Payten

Battling ATO fraud is not an easy task, but there are ways to identify potential threats. Fraudsters are continuously evolving and finding new ways to execute their attacks. Although detecting such fraud seems like a daunting task, there are some known best practices regarding ATO fraud detection.


Account Takeover Fraud

Account Takeover Fraud (ATO) happens when a fraudster uses somebody else's credentials to gain unauthorized access to an account and uses it to their own advantage. The fraudster monetizes the account by either transferring funds, making unauthorized purchases, or selling the account data elsewhere. The main problem with this particular type of fraud is that the credentials used for taking over one account are usually used to access multiple other accounts, which causes that much more damage. This makes it distinct from card-not-present fraud, where only one relationship is endangered. A more detailed overview of account takeover fraud is available in our recent blog post.

How to spot an account takeover attack?

ATO fraud is an emerging type of fraud targeting customers' accounts that hold valuable information such as saved credit cards, private information, loyalty points, etc. In this way, the fraudster is able to monetize the account by either stealing the funds or stealing the account data and reselling it on the dark web.

Account takeovers are extremely harmful to the business. Not only do they cause chargebacks and ruin their chargeback rates, but they have a detrimental effect on the company's reputation and customer loyalty.

Even though we are dealing with a type of fraud that is incredibly hard to detect, we gathered best practices regarding ATO fraud detection. Watch out for these telltale signs of an ATO attack, and protect your business and your customers.

1. Educate your customers and staff

Users and companies who have account-based websites are the prime targets for fraudsters. A common technique of taking over an account is phishing. For instance, the victim receives a legitimate-looking email containing a link leading to a familiar site that requires login. The unsuspecting victim enters their credentials, while the fraudster on the other side of the screen is harvesting their usernames and passwords. Regularly educate both your customers and staff regarding online security threats such as this one. Be proactive about security measures and implement best practices such as regular changes of user passwords and tips on how to protect user credentials.

2. Well-informed customer support staff

Fraudsters are no strangers to contacting the call center of a company directly in order to get more information about sensitive data necessary for login. Train your staff to ask questions that are specific, i.e., questions that only a legitimate account holder could know the answers to.

3. Multiple accounts having the same account details

When a fraudster takes over an account, their goal is to keep it. In order to do that, they need to change specific details necessary for the account recovery process, such as email or mobile phone number. If you notice multiple accounts having the same account details listed, e.g., mobile phone number, the chances of fraudulent activity are pretty high.

4. Monitor customer behaviour

By observing the account history, you are able to detect certain anomalies in customer behaviour. If a user suddenly spends an amount larger than the usual or places a suspicious number of orders in a short period of time, investigate further and see if any of the account details have been recently changed. If yes, that might indicate an ATO attack.
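The check described above can be sketched as follows. This is an added example, not code from the original article; the record layout, the thresholds (three times the median order, three orders within an hour, a seven-day lookback for detail changes) and the sample data are assumptions.

```python
from datetime import datetime, timedelta
from statistics import median

# Constructed sample data: (account, ISO timestamp, order amount)
ORDERS = [
    ("alice", "2021-03-01T10:00", 40.0), ("alice", "2021-03-09T18:30", 55.0),
    ("alice", "2021-03-20T12:15", 35.0), ("alice", "2021-04-11T02:10", 620.0),
    ("bob", "2021-03-05T11:00", 300.0), ("bob", "2021-03-15T11:00", 280.0),
    ("bob", "2021-03-25T11:00", 310.0), ("bob", "2021-04-10T11:00", 950.0),
    ("carol", "2021-04-01T09:00", 20.0), ("carol", "2021-04-12T14:00", 25.0),
    ("carol", "2021-04-12T14:10", 22.0), ("carol", "2021-04-12T14:20", 24.0),
]
# Constructed sample data: (account, ISO timestamp, field changed)
DETAIL_CHANGES = [("alice", "2021-04-10T23:55", "email"),
                  ("carol", "2021-01-02T08:00", "password")]

def flag_orders(orders, changes, factor=3.0, min_history=3, burst=3,
                burst_window=timedelta(hours=1), lookback=timedelta(days=7)):
    """Return (account, timestamp, reasons, verdict) for anomalous orders."""
    changed = {}
    for acct, ts, field in changes:
        changed.setdefault(acct, []).append((datetime.fromisoformat(ts), field))
    history, findings = {}, []
    for acct, ts, amount in sorted(orders, key=lambda o: o[1]):
        when = datetime.fromisoformat(ts)
        past = history.setdefault(acct, [])
        reasons = []
        # Amount anomaly: far above this account's own median order so far.
        amounts = [a for _, a in past]
        if len(amounts) >= min_history and amount > factor * median(amounts):
            reasons.append("amount")
        # Burst anomaly: too many orders inside a short window.
        recent = [t for t, _ in past if when - t <= burst_window]
        if len(recent) + 1 >= burst:
            reasons.append("burst")
        past.append((when, amount))
        if reasons:
            # Corroborate: were account details changed shortly before?
            fields = [f for t, f in changed.get(acct, [])
                      if timedelta(0) <= when - t <= lookback]
            verdict = "likely_ato" if fields else "review"
            findings.append((acct, ts, reasons, verdict))
    return findings
```

Only the order that follows a fresh email change is escalated; the other two anomalies stay at manual review.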

5. Implement backend monitoring

Another way of protecting your business and your customers is by implementing backend monitoring. Detect fraudulent activity regarding suspicious IP addresses and analyze timestamp data transfers. This enables you to identify whether a fraudster is trying to intercept any communication happening between the site form and the backend of the website.  

6. Multiple accounts – same device

Sometimes, fraudsters tend to be lazy and they don't mask their device data. They carelessly log in to multiple accounts, and the recorded activity shows the same device number, the fraudster's. Keep an eye on this one, but don't be alarmed too quickly because family members and work colleagues often share the same device. Look for more clues in order to make sure that you are witnessing an ATO attack.
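Signs 3 and 6 can be checked together by linking accounts that share a phone number, email or device. The sketch below is an added example, not code from the original article; the record layout, the sample accounts and the rule that a shared device alone only rates "watch" are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample data: account -> recovery details and devices seen at login
ACCOUNTS = {
    "u1001": {"phone": "+385 91 555 0101", "email": "ana@example.com", "devices": {"dev-A"}},
    "u1002": {"phone": "+385 91 555 0199", "email": "SHARED.BOX@example.net", "devices": {"dev-X"}},
    "u1003": {"phone": "385915550199", "email": "marko@example.com", "devices": {"dev-X", "dev-B"}},
    "u1004": {"phone": "+385 91 555 0142", "email": "shared.box@example.net ", "devices": {"dev-X"}},
    "u1005": {"phone": "+385 91 555 0170", "email": "iva@example.com", "devices": {"dev-A"}},
}

def normalise(kind, value):
    """Make equal details compare equal despite formatting differences."""
    if kind == "phone":
        return re.sub(r"\D", "", value)
    return value.strip().lower()

def shared_detail_clusters(accounts):
    """Group accounts linked by a shared phone, email or device."""
    index = defaultdict(set)
    for acct, rec in accounts.items():
        for kind in ("phone", "email"):
            index[(kind, normalise(kind, rec[kind]))].add(acct)
        for dev in rec["devices"]:
            index[("device", dev)].add(acct)
    parent = {a: a for a in accounts}
    def find(a):  # union-find root lookup with path halving
        while parent[a] != a:
            parent[a] = parent[parent[a]]
            a = parent[a]
        return a
    links = {key: m for key, m in index.items() if len(m) > 1}
    for members in links.values():
        first, *rest = sorted(members)
        for other in rest:
            parent[find(other)] = find(first)
    clusters = defaultdict(lambda: {"accounts": set(), "signals": set()})
    for (kind, _), members in links.items():
        cluster = clusters[find(next(iter(members)))]
        cluster["accounts"] |= members
        cluster["signals"].add(kind)
    out = []
    for cluster in clusters.values():
        # Shared recovery details are the strong sign; a shared device alone
        # may be a family or office machine, so it only rates "watch".
        strong = cluster["signals"] & {"phone", "email"}
        out.append((sorted(cluster["accounts"]), sorted(cluster["signals"]),
                    "high" if strong else "watch"))
    return sorted(out)
```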

7. Pay attention to device spoofing

Staying on the same topic, there are also fraudsters who mask their device data by using device spoofing. Usually, if they implement device spoofing, the device details show up as "unknown". There is a pattern where the victim's accounts are usually connected to more "unknown" devices than legitimate ones where you are able to see the exact device model. Look out for this one!

8. Multiple IP address countries

Following a data breach, multiple user credentials are published/purchased on the dark web. That also means that fraudsters are trying to log in to the user account using that fresh information. Since they can't possibly know the exact location of each customer, they also can't match their IP address country to fit the profile. Observe accounts that have an unusually high number of IP address countries connected to them. It is a sign of an account takeover attack.
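Signs 7 and 8 both come down to a per-account login profile. The following is an added example, not code from the original article; the log layout, the sample records and the thresholds (at least three countries and more than twice the median across accounts, more "unknown" logins than distinct known device models) are assumptions.

```python
from collections import defaultdict
from statistics import median

# Constructed sample login records: (account, IP country, reported device model)
LOGINS = [
    ("u2001", "HR", "iPhone 11"), ("u2001", "HR", "iPhone 11"),
    ("u2001", "SI", "iPad Air"),
    ("u2002", "HR", "Pixel 4"), ("u2002", "BR", "unknown"),
    ("u2002", "VN", "unknown"), ("u2002", "US", "unknown"),
    ("u2002", "IN", "unknown"),
    ("u2003", "DE", "Galaxy S10"), ("u2003", "DE", "unknown"),
    ("u2004", "HR", "unknown"), ("u2004", "HR", "unknown"),
    ("u2004", "HR", "Pixel 4"),
]

def login_profiles(logins, min_countries=3, factor=2.0):
    """Flag accounts with unusually many IP countries or mostly unknown devices."""
    countries = defaultdict(set)   # account -> distinct IP countries
    unknown = defaultdict(int)     # account -> logins with no device model
    known = defaultdict(set)       # account -> distinct identified models
    for acct, country, model in logins:
        countries[acct].add(country)
        if model.strip().lower() in ("", "unknown"):
            unknown[acct] += 1
        else:
            known[acct].add(model)
    # "Unusually high" is judged against the whole customer base.
    typical = median(len(c) for c in countries.values())
    report = {}
    for acct in sorted(countries):
        flags = []
        n = len(countries[acct])
        if n >= min_countries and n > factor * typical:
            flags.append("many_countries")
        if unknown[acct] > len(known[acct]):
            flags.append("mostly_unknown_devices")
        if flags:
            report[acct] = flags
    return report
```

An account that trips both flags deserves attention first; one flag on its own is a reason to look for further clues.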

9. Detect credential stuffing

As mentioned earlier, a data breach results in a multitude of user credentials ending up on the dark web. When fraudsters get a hold of those credentials, they use credential stuffing in order to quickly check if any of the purchased usernames and passwords actually work. Detecting it means tracking both the technical and the behavioural signs of bot activity.
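One way to track both kinds of sign over authentication logs is sketched below. It is an added example, not code from the original article; the event layout, the documentation-range IP addresses, the sample events and the thresholds are assumptions.

```python
from collections import defaultdict, deque
from statistics import pstdev

# Constructed sample events: (epoch seconds, source IP, username, success)
EVENTS = (
    [(1000 + 2 * i, "203.0.113.7", f"user{i:03d}", i == 11) for i in range(20)]
    + [(1005, "198.51.100.20", "ana", False),
       (1030, "198.51.100.20", "ana", False),
       (1090, "198.51.100.20", "ana", True)]
    + [(1000 + 50 * i, "192.0.2.44", f"staff{i}", True) for i in range(6)]
)

def detect_stuffing(events, window=60, min_users=10, min_fail_ratio=0.8):
    """Return {ip: stats} for sources that try many accounts and mostly fail."""
    recent = defaultdict(deque)   # ip -> attempts inside the sliding window
    worst = {}
    for ts, ip, user, ok in sorted(events):
        q = recent[ip]
        q.append((ts, user, ok))
        while q and ts - q[0][0] > window:
            q.popleft()
        # Technical sign: one source cycling through many usernames and failing.
        users = {u for _, u, _ in q}
        ratio = sum(1 for _, _, s in q if not s) / len(q)
        if len(users) >= min_users and ratio >= min_fail_ratio:
            prev = worst.get(ip)
            if prev is None or len(users) > prev["distinct_users"]:
                # Behavioural sign: machine-like, evenly spaced attempts give a
                # spread of inter-arrival gaps close to zero.
                times = [t for t, _, _ in q]
                gaps = [b - a for a, b in zip(times, times[1:])]
                worst[ip] = {"distinct_users": len(users),
                             "attempts": len(q),
                             "fail_ratio": round(ratio, 2),
                             "gap_spread": round(pstdev(gaps), 2)}
    return worst
```

The customer who mistypes a password twice and the office network with several successful logins are both left alone; only the source that walks through twenty usernames at a fixed two-second cadence is reported.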

10. Fraudster behaviour

We mentioned the necessity to track customer behaviour, but if an attacker is behind the observed activity, we are talking about fraudster behaviour. The (un)fortunate course of events is pretty predictable, and it is the following:

11. Multiple accounts changing details at once

Upon taking over an account, fraudsters tend to leave the details untouched for some time. They gained access and will take care of the rest later. But if there is a notification sent to the user, alerting them about suspicious activity, fraudsters end up in panic mode. They rush to change details such as email and password in order to keep the stolen account. Track these changes triggered by a security alert. Password reset requests might soar.

12. Look out for suspicious loyalty program activity

Loyalty points are often overlooked by legitimate users and remain untouched. But one man's trash is another man's treasure. Fraudsters often target accounts solely because of loyalty programs. Stay alert and track if there is any sudden activity involving the use of loyalty points.

With account takeover attacks, timing is crucial. It is extremely important to stop the attack in the earliest stage of the fraud lifecycle. By continuous monitoring of account history and customer behaviour, it is possible to detect anomalies and extract activities that do not match previous patterns. The best practices mentioned above, accompanied by Strong Customer Authentication (SCA) and 3D Secure technology, promise the highest level of security.


Need help with 3D Secure? Contact us at [email protected] to get a free, zero-obligation consultation or try our DEMO to see 3D Secure in action.


© Asseco South Eastern Europe 2021. All rights reserved