Stopping Account Takeovers in the Sharing Economy
Around 111 million consumers use some type of peer-to-peer sharing platform. From ridesharing services like Uber and Lyft to talent platforms like Fiverr, the sharing economy is ubiquitous. Unfortunately, their popularity is not limited to good customers; increasingly, these platforms attract bad actors as well. Because many sharing economy platforms lack sufficient verification processes, fraudsters are investing their time and effort into taking over the accounts of loyal users.
In this blog, I’ll discuss how to effectively keep bad actors out, without losing good customers along the way. I’ll share a real story from an account takeover victim to demonstrate how brand reputation and brand loyalty can take a hit when brands fall short of protecting customers’ accounts.
The state of fraud
Stolen ridesharing accounts can be even more valuable now than credit card numbers, selling for up to $30 on the dark web compared to $5 for credit card information. Nevertheless, most peer-to-peer sharing applications don’t request that returning customers verify their identity, beyond entering their password. On one hand, this is understandable. Businesses don’t want to create friction for good customers who own and use their accounts. But what happens when there is a suspicious login attempt?
According to a report released by PYMNTS, 35% of consumers on sharing economy applications were asked to confirm their email address (if it wasn’t used as the username) when logging back into their accounts. The next most common forms of verification for returning customers were based on the phone number or on responding to one-time email or text alerts. But when verifying customers, merchants need to make sure they’re doing it in an effective way. They should have the capability to judge the risk of all account-based activities and initiate an identity challenge when necessary. The story below highlights what happens in the aftermath of an attack when customers are left to deal with the fallout of having their personally identifiable information (PII) stolen. Details were changed for anonymity, but it is based on the true story of a Riskified employee.
Sara lives in Germany. Two years ago, she had to fly to Chicago for a business trip. While away, she opened an account with a ridesharing platform so that she could easily go from her hotel to her different meetings across the city. To verify and create the account, she used her personal email and a temporary U.S. phone line that her company activated for the duration of the trip. She used her German credit card for the payment. Once she returned to Germany, she no longer had use for the app, but kept her account activated for future travels. A few weeks ago, Sara received an email from the ridesharing platform that a change of device and a change of password had been detected in the account. They didn’t suspend the account; they simply notified her of the change.
Because Sara no longer had access to the phone number initially used to verify the account, she couldn’t pass the two-step verification to get into her account and take action to block or suspend it. There was no other verification method offered, so she was locked out of her account, with no way to get in and stop the charges. She immediately tried to contact customer service, but there was no phone number listed, only a help form. She filled out the form with her contact information and hoped they would be quick to respond. Hours went by and nothing. Meanwhile, Sara’s inbox was getting flooded with receipts, ride after ride: $72 for a ride in Brooklyn, NY, $56 for a ride in Detroit, MI, $89 for a ride in Miami, FL, all taken with the highest-priced ride option on the platform. Even worse, the fraudster was quick to take advantage of her account and share the details with others across the country. But for the platform, no red flags were raised.
Luckily, Sara’s credit card company called. They quickly noticed the sudden charges from cities across the U.S. and called her to inquire whether she was authorizing them. Sara explained that the charges were in fact fraudulent and that her ridesharing account had been compromised. Still with no answer from the ridesharing platform, she was left with no other option than to cancel her credit card with the bank. Within minutes, she received another receipt, this time with a note saying: “We were unable to charge your card ending in ***90. Please update your payment information.” The fraudsters were still taking rides, and the platform was letting them do it with a cancelled card – they still hadn’t detected the account takeover.
Over 48 hours and 9 charges later, she finally got a call from customer support. Sara explained that she had tried to contact them when she first noticed the activity in her account. She told the agent that she lives in Germany and had never been to any of the cities listed in the charges. The agent asked her if the phone number associated with the account started with 781. Sara didn’t recognize the number. The customer support agent explained that the fraudsters must have changed it to match their own.
The agent updated the account information to match Sara’s so that she could finally enter her account and change her password. At this point, Sara wanted nothing to do with the brand again. Not only were they too late to respond, they didn’t block the account or offer additional verification methods after an account that hadn’t been used for 2 years experienced a surge of 9 rides from cities across the country, not to mention a string of device, password, phone number, and credit card changes.
Detecting ATO attacks
Unfortunately, Sara’s story is too often the experience of customers who have had their accounts compromised. Of the customers who have been victims of an ATO, only 7.5% said they were contacted about the ATO by the merchant. The other 92.5% learned about it from their credit card company (36.3%), received an order confirmation (26.3%), saw the unauthorized purchase on their account (16.9%) or had their account details or password changed (13.1%). That’s a really bad customer experience. To make matters worse, ATO victims spend an average of 15 hours resolving the fraud. In Sara’s case, she had to deal with a cancelled credit card and updating all of her accounts linked to the old card. So how can businesses catch bad actors before the damage is done?
It all starts with accurate decisioning. Collecting and analyzing data about users’ online behavior in real time and comparing it to the customer’s past behavior is the key to detecting ATO attempts. For example, by linking every account event to the customer’s previous transactions, merchants can better distinguish legitimate customers from bad actors. But as the case above shows, identifying the attack isn’t enough. To successfully manage this type of fraud, merchants need to determine when and how to block bad users, notify customers of suspicious login attempts, or request additional verification. We recommend email verification for risky logins, and not just a notification that there’s been a suspicious login attempt: consider requiring the recipient to take an action, such as indicating whether they recognize the attempt (providing yes/no buttons).
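To make the decisioning above concrete, here is an added illustration that is not Riskified’s product or code: a small Python risk scorer that replays an event stream constructed to mirror Sara’s case (dormant account, unknown device, password and phone changes, rides in distant cities hours apart, a failed charge) and decides per event whether to allow, notify, challenge, or block. The signal names, weights, thresholds, and the 6-hour travel window are assumptions chosen for the example.

```python
from datetime import datetime, timedelta
# Constructed profile and event stream modelled on the incident above (illustrative only).
PROFILE = {"home_country": "DE", "last_active": datetime(2017, 5, 10), "known_devices": {"dev-A"}}
def ev(ts, kind, device, city, country="US"):
    return {"ts": ts, "type": kind, "device": device, "city": city, "country": country}
EVENTS = [
    ev(datetime(2019, 5, 1, 8, 0), "login", "dev-B", "Brooklyn"),
    ev(datetime(2019, 5, 1, 8, 2), "password_change", "dev-B", "Brooklyn"),
    ev(datetime(2019, 5, 1, 8, 5), "phone_change", "dev-B", "Brooklyn"),
    ev(datetime(2019, 5, 1, 9, 0), "ride", "dev-B", "Brooklyn"),
    ev(datetime(2019, 5, 1, 11, 0), "ride", "dev-C", "Detroit"),
    ev(datetime(2019, 5, 1, 12, 0), "ride", "dev-D", "Miami"),
    ev(datetime(2019, 5, 2, 9, 0), "payment_failed", "dev-B", "Miami"),
]
SENSITIVE = {"password_change", "phone_change", "card_change"}
DORMANT = timedelta(days=365)        # no activity for this long = dormant account (assumed)
TRAVEL_WINDOW = timedelta(hours=6)   # rides in two cities closer than this are implausible (assumed)
WEIGHTS = {"dormant_account": 2, "unknown_device": 2, "foreign_country": 1,
           "sensitive_change": 2, "payment_failed": 2, "impossible_travel": 3}

def signals(profile, event, state):
    """Risk signals one event raises; state keeps the last ride for the travel check."""
    last = state.get("last_ride")
    hits = {
        "dormant_account": event["type"] == "login" and event["ts"] - profile["last_active"] > DORMANT,
        "unknown_device": event["device"] not in profile["known_devices"],
        "foreign_country": event["country"] != profile["home_country"],
        "sensitive_change": event["type"] in SENSITIVE,
        "payment_failed": event["type"] == "payment_failed",
        "impossible_travel": event["type"] == "ride" and last is not None
            and last["city"] != event["city"] and event["ts"] - last["ts"] < TRAVEL_WINDOW,
    }
    if event["type"] == "ride":
        state["last_ride"] = event
    return [name for name, hit in hits.items() if hit]

def decide(reasons):
    """Weighted score -> action; a risky login gets a challenge (e.g. email yes/no), not just a notice."""
    score = sum(WEIGHTS[r] for r in reasons)
    if score >= 6:
        return "block"
    return "challenge" if score >= 3 else "notify" if score else "allow"
def run(profile, events):
    """Evaluate the stream in order -> list of (event type, action, reasons)."""
    state, out = {}, []
    for e in events:
        reasons = signals(profile, e, state)
        out.append((e["type"], decide(reasons), reasons))
    return out
```

With these weights the very first login on the dormant account from an unknown device already scores high enough to trigger a challenge, and the Detroit ride two hours after Brooklyn is blocked as impossible travel.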
It all comes down to trust
Consumers value sharing as a more convenient, affordable, and enjoyable option than traditional service providers. There’s no doubt that peer-to-peer sharing applications have made our lives so much easier. And the trust that users have put into them is key to what has made them thrive. The verification process will ultimately either make or break that trust. If merchants manage the security of customer accounts well, they’ll showcase their commitment to customer loyalty and lifetime value. If they fall short, merchants will see brand reputation take a hit. To learn more about Riskified’s ATO prevention solution, contact email@example.com.