iovation has seen a 220% increase in reported e-commerce account takeover (ATO) attacks over the last 12 months. Why the big jump? Fraudsters have become more sophisticated in their attack methods. They are using social engineering, bots, and phishing attacks, to name a few methods.
With this alarming increase in ATO, e-commerce companies are more vulnerable than ever to damaging customer relationships, destroying brand reputation and did we mention chargebacks? What is the solution? How can you stop and prevent ATO?
Join Angie White, e-commerce fraud expert at iovation, as she deconstructs the rise of ATO and the impacts on your business. She will dive into why device reputation matters and how implementing a customer-friendly authentication solution is key to a successful fraud-prevention strategy.
Key takeaways:
- The impacts of ATO on the e-commerce industry
- ATO attack methods and trends
- How to prevent and stop ATO
- How to balance customer experience with fraud prevention
IMPACTS OF ATO ON E-COMMERCE
Loss of brand reputation
Regulatory non-compliance
Damage to customer relationships
Cost of lost goods and chargebacks
The cost of ATO fraud tripled last year, reaching an estimated $5.1 billion in the U.S. [1]
Identity theft victims hit 16.7 million in 2017. [6]
Fraud isn’t Just a Business Problem. It’s a Customer Experience Problem.
E-commerce chargebacks due to fraud are expected to reach $30 billion by 2020. [3]
False declines are valued at $118 billion per year. [2]
Consumers spend 16 hours on average resolving issues after their account is taken over. [4]
44% of shoppers said they will never buy from a retailer again after a data breach. [5]
(Slide panels: Business Impact; Consumer Impact)
Sources: [1] 2017 SalesCycle Report; [2] MasterCard targets rising number of false declines; [3] TotalRetail, 5 Ways E-Commerce Merchants Can Combat Identity Fraud; [4] Javelin 2018 Identity Fraud: Fraud Enters a New Era of Complexity; [5] TransUnion 2018 Retail Consumer Survey Insights; [6] 2018 Identity Fraud Study, Javelin Strategy & Research
ATO ATTACK METHODS
Phishing Attacks
Credential Stuffing
Social Engineering
Malware, Bots, Spyware
SIM Swapping
Data breaches were up 45% in 2017
Source: Identity Theft Resource Center 2017 Annual Data Breach Year End Review
SYMPTOMS OF AN ATO ATTACK
Use of VPNs or proxy servers
Using an older browser or operating system
Geolocation mismatches
High velocity of login attempts from one device
Changing account details such as ship to address
REAL COST OF AN ATO ATTACK
One device: 2,500 accounts; $75K in wages; 5,000 man hours to repair; $5,000 in chargebacks; brand reputation ($$$)
Source: iovation Customer Case Study
Do you need this much assurance? Or this much assurance?
Σ Risk mitigation by authentication challenges = (probability of compromise) × (impact)
ATO Case Study
Attack Method: Social engineering through dating sites
Business Losses:
• Thousands in lost merchandise
• Payment chargebacks
• Lost revenue from service cancellations
• First attempted auth solution resulted in increased call center volume and complaints
Benefits:
• Stopped account takeovers
• Improved login experience, increased customer satisfaction
• Reduced call center volume
DEVICE-BASED AUTHENTICATION
Transparent and Frictionless
• SIMPLIFY access for good users
• LOWER barriers to usage
• IMPROVE customer experience
Context and Risk
• UNDERSTAND context around device
• SEE risk indications before it’s too late
• DETECT attempts to evade recognition or mask identity
Adaptive and Dynamic
• DYNAMICALLY react to changes in risk
• DELIVER the right level of assurance
• MINIMIZE account takeovers
LAUNCHKEY
UNIFIED, SIMPLIFIED AND PERSONALIZED MFA FOR ANY MOBILE APP
LAUNCHKEY AUTHORIZATION CAPABILITIES
Real-time authorization
Single-party or multi-party
Web or call center offline workflows
MFA BENEFITS
Simple, Unified Experience
• UNIFY experience across all touchpoints
• REDUCE friction from multiple experiences
• IMPROVE usability with every login
Secure by Design
• REMOVE credential stores that can be compromised and exfiltrated
• LOCK DOWN with top grade cryptography
• ALIGN with standards like OAuth and OpenID
Customizable for Any App
• WHITE-LABEL functionality
• BUILD FAST with APIs for any platform
• CHOOSE from a number of interactive or passive authentication options
COMBATING ATO
Automated Screening: Relying on the Right Set of Tools
Use the device as the 2nd Factor of authentication and challenge only when necessary
Give Customers Confidence to Purchase
Provide the account protection that customers demand without adding friction
Working with Peers to Stop Known Threats
A shared intelligence source to stop known fraud across industries and geographies
Importance of Protecting Against Account Takeover
Recognise and assess risks currently unseen at device level in real-time
Join the chargebacks experts, Chargebacks 911, and fraud experts, iovation, as we discuss combatting 1st party chargebacks and 3rd party fraud without increasing false positives.
