Last week we touched on the top fraud problems retailers have to deal with. Since then, we’ve heard repeated questions about several of these topics. This week, after seeing many discussions about hacked accounts following PayPal and Lenovo’s password-killer announcement, we’d like to touch on the Account Take-Over problem, or ATO for short.
Retailers have returning customers and in fact, after a while most of the regular purchase volume, outside of promotions and special cases, comes from loyal customers. Part of the convenience offered to customers is the ability to remember, or save, their payment and shipment data in their own account, and sometimes even get rewarded by promotions and gift cards. As a result, many of these accounts hold a lot of value for fraudsters, who target your customers to get their passwords and use their details to make a purchase. Unauthorized use is a big problem and it’s growing fast, especially for larger retailers.
How do you manage and reduce this kind of fraud? Is a retina scan, a fingerprint or another biometric check the answer? While these can reduce fraud, they also create a big challenge for the consumer since they require specific hardware and sign-up processes. Any time retailers and gaming companies have tried to go through a process like this, they have seen very limited success due to cost, and also because you cannot really educate all of your customers and many of them will make very simple mistakes, such as answering phishing emails.
What can be done? In Signifyd, we use advanced modeling to identify who’s involved in a specific purchase, and by that not only approve more purchases but also identify hacked accounts. Let’s look at our top few tips on managing ATO.
- Passwords still rule. Give your customers some basic rules for password strength, and make sure that you store those correctly, in an encrypted file and not plain text (and this is based on experience). Don’t make it too complicated, though: complicated rules yield hard-to-remember passwords that end up either being kept in plain sight so the customer can remember them, or in overuse of the “forgot password” flow.
- Make sure your password recovery flow is secured. Often retailers tackle this by creating a complicated recovery flow that requires additional security questions and a phone call to customer care. That’s not necessarily the case; creating a simple password recovery flow but limiting what actions can be done immediately after recovery limits the risk while not alienating customers.
- Detecting breaches isn’t about having the strongest door. Fraudsters will find a way to tailgate customers through the front door, an open window or a crack in the ceiling. What do you do when they’re already in? One of the great things about these accounts is that you have history: purchases, times of day customers log in, IPs and more. To better detect fraud, look for changes in patterns: connecting from a completely different system, adding an unrelated shipping address, logging in and buying at completely new hours and days.
- Remember that a change of pattern is not always bad. Soldiers get deployed, workers go on vacation and kids go to school. Whenever you detect a change of pattern, look at it to understand whether it makes sense or not; many of those do, and will allow you to approve purchases your competitors cannot.
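One way to turn the last three tips (a restricted window after password recovery, pattern-change detection against account history, and review rather than automatic decline when a pattern changes) into code, as an added example that is not Signifyd's model or code; the event fields, the 4-hour threshold and the 24-hour post-recovery window are assumptions:

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

@dataclass
class Event:
    ts: datetime
    ip_prefix: str   # first three octets of the client IP (assumed field)
    device: str      # device/browser fingerprint id (assumed field)
    ship_addr: str

@dataclass
class Account:
    history: List[Event]                     # prior legitimate purchases
    recovered_at: Optional[datetime] = None  # last "forgot password" reset

RECOVERY_WINDOW = timedelta(hours=24)   # assumed: restrict changes for a day after reset

def hour_gap(hour, seen_hours):
    """Smallest circular distance in hours between hour and any hour seen before."""
    return min(min(abs(hour - h), 24 - abs(hour - h)) for h in seen_hours)

def pattern_signals(acct, ev):
    """List the ways this purchase departs from the account's own history."""
    hist = acct.history
    signals = []
    # Unknown device AND unknown network: a completely different system
    if ev.device not in {h.device for h in hist} and ev.ip_prefix not in {h.ip_prefix for h in hist}:
        signals.append("new_system")
    if ev.ship_addr not in {h.ship_addr for h in hist}:
        signals.append("new_ship_addr")
    if hour_gap(ev.ts.hour, {h.ts.hour for h in hist}) > 4:
        signals.append("new_hours")
    if ev.ts.weekday() not in {h.ts.weekday() for h in hist}:
        signals.append("new_day")
    # Shipping somewhere new right after a password reset is the recovery-flow risk
    if acct.recovered_at and timedelta(0) <= ev.ts - acct.recovered_at < RECOVERY_WINDOW \
            and "new_ship_addr" in signals:
        signals.append("addr_change_after_recovery")
    return signals

def decide(acct, ev):
    """Return (decision, signals); a pattern change alone never auto-declines."""
    signals = pattern_signals(acct, ev)
    if "addr_change_after_recovery" in signals:
        return "hold", signals     # verify the customer before shipping to the new address
    if "new_system" in signals and "new_ship_addr" in signals:
        return "review", signals   # takeover-shaped; a person checks whether it makes sense
    return "approve", signals      # deployments and vacations still get approved

# Constructed history: three Monday-evening purchases from one device and network
HISTORY = [Event(datetime(2015, 3, d, 20), "203.0.113", "dev-A", "12 Main St") for d in (2, 9, 16)]
```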
Having a strong enough front door and boosting pattern recognition – for both good and bad pattern detection – will get you through most of the challenges when dealing with ATO. Using Signifyd’s graph traversal technology, specifically focused on pattern recognition and analysis, we’ve seen ATO drop by up to 80% in some cases.