In 2019, the average American had 27 online accounts that require passwords. Today, that number is likely even higher — as Covid forced the world to shut down, it sped up digital adoption, forcing people to become more comfortable with conducting transactions online out of pure necessity.
The move to digital has made many tasks more convenient (why visit a physical bank when you can open an account or deposit a check online?). However, it has also opened up more opportunities for fraud — in particular, account takeover fraud.
Like most types of fraud, account takeover fraud doesn’t just impact your customers — it can also impact your business reputation. In this guide, we’ll cover everything you need to know about account takeover fraud, from what it is, to why it’s so serious, to how to protect your business and customers.
What exactly is account takeover fraud?
Account takeover (ATO) fraud is a type of identity theft where a bad actor poses as a genuine customer to gain control of (take over) an online account, make unauthorized transactions and changes, and/or sell the verified credentials.
ATO fraud is especially serious for two reasons:
ATO fraud is hard to catch.
With credit card fraud, it’s easy to log into your account, notice fraudulent charges, and dispute them. Many credit card companies even keep an eye out and proactively alert you of suspicious charges.
ATO fraud is much trickier because once bad actors log into your account, they often change the account information (username, password, email, etc.) so you won’t be notified and can no longer log in and see what’s going on. Because of this, Javelin reports that it takes the average ATO victim around 16 hours (and $290) to resolve account takeover identity theft.
Account takeover scams are also hard to catch because many of the actions bad actors take are ones legitimate users take too. People move and get new phone numbers all the time, so it can be hard to tell when someone malicious has taken control.
ATO fraud can span across multiple accounts.
According to Google, around two thirds of consumers reuse passwords across accounts. This means once a fraudster gets into one account, they may be able to commit identity theft across other platforms.
For example, if a bad actor takes over your bank account, they may be able to access your email, mobile wallets, airline rewards, government benefits, social media accounts, and more. And if that isn’t scary enough, they may also be able to glean different pieces of information (birthday, address, answer to security questions, etc.) and take over even more accounts or create new accounts as “you.” And just like that, the fraudster now has the keys to dozens more accounts. With just one set of credentials, your entire online persona can be hacked and transformed before you notice there’s anything wrong.
Account takeover identity theft is also common today because virtually every app or website is accessible via the “sign in with Facebook” button, meaning one username and password combination often unlocks dozens more. And while password managers like 1Password or Okta eliminate the necessity of remembering various passwords, the solution is still, simply, a password — a static identification metric that is easily compromised.
How common is ATO fraud?
In 2019, Javelin wrote that “fraudsters have turned their attention to opening and taking over accounts.” Unfortunately, ATO fraud is on the rise, and the statistics aren’t encouraging:
- ATO grew 282% from 2019 to 2020.
- 64% of financial institutions are seeing more ATO fraud attacks than pre-Covid.
- ATO likely causes anywhere from $5 billion to $25 billion each year in fraud losses.
- According to Verizon, the number one way criminals gain access to accounts is through stolen credentials, with 29% of all breaches using stolen credentials.
How does account takeover fraud occur?
Whenever data breaches occur, the stolen information — which often includes usernames and passwords — typically gets sold on the dark web in bulk to fraudsters. Some sources estimate that there are 15 billion credentials on the dark web — which makes sense given 1.5 billion records were exposed in the United States in 2019 alone. Alternatively, some criminals use malware, phishing, fake websites, or man-in-the-middle attacks to obtain user credentials.
After getting hold of this information, bad actors often use bot attacks and credential stuffing tools to quickly verify the stolen login credentials — sometimes making it look like their login attempts are coming from different IP addresses to bypass security systems. According to Forter, “bots are capable of performing upwards of 100 attacks per second, making it easier and faster for fraudsters to commit nearly limitless account takeover.”
Why does account takeover fraud matter to my business?
When fraudsters perform account takeovers, they usually attack personal — not corporate — accounts. However, ATO fraud could cost your company money as well. For example, if the affected user disputes the fraudulent transactions, you may be held liable. In fact, US businesses lost around $5 billion in 2017 due to account takeovers.
Additionally, ATO fraud incidents can damage your reputation and make it hard to attract and retain customers. Trust is arguably the most critical commodity for consumer companies today. If that line of trust is broken, you’re not just losing money — you’re losing future customers and brand loyalty. According to Twilio, 86% of consumers said they’d stop using a business if their account was compromised.
How can I prevent account takeover fraud?
It’s clear that passwords aren’t enough to secure accounts… and neither is knowledge-based authentication (KBA) for that matter, as answers to security questions are often leaked and/or researchable.
Don’t wait until you see a bunch of chargebacks, transaction disputes, unsuccessful login attempts, password reset requests, and unfamiliar transactions. While account takeover prevention probably isn’t completely possible, there are a few ways you can protect your business and users. The key to account takeover protection is implementing multiple security measures, including:
Practical account protection measures
There are a few practical measures you can enforce, such as:
- Requiring new users to create strong passwords
- Offering and encouraging multi-factor authentication
- Limiting the number of login attempts allowed within a set time period
- Notifying users about account changes and requiring them to verify each change
Establishing a baseline
If you know how your customers usually act, it may be easier to spot abnormalities. Have your system alert you to suspicious activity, such as multiple accounts suddenly changing their details, accounts logging in from unknown devices, or several accounts beginning to log in from the same device.
Of course, this isn’t a foolproof means of protecting your business — someone sending their purchase to another address could just be sending their loved one a gift, and multiple accounts from the same device could indicate a family really loves your company. However, it never hurts to investigate.
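As an added illustration (not Persona's code and not part of the original post), the detector below runs over a constructed login log and raises the signals described above: too many failed logins within a window, a login or detail change from a device outside the account's baseline, and one device reaching into many accounts. The event format, the two-day baseline window and the thresholds are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample auth log (not real data): (timestamp, account, device_id, event)
EVENTS = [
    ("2024-01-01T09:00:00", "alice", "dev-A1", "login_ok"),
    ("2024-01-01T09:05:00", "bob", "dev-B1", "login_ok"),
    ("2024-01-01T09:10:00", "carol", "dev-C1", "login_ok"),
    # Day 3: a burst of failed logins on bob's account from an unfamiliar device...
    ("2024-01-03T11:00:00", "bob", "dev-X9", "login_fail"),
    ("2024-01-03T11:00:10", "bob", "dev-X9", "login_fail"),
    ("2024-01-03T11:00:20", "bob", "dev-X9", "login_fail"),
    # ...then that device logs into several accounts and changes their details.
    ("2024-01-03T11:01:00", "bob", "dev-X9", "login_ok"),
    ("2024-01-03T11:02:00", "bob", "dev-X9", "profile_change"),
    ("2024-01-03T11:03:00", "carol", "dev-X9", "login_ok"),
    ("2024-01-03T11:04:00", "carol", "dev-X9", "profile_change"),
    ("2024-01-03T11:05:00", "alice", "dev-X9", "login_ok"),
]

MAX_FAILS = 2                     # failed logins tolerated per account per window (assumed)
FAIL_WINDOW = timedelta(minutes=5)
SHARED_DEVICE_LIMIT = 2           # distinct accounts per device before alerting (assumed)

def detect_ato_signals(events, baseline_days=2):
    """Return (timestamp, account, signal) alerts. Logins during the first
    `baseline_days` build each account's known-device set; later activity is
    compared against that baseline."""
    alerts, known = [], defaultdict(set)
    fails = defaultdict(deque)          # account -> recent failure timestamps
    device_accounts = defaultdict(set)  # device -> accounts seen logging in from it
    start = datetime.fromisoformat(events[0][0])
    for ts_str, account, device, event in events:
        ts = datetime.fromisoformat(ts_str)
        if event == "login_fail":
            q = fails[account]
            q.append(ts)
            while ts - q[0] > FAIL_WINDOW:  # drop failures outside the window
                q.popleft()
            if len(q) > MAX_FAILS:
                alerts.append((ts_str, account, "too_many_failed_logins"))
        elif event == "login_ok":
            if ts - start < timedelta(days=baseline_days):
                known[account].add(device)
            elif device not in known[account]:
                alerts.append((ts_str, account, "login_from_unknown_device"))
            device_accounts[device].add(account)
            if len(device_accounts[device]) > SHARED_DEVICE_LIMIT:
                alerts.append((ts_str, account, "device_shared_across_accounts"))
        elif event == "profile_change" and device not in known[account]:
            alerts.append((ts_str, account, "profile_change_from_unknown_device"))
    return alerts
```

Because a shared device can be a family and a new address can be a gift, the output is a list of signals to investigate, not a block decision.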
The problem with ATO fraud is it’s hard to tell who’s behind the screen, i.e. if the person trying to log in and make changes is really who they say they are. This is why it’s important to verify identities both when someone is opening an account and when they want to take a major action, such as withdrawing money or changing a password.
At Persona, we offer identity infrastructure that allows you to build the ideal solution for your specific use cases and customers, helping you verify and reverify real users while deterring bad actors. Our solution is:
- Holistic: We offer one of the industry’s widest ranges of verification components, allowing you to verify identities however you want — whether that’s via government IDs, biometric selfies, authoritative databases, reports, third-party signals, or all of the above.
- Customizable: Your business is unique, so your risk tolerance and approach to keeping customers safe will differ from every other business. With Persona, you can tailor everything from the look and feel of the verification experience to how many times users can attempt verification.
- User-friendly: We built Persona with your end-users in mind. Identity verification can be intimidating, so we walk them through the process, use auto-capture to minimize errors, and make it easy to switch devices. Best of all, most verifications take around five seconds, so it won’t add a ton of friction and scare them off.
Want to learn more about how Persona can help protect your business and customers from account takeover fraud? Contact us, and we’d love to chat.