We recently completed a survey of about 4,000 customers and 425 merchants to get their thoughts on Account Takeover attacks (ATOs), and, well, the headline of our just-published press release says it all: Account Takeover Attacks Are an Enormous Vulnerability for Which Many Merchants Are Unprepared.
Despite the amount of virtual ink that has been spilled discussing ATOs and their impact in recent years, we found a surprisingly large percentage of merchants aren’t taking them seriously, with 27% of all merchants reporting that they don’t have measures in place to prevent them. That may explain why 35% of merchants report that at least 10% of their accounts have been taken over in the last year. These are big, scary numbers, but they don’t come close to capturing the full impact.
Let’s take a step back. We all know that ATOs are when a bad actor gains access to a legitimate customer’s account and uses it for ill, but what happens next? If you’re a merchant, the answer is often “chargebacks.” Fraudsters love ATOs because they’re difficult to stop, so merchants with an ATO problem now will have a chargeback problem very soon. But that won’t be the end of it.
Here’s what happens after your account is taken over if you’re the actual account holder – nothing. The fraudster has accessed your account and may be using your stored payment methods to place orders. And you have no idea. Of the customers who have been victims of an ATO, only 7.5% said they were contacted about the ATO by the merchant. The other 92.5% learned about it from their credit card company (36.3%), received an order confirmation (26.3%), saw the unauthorized purchase on their account (16.9%) or had their account details or password changed (13.1%).
That’s a really bad customer experience. It’s no wonder then that ATOs continue to have an impact down the line. Sixty-five percent of customers say they would likely stop buying from a merchant if their account was compromised. More than half (54%) of customers say they would delete their account, 34% would go to a competitor, and 33% say they would tell their friends to stop shopping with the merchant.
[Chart: Which would you likely do if your store account was compromised?]
The costs are huge, but ATOs are difficult to prevent effectively. Because merchants are working with a login and a password – and not the items purchased and billing and shipping details, for example – it’s a tough decision based on limited information. And merchants don’t want to upset or inconvenience account holders. Sixty-four percent of merchants say that at least half of their orders come from account holders, and those account holders spend more (according to 58% of merchants) and shop more frequently (according to 61% of merchants) than guest checkout users.
[Chart: What share of purchases at your store are made through store accounts?]
So what’s a merchant to do? Take as much information as possible into account and – more importantly – don’t view the account action as an isolated event. The case for using as much information as possible is clear. We talk about that all the time. Check device and network details, proxy usage and previous logins. Use all the data points that can help determine in real time whether the person accessing the account is the legitimate account holder.
It’s not a sprint. But it’s not quite a marathon either. It’s a marasprint.
But the more important piece of this is that merchants can view ATOs over a longer term than just the account event. The ATO isn’t the end goal. Successfully placing the order and getting the goods is the goal, and merchants can work with that in mind. If a valuable account is accessed with an unfamiliar device, merchants don’t necessarily need to issue a hard verification and inconvenience the shopper. They have the luxury of seeing what happens next. If that “suspicious” login ends up with a safe cart shipping to a known address, then the merchant can safely approve the order and recognize that unfamiliar device in the future.
If, on the other hand, a merchant views an account activity as safe, but that “safe” account activity is followed by unusual shopping activity and a risky cart, the merchant can ask the shopper to verify their identity, preventing a chargeback and salvaging the customer experience. That end-to-end approach and the feedback loop afforded by viewing transactions from start to finish is invaluable in increasing accuracy. It’s also why it’s so important for merchants to make sure that their teams and solutions are connected and communicating.
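To make that end-to-end flow concrete, here is a small sketch added for illustration; it is not Riskified's code, and the field names, the cart-risk score and its 0.7 threshold are assumptions. The login is scored but not challenged, the decision is made at checkout, and an approved order feeds the unfamiliar device back into the account's known devices.

```python
from dataclasses import dataclass, field

CART_RISK_LIMIT = 0.7  # assumed threshold on a 0..1 order-risk score


@dataclass
class Account:
    known_devices: set = field(default_factory=set)
    known_addresses: set = field(default_factory=set)


@dataclass
class Session:
    device_id: str
    via_proxy: bool = False
    login_flagged: bool = False


def on_login(account: Account, session: Session) -> str:
    """Record login risk signals, but defer any hard verification."""
    session.login_flagged = (
        session.device_id not in account.known_devices or session.via_proxy
    )
    return "allow"  # the shopper is not interrupted at login


def on_checkout(account: Account, session: Session,
                ship_to: str, cart_risk: float) -> str:
    """Decide on the order using the login signals and the cart together."""
    if cart_risk >= CART_RISK_LIMIT:
        # A risky cart triggers verification even after a "safe" login.
        return "verify"
    if session.login_flagged and ship_to not in account.known_addresses:
        # Assumption: the text does not cover this case; treated as step-up.
        return "verify"
    if session.login_flagged:
        # Feedback loop: a flagged login that ends in a safe order to a
        # known address teaches the account this device.
        account.known_devices.add(session.device_id)
    return "approve"


if __name__ == "__main__":
    # Constructed sample data, not survey or production data.
    acct = Account(known_devices={"dev-A"}, known_addresses={"addr-1"})
    s = Session(device_id="dev-B")
    print(on_login(acct, s), on_checkout(acct, s, "addr-1", 0.1))
```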
When Riskified expanded to become more than just a fraud solution, protecting merchant accounts was one of our earliest priorities – for exactly this reason. Having those solutions work in tandem is not just additive but multiplicative. Gathering all that information and making truly informed decisions lets us maximize merchant revenue, minimize risk and chargebacks and help deliver an excellent, secure experience to our clients’ customers.
There is plenty more to come from our ATO survey. To learn the full scope of the data, please join our webinar on June 16th at 11:00 a.m. Eastern