YOU’LL LEARN ABOUT:
• Problems that arise during the chargeback process.
• The importance of utilizing fraud systems pre- and post-transaction.
• Providing defensible evidence to win chargeback disputes.
• Identifying and stopping repeat 3rd party fraud offenders.
• Combining the power of iovation and Chargebacks 911 to mitigate overall losses.
Date: February 12, 2019
Time: 10 AM PST
Keeping Your Fraud Prevention Resolutions
Editor's Notes
Thank you Wendy, and thank you to everyone for joining us today. We appreciate you taking the time; I know this is a really busy time of year for most. This is a really interesting topic. Account takeover isn’t a new phenomenon, it’s been around for years, but its rapid increase in e-commerce is newer. So today we’re going to look at some of the drivers of this increase, how criminals infiltrate accounts, and what you can do to better protect customers without degrading the shopping experience.
Before we do that, let’s just level set on the definition of account takeover, or ATO. Account takeover is when a known, good customer’s account is breached for the purpose of committing fraud. Account takeover, as I said before, is not a new phenomenon; this is something online banks, credit issuers and even gaming sites have dealt with for years, but it historically hadn’t been a large problem in e-commerce. Until recently.
We were hearing from a number of our retail customers that this was a growing problem for them, so we looked at confirmed fraud reports for account takeover in e-commerce from August 2017 to August 2018. In that period we saw a 220% increase.
So why the big increase? To begin with, retailers are moving away from guest checkout, adding persistent accounts and dedicated apps to meet rising customer expectations. This brings a lot of benefits, allowing retailers to expedite the checkout process and giving more identity assurance. It also had the unintended consequence of opening the door to account takeover.
A recent report found that retailers that have both mobile sites and apps are seeing, on average, two-thirds of their online sales coming from mobile devices: 44% in-app and 23% from the mobile web, with the remaining 33% from desktop. It also found that conversion rates are 3x higher for mobile apps than for the mobile web. With such high conversion rates, you’ll likely see more retailers launching dedicated apps, creating a new target for cybercriminals.
Source: https://marketingland.com/retailers-shopping-apps-now-see-majority-e-commerce-sales-mobile-234931
The impacts of ATO reach far beyond just the cost of the lost goods and chargebacks. It can cause lasting damage to customer relationships and loss of brand reputation with current and future customers, and it could also put you into non-compliance with many new regulations such as the GDPR and PSD2.
Let’s dig into some of the costs of ATO from both a business and a customer perspective. I think one of the most interesting points is that it takes consumers an average of 16 hours to resolve issues after their account is taken over. That’s a lot of time for busy shoppers to have to devote to proving that they’re not a criminal. Which is why it’s not surprising that 44% of shoppers said they would never buy from a retailer again after a data breach.
