the delivery address’ zip code against the billing address supplied by the issuer, while Delivery Confirmation shows that the package was delivered to the shipping address.
- Ask for the card security code: Providing this three-digit code suggests that the person using the card probably has the card in his possession.
- Take Advantage of 3D Secure Technology: Cardholders and merchants can opt-in to this program. Essentially a PIN code for card-not-present transactions, 3D Secure asks the cardholder to make up a passcode, which must then be entered for any online sale.
- Turn to Third-Party, Multilayer Solutions: In-house fraud prevention can rarely compete with outsourced resources. However, just one service isn’t enough—merchants need different solutions for different threats, including other criminal fraud attack sources like affiliate fraud and friendly fraud.
Keep in mind that none of the above are foolproof plans. Both merchants and consumers can still be vulnerable to the consequences of an account takeover.
However, by applying due caution, everyone can significantly reduce their risk of being victimized by criminals. Contact Chargebacks911® to learn more about the services we offer.