Handling Holiday Horrors: Account Takeover Fraud

Published by BMT Micro on


Fraud can truly be a horrible nightmare for online businesses, especially as the holiday season approaches. The season is almost always the most profitable time of the year for online businesses. Unfortunately, with more than $3.5 billion lost to online fraud each year, it is also a prime time for fraudsters to attack.

As we mentioned in our previous blog, Fighting Holiday Fraud, this year will be the first holiday season in which customers and retailers nationwide use EMV chip cards at the point of sale. As in-store precautions are strengthened and digital sales increase, more fraudsters are shifting their focus toward online businesses. One post-EMV attack strategy that is becoming increasingly popular is Account Takeover. This type of attack can be dangerous to an online business, and between 2014 and 2015 it increased by 112% (NuData).

What is Account Takeover Fraud?
According to CardNotPresent.com, “Account Takeover (ATO) is the term used when a fraudster uses a legitimate customer’s credentials to log on to their account and make purchases. In some cases, the customer’s stored payment method is used, while in others, the fraudster is using the account to make the purchases appear legitimate.”

Account takeovers have traditionally been very hard to detect because fraudsters operate from within a genuine and trustworthy user account. Fraudsters can buy login details from the black market, steal them through malware or phishing attacks, or use a list of the most common passwords to crack a customer’s account. In most cases, neither the account user nor the online business realizes what is happening before it is too late and damage is done.

How To Prevent Account Takeovers
In order to prevent account takeovers, online businesses must be able to identify high-risk users during account creation, flag suspicious account changes, and monitor suspicious purchasing behavior. For instance, to minimize the risk during account creation, a business should implement a two-step authentication process, such as confirming a code sent to the customer's email address or phone. This makes it difficult for fraudsters unless they also control that second channel in addition to the password.

This is why it is also important to look for and flag suspicious account changes. For example, was the customer's email address changed recently? Was there a change of shipping address immediately before ordering? Fraudulent activity can show up in ordering patterns too. Is a customer suddenly purchasing an unusually high volume of merchandise? Other red flags include logins from new devices or locations, an unusual number of failed login attempts, a change of operating system or browser, and logins through a proxy server or VPN. Any one of these alone may be harmless, but several of them together point to the likelihood that you have a fraudster on your hands.

Keep in mind that fraudsters capitalize largely on the fact that most people reuse the same password across different web services, so a password stolen from one site is simply tried against many others (often called credential stuffing). It is therefore also crucial to require strong, unique passwords for customer accounts.
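The signals above can be turned into a simple risk score that runs over an account's activity history. The following is an added example written for this post, not BMT Micro's fraud detection system: the event format, field names (kind, device, country, is_proxy, amount), the per-signal weights, the time windows and the review threshold are all assumptions, and the two account histories are constructed sample data rather than real customer records.

```python
"""Risk-scoring of account activity for account-takeover (ATO) signals.

Added illustration, not a vendor's fraud engine. Event records and weights
are assumptions chosen to make the signals in the text concrete.
"""
from datetime import datetime, timedelta

# Illustrative weights per signal (assumption, not tuned values).
WEIGHTS = {
    "email_changed_before_order": 3,
    "address_changed_before_order": 3,
    "order_volume_spike": 2,
    "new_device": 1,
    "new_location": 1,
    "failed_login_burst": 2,
    "proxy_or_vpn": 1,
}
REVIEW_THRESHOLD = 4                 # assumed: at/above this, route to manual review
CHANGE_WINDOW = timedelta(hours=24)  # profile change this close to an order is suspicious
FAIL_WINDOW = timedelta(minutes=10)  # window for counting failed logins
FAIL_LIMIT = 5                       # failures within the window that count as a burst
SPIKE_FACTOR = 5                     # order > factor x median of prior orders


def score_account(events):
    """Return (score, sorted flags) for one account's events.

    Each event is a dict with 'ts' (ISO 8601) and 'kind' in
    {'login', 'login_failed', 'email_change', 'address_change', 'order'}.
    Logins carry 'device', 'country', 'is_proxy'; orders carry 'amount'.
    """
    events = sorted(events, key=lambda e: datetime.fromisoformat(e["ts"]))
    flags = set()
    seen_devices, seen_countries = set(), set()
    fail_times, prior_amounts, last_change = [], [], {}

    for e in events:
        t = datetime.fromisoformat(e["ts"])
        kind = e["kind"]
        if kind == "login":
            # Compare only against devices/countries seen in earlier logins.
            if seen_devices and e["device"] not in seen_devices:
                flags.add("new_device")
            if seen_countries and e["country"] not in seen_countries:
                flags.add("new_location")
            if e.get("is_proxy"):
                flags.add("proxy_or_vpn")
            seen_devices.add(e["device"])
            seen_countries.add(e["country"])
        elif kind == "login_failed":
            # Keep only failures inside the sliding window, then count them.
            fail_times = [f for f in fail_times if t - f <= FAIL_WINDOW] + [t]
            if len(fail_times) >= FAIL_LIMIT:
                flags.add("failed_login_burst")
        elif kind in ("email_change", "address_change"):
            last_change[kind] = t
        elif kind == "order":
            for change, flag in (("email_change", "email_changed_before_order"),
                                 ("address_change", "address_changed_before_order")):
                if change in last_change and t - last_change[change] <= CHANGE_WINDOW:
                    flags.add(flag)
            if prior_amounts:
                median = sorted(prior_amounts)[len(prior_amounts) // 2]
                if e["amount"] > SPIKE_FACTOR * median:
                    flags.add("order_volume_spike")
            prior_amounts.append(e["amount"])

    return sum(WEIGHTS[f] for f in flags), sorted(flags)


def decision(events):
    """Map an account history to ('approve' | 'manual_review', score, flags)."""
    score, flags = score_account(events)
    return ("manual_review" if score >= REVIEW_THRESHOLD else "approve"), score, flags


# Constructed sample histories (not real customer data).
NORMAL = [
    {"ts": "2015-11-01T10:00:00", "kind": "login", "device": "d1", "country": "US", "is_proxy": False},
    {"ts": "2015-11-01T10:05:00", "kind": "order", "amount": 40.0},
    {"ts": "2015-11-15T09:00:00", "kind": "login", "device": "d1", "country": "US", "is_proxy": False},
    {"ts": "2015-11-15T09:10:00", "kind": "order", "amount": 55.0},
]
TAKEOVER = NORMAL + [
    # Five failed attempts in minutes, then a login from a new device and country via a proxy,
    # a change of email and address, and a large order: the pattern described in the post.
    *[{"ts": f"2015-12-20T03:0{i}:00", "kind": "login_failed"} for i in range(5)],
    {"ts": "2015-12-20T03:06:00", "kind": "login", "device": "d9", "country": "DE", "is_proxy": True},
    {"ts": "2015-12-20T03:07:00", "kind": "email_change"},
    {"ts": "2015-12-20T03:08:00", "kind": "address_change"},
    {"ts": "2015-12-20T03:12:00", "kind": "order", "amount": 900.0},
]

if __name__ == "__main__":
    for name, history in (("normal", NORMAL), ("takeover", TAKEOVER)):
        print(name, decision(history))
```

The point of the weighting is the one made in the text: a new device or a VPN login alone scores below the review threshold and is approved, while the combination of a failed-login burst, profile changes right before an order, and an order far above the account's usual size adds up and sends the order to manual review. Weights and windows would need tuning against a real store's order history before use.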

What To Do If Your Customer’s Account is Taken Over:
1. Lock down the account: When an account has been compromised, your top priority should be to make sure the account has been locked so the fraudster cannot make additional purchases.
2. Check for Account Changes: Review the account for any recent changes (email address, shipping address, payment method) so they can be reversed, and provide the legitimate customer with additional options for verifying their identity and regaining access.
3. Have a Written Policy: You will need to have set guidelines and standards for verifying identities and reversing fraudulent orders. This will be different for every business.

The account takeover method is growing quickly, so protect your hard earned revenue this holiday season by monitoring the account information entrusted to you by your customers.

Here at BMT Micro we can also help your business with handling holiday horrors like account takeover fraud. We strive to be an e-commerce company where customers can rest assured their information is and will always be protected. We also want our vendors confident in the knowledge that with the right level of fraud protection, it will decrease the likelihood that their product will be taken advantage of or fraudulently used. Our state-of-the-art fraud detection system automatically screens orders and puts questionable orders through a manual approval process. Plus, all BMT Micro servers are fully secured and host all shopping carts using the highest encryption standards available.

We continually make sure that online security measures remain a priority. If you have questions or concerns about your current fraud prevention or if you are interested in learning more about BMT Micro’s offerings please contact our vendor services at vendors@bmtmicro.com.