You need solutions that simultaneously:
Increase security
Establish confidence
Provide outstanding online experiences
55% of respondents said additional identity validation requirements during the checkout process are viewed positively and make them more likely to continue their purchase.
At least 16 separate security breaches occurred at retailers from January 2017 until now. Many of them were caused by flaws in payment systems, either online or in stores. - https://www.businessinsider.com/data-breaches-2018-4
Data breaches were up 45% in 2017. With the flood of stolen credentials and personal data available on the dark web, fraudsters are using that data to perpetrate ATO through a variety of tactics.
Credential Stuffing - According to Verizon’s 2017 Data Breach Investigations report the number of data breaches involving stolen or weak passwords has gone from 50 per cent to 66 per cent to 81 per cent during the past three years. This alarming trend clearly illustrates that today’s security isn’t working. Source: https://www.cso.com.au/mediareleases/29642/hacked-passwords-cause-81-of-data-breaches/
Social Engineering - Case study on ATO: https://drive.google.com/file/d/1G4C0IqUSTUsIm4oYLk0plsqPbMy7SB7P/view?ts=5b906058
SIM Swapping – Recent
As you can see, there is a very close correlation between rising consumer complaints about fraud and ID theft and the number of data breaches.
2,500 accounts accessed from a single device.
Those 2,500 accounts had made us 50k in revenue before the attempted compromise.
If those accounts had been compromised:
Restoring 1 account (processing emails, returning it to its "original state" and keeping the customer happy) equaled 2 hours of work
2 hours of work × $15/hour = $30
$30 × 2,500 accounts = $75,000
We would have received chargebacks and lost revenue had we been unable to stop the attacks, even if we returned the accounts to their "original" state.
Brand Reputation - In terms of customer trust lost and brand damage, ATO can be a nightmare for companies. Collectively, victims spent 20.7 million hours resolving ATOs in 2016, according to data from Javelin Strategy & Research.
Your challenge is stopping ATO without deteriorating the customer experience and thus increasing cart abandonment.
WordStream’s conversion rate analysis gives an overall conversion rate of 2.35%. However, the top 25% of companies convert at 5.31% and the top 10% at 11.45%.
In a well designed system you can incorporate risk signals to tailor the level of authentication to the riskiness of the transaction. For instance, if a customer is logging in from a known device and just wants to view their balance, that’s a low risk transaction. But if the same customer logs in from a new, unknown device and wants to transfer $10,000 out of their account, that’s a much riskier transaction. This is why risk insight is so important. Not only will it allow you to apply the right level of authentication based on risk insight, it’ll also help you create a better user experience.
Device based authentication isn’t reliant on personal data that has likely been breached, and is very low friction for customers.
Refer back to case study
Stops fraud in real-time based on context, behavior, location
Device, account, and fraud reports across subscriber and industry
Global view of fraud
Search & reporting for assisting with fraud forensics
After initial integration, fraud rules can be easily modified without additional coding
MFA uses three factors:
Knowledge factor – something you know, e.g. a password, the PIN for your ATM card or a knowledge-based question
Possession factor – something you have
Inherence factor – something you are, e.g. facial recognition, a thumbprint or your heartbeat
Do you want to have to manage these different factors within different systems, or would you rather drive all authentication through one fully configurable experience?
We’re still missing a piece with all of this, the customer. So how can we make this all easier on the customer?
ATO occurs when a fraudster exploits a customer’s personal information, stored with a merchant, to take control of an existing account or establish a new one, and then uses the account to make unauthorized transactions. Look for retailers with recurring or subscription payments.
Automation
Finding the right tools to automatically screen for fraud is key to achieve the right balance among minimizing losses, maximizing revenues, and controlling costs. Businesses can lower their fraud losses by deploying accurate, automated detection, and avoid unnecessary overhead by saving manual review for only the most ambiguous orders. During the automated screening process, a combination of tools—including validation services, proprietary data, multi-merchant data, and device tracking—is typically applied to determine the likelihood of fraud.