How Merchants Can Rapidly Confront the Account Takeover Crisis

This is Part I of a series that examines the Account Takeover (ATO) crisis at both banks and merchants. First up: the impact that ATO is having on merchants.

It’s not news to anyone that ATO fraud is surging. According to Javelin Strategy and Research, in 2016 losses from ATO fraud were $2.3 billion. In 2017, that number more than doubled to $5.1 billion, representing 30% of the total of $16.8 billion in fraud losses. Behind these numbers, there are a lot of hurt people, with account credentials that have suddenly stopped working.

That’s because their credentials have been stolen. Almost every ATO occurrence can be traced back to a data breach. In 2017 alone there were 2.6 billion records breached, or 82 records every second (an increase of 87.5% compared to the previous year). Fraudsters are using ingenious tactics to commit these breaches. In one case, fraudsters even managed to gain access to Target’s data through one of its HVAC vendors, essentially entering through the vents.

From ATO to payment fraud

Credentials from these data breaches are treated like any other precious resource: they are mined, refined, aggregated, and sold. Credentials are often mined from massive online data breaches. Breaches similar to Equifax (where 145 million+ records were lost) or Yahoo (3 billion+ records were lost) provide a gold mine for criminals looking to commit ATO fraud.

However, breaches are not the only way to gain control of account credentials. Other strategies can be employed to catch good consumers off-guard and take control of their accounts. These strategies include (among many sophisticated techniques):

  • Honeypots: Purchasing domains with similar names to the domain that a customer is trying to access in order to trick a customer into entering their credentials on a malicious site (e.g. when the customer is trying to access
  • Social Engineering: Tricking customers or company representatives into handing over control of account credentials (see a hacker take control of an account using social engineering)
  • Trying Common Passwords: Often hackers will try a list of commonly used passwords in order to gain access to an account

Once the account is in the criminal’s control, it can be refined and listed on dark web marketplaces. This data is sold either individually or in aggregate, with the price determined by variables like credit score and account balance. On these dark web marketplaces, fraudsters can easily purchase:

  • A Social Security Number for $1
  • A general non-financial institutional login for $1
  • Online payment services login info for $20-$200
  • A loyalty account for $20
  • Credit or debit cards for $5 with a CVV2 number, $15 with bank info, or $30 for an account with an SSN, birth date, and relevant account numbers

The ease of access to credentials is fueling the dramatic increase in ATO fraud. This is, in turn, triggering a rapid increase in payment fraud. Fraudsters regularly steal trusted customer accounts to better conceal stolen credit/debit cards.

The anatomy of an ATO attack

Fraudsters are determined criminals who will do everything they can to monetize their investments. After they steal credentials, the ATO follows quickly. Retail ATO typically starts with unusual login attempts after the data from a breach is dumped. Account attributes such as shipping address, zip code, email address, and phone numbers are often updated following the login attempts. Then the chargeback occurs. Most merchants are left dizzy, unable to keep up with the pace of the fraud scheme.

Once fraudsters take over accounts and commit ATO fraud, they rapidly evolve their tactics, become more sophisticated, and present patterns that are increasingly difficult to detect. Fraudsters typically move through three distinct patterns of ATO to generate as much income as possible:

The Basic Pattern

  • The fraudster uses the same customer details, but uses a reshipper address
  • They commit multiple ATO attempts and ship to the same address
  • Often they try many different credit and debit cards on the account; and as a result, often multiple failed attempts are recorded

Improving on the Basic Pattern

  • The fraudster updates the billing and shipping address to match
  • The fraudster updates the credit and debit cards’ billing address to ensure AVS matches the shipping address
  • The fraudster takes over the customer account with their own identity, often changing the name on the account

The Real Pain

  • The fraudster updates the account so that its only remaining original attribute is the customer ID
  • At this point, the account belongs to the fraudster as a real person, which makes it extremely difficult to detect, and almost identical to a healthy account

Identifying the signatures of ATO fraud

Our machine learning platform was purpose-built to stop retail fraud, and that includes ATO. We’re only getting better at identifying the common markers of ATO fraud as they manifest in real time:

  • Multiple user accounts per billing email, shipping address or credit card
  • User account country different from the shipping country
  • If the user account zip code is not null, in an ATO it will mismatch both the billing and the shipping zip code
  • Several card attempts from different countries
  • Known reshipping address
  • Shipping name reappears inside the shipping address (e.g. shipping name is John Smith and the shipping address is John Smith 2000)
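The markers above are simple enough to express as deterministic rules, which is how a merchant can get a first line of defense in place before any model is trained. The following is an added example written for this page; it is not Feedzai’s code and does not reflect how the Segment-of-One™ profiles work. It evaluates each of the six markers over a constructed stream of orders, keeping the orders seen so far as the history that the "multiple accounts per attribute" and "several card countries" rules need. The `Order` fields, the reshipper list, and the threshold of one card country per account are all assumptions made for the example.

```python
"""Rule-based detection of the ATO markers listed above (added example, not Feedzai code)."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Order:
    user_id: str
    account_country: str
    account_zip: Optional[str]   # None when the account never set a zip code
    billing_email: str
    billing_zip: str
    card_id: str                 # hypothetical token standing in for a card fingerprint
    card_country: str            # issuing country of the card (BIN lookup assumed upstream)
    shipping_name: str
    shipping_address: str
    shipping_zip: str
    shipping_country: str


# Constructed placeholder reshipper address; a real deployment would load a curated list.
KNOWN_RESHIPPERS: Set[str] = {"100 freight forward way, portland, or"}


def _norm(s: str) -> str:
    """Lower-case and collapse whitespace so cosmetic variations compare equal."""
    return " ".join(s.lower().split())


def _tokens(s: str) -> Set[str]:
    return {t.strip(",.") for t in _norm(s).split()}


def name_embedded_in_address(name: str, address: str) -> bool:
    """Marker: every token of the shipping name recurs in the shipping address
    ("John Smith" / "John Smith 2000")."""
    name_tokens = _tokens(name)
    return bool(name_tokens) and name_tokens <= _tokens(address)


def accounts_sharing(orders: List[Order], attr: str) -> Dict[str, Set[str]]:
    """Map each value of attr (billing_email, shipping_address, card_id) to the user_ids that used it."""
    shared: Dict[str, Set[str]] = defaultdict(set)
    for o in orders:
        shared[_norm(getattr(o, attr))].add(o.user_id)
    return shared


def ato_signals(order: Order, history: List[Order], max_card_countries: int = 1) -> List[str]:
    """Return the names of the markers this order trips, judged against history plus itself."""
    seen = history + [order]
    flags: List[str] = []

    # Marker 1: more than one user account behind the same email, address or card.
    for attr in ("billing_email", "shipping_address", "card_id"):
        if len(accounts_sharing(seen, attr)[_norm(getattr(order, attr))]) > 1:
            flags.append(f"multiple_accounts_per_{attr}")

    # Marker 2: account country differs from shipping country.
    if order.account_country != order.shipping_country:
        flags.append("account_country_mismatch")

    # Marker 3: a set account zip that matches neither billing nor shipping zip.
    if order.account_zip and order.account_zip not in (order.billing_zip, order.shipping_zip):
        flags.append("account_zip_mismatch")

    # Marker 4: this account has presented cards issued in several countries.
    countries = {o.card_country for o in seen if o.user_id == order.user_id}
    if len(countries) > max_card_countries:
        flags.append("cards_from_multiple_countries")

    # Marker 5: shipping to a known reshipper (substring match on the normalised address).
    if any(r in _norm(order.shipping_address) for r in KNOWN_RESHIPPERS):
        flags.append("known_reshipper")

    # Marker 6: shipping name reappears inside the shipping address.
    if name_embedded_in_address(order.shipping_name, order.shipping_address):
        flags.append("name_embedded_in_address")
    return flags


def score_stream(orders: List[Order]) -> List[List[str]]:
    """Score orders in arrival order, each against the orders before it."""
    history: List[Order] = []
    out: List[List[str]] = []
    for o in orders:
        out.append(ato_signals(o, history))
        history.append(o)
    return out


# Constructed sample stream: one healthy order followed by three that walk through the patterns above.
SAMPLE_ORDERS: List[Order] = [
    Order("u1", "US", "02139", "alice@example.com", "02139", "card-a", "US",
          "Alice Adams", "1 Main St, Cambridge, MA", "02139", "US"),
    Order("u2", "US", "10001", "bob@example.com", "10001", "card-b", "US",
          "Bob Brown", "100 Freight Forward Way, Portland, OR", "97201", "US"),
    Order("u3", "US", "60601", "bob@example.com", "97201", "card-c", "GB",
          "Bob Brown", "100 Freight Forward Way, Portland, OR", "97201", "US"),
    Order("u3", "US", "60601", "bob@example.com", "97201", "card-d", "FR",
          "Carol Clark", "Carol Clark 2000, 5 Elm St, Denver, CO", "80202", "CA"),
]

if __name__ == "__main__":
    for order, flags in zip(SAMPLE_ORDERS, score_stream(SAMPLE_ORDERS)):
        print(order.user_id, flags or "clean")
```

Each rule on its own is weak (a family legitimately shares an address, a traveller legitimately owns a foreign card), so the value is in how many markers fire together on one order and how quickly they accumulate across accounts, which is what the second and third sample orders show.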

Over the years, Feedzai has prevented multiple ATO attempts that would have been devastating. In one case, we were able to stop an ATO attempt that would have caused a merchant losses of $600,000 in just four minutes. What made this case particularly special was that the fraudster was using a bot in conjunction with 84 unique accounts in order to deal a large amount of damage at superhuman velocity. Feedzai was able to detect that the fraudster was using:

  • 84 user IDs
  • 84 phone numbers
  • 66 credit cards
  • 58 shipping names
  • 50 shipping addresses in 6 shipping cities

Feedzai stopped the attempt right in its tracks, and all without disrupting any valued customers’ transactions.

How we do it

Feedzai has a platform that allows for rapid iteration and deployment of increasingly accurate models. It creates Segment-of-One™ Profiles that compute behavioral profiles for every entity in the system, storing them in memory across different timescales – the last three years, three months, three milliseconds – and pinpointing anomalies in the moment. And it has the most advanced real-time processing capabilities for precisely handling ultra high transactional volume at ultra low latency.

Our platform ingests omnidata and adds enrichers to connect the dots using graph-based link analysis and build a complete view of the agent behind the account. We deploy behavior learning of user context, behavior, and action to score transactions in milliseconds. And we perform deep link analysis to discover the hard-to-link fraud events and behaviors that lead us to the fraudulent user.

The end result is that we stop ATO in its tracks. And because the fraudster is constantly improving, we have to constantly improve too. We dynamically update rules and ATO strategies in seconds to test new fraud patterns, and we implement changes in minutes.
