In the merchant sector, accounts long ago shifted from being a nice-to-have option to a business necessity. Aside from the straightforward practicalities of allowing customers to keep cards and delivery information on file, they can also provide consumer insights such as spending habits.
They are, in a word, valuable. Unfortunately, that value is recognized by others with more malicious intentions. Account takeover fraud (ATO) is one of the most persistent approaches favored by bad actors and the challenge of keeping them at bay is not getting easier. According to CIFAS in the UK, online retail is the most targeted product for ATO, due to many retailers offering credit before payment.
Whilst the direct cost of ATO may not be as high as chargebacks for example, the impact can still be felt. This blog will look at the broader repercussions ATO can have on e-commerce and digital services organizations, as well as how technologies to solve them have significantly advanced.
Tackling ATO means fighting on all fronts
Account takeover poses a number of risks for e-commerce and merchant businesses, including:
- Fake accounts: one use of customer data is to set up fake accounts using ‘real’ customer data. These may be used to buy products on credit to sell on themselves, all the while impacting the ‘real’ customer’s credit score and resulting in direct losses for the business. These accounts can also be used to build fake identities for further malicious intent.
- Fraudulent orders: once in, fraudsters have the run of the house and are able to place fraudulent orders for delivery to accommodation addresses that are difficult to trace.
- Loyalty points and account credit theft: loyalty accounts protected by weak passwords are like fish in a barrel for fraudsters. Once in, points can be switched for cash or transferred to other accounts.
- Social engineering and scams: customer details can be used against them. Fraudsters can use this data to socially engineer customers, using the data to instill a false sense of trust with their victims and convince them to transfer funds.
- Sale of customer data on the dark web: likely in conjunction with any other activity, customer data from email addresses to card details is a valuable commodity on the dark web, only fuelling other types of fraudulent attacks.
The ATO tactics of bad actors are evolving – rapidly. This is partly due to them being perennial early adopters; as soon as a new technology emerges, fraudsters and scammers are among the first to find weak points or loopholes to exploit.
As a result, organizations can often find themselves in a reactive mode, trying to shut down those new attack vectors as they become apparent.
Operational efficiency considerations around ATO solutions
On an operational level, ATO brings cost pressures in the form of investigations, on top of the rising costs of traditional authentication approaches such as OTPs – not to mention the costs associated with false positives which can drive customers away.
Because those costs affect multiple business units, the overall financial impact is often difficult to quantify or goes unreported. The same can be true of the impact on brand and reputation. Customers have little patience and are happy to shop elsewhere if they experience checkout friction more than once. If their account is taken over, you can be certain they (and their friends and family) will take their business elsewhere.
These challenges can then be compounded by the fact that departments and business units will have their own sets of objectives and KPIs, and finding a solution that fits in with each component of an exercise can be complex.
E-commerce, streaming and subscription businesses should be asking their acquirers and fraud vendors about their ability to meet these challenges, and where possible, bring other departments into the process. By working collaboratively in the selection process, the business is more likely to find a vendor that offers cross-departmental benefits.
The UX vs authentication quandary
For many e-commerce businesses, the concern is that any additional fraud controls often come with a UX overhead.
Customers place a high value on user journeys that are smooth, seamless, and friction free; the more authentication steps that are added, the more fragmented and frustrating those journeys become.
Many of these solutions, such as SMS OTPs and passwords, lead to extended checkout times and slow page loads, and OTPs often aren’t delivered or are entered incorrectly – all leading to cart abandonment.
In the end, a business can find itself dealing with unwelcome levels of customer churn.
This may have been a challenge in the past, but today technologies are both affordable and readily accessible. Solutions such as Callsign are digital first, designed primarily to protect against fraud such as Account Takeover (ATO).
The Dual Synergy approach to account takeover
When it comes to ATO, focusing purely on detection and staying in a reactive mode is not going to give sufficient protection to a business or its customers.
The answer lies in adopting a hybrid approach, such as Callsign’s Dual Synergy model methodology. Callsign identifies genuine users via a digital DNA profile, a 1-to-1 model that works as a comparator for future behaviors. Simultaneously, Callsign also uses a 1-to-many model to detect fraudulent behavior, using industry-leading fraud data science models.
The user identification combines non-cookie-based device verification with behavioral insights such as keystroke dynamics that work passively in the background. With less onus on historic authentication such as OTPs, transaction times can be reduced as can cart abandonment.
This approach allows for robust scalability and flexibility, particularly around key events such as sales periods (Black Friday or January sales). By taking a digital approach to solving digital challenges, elements such as UX, privacy and security are fully integrated into a solution.
Callsign can give businesses the ability to take the edge away from the fraudsters, keeping customers and their accounts safe and secure, today and in the future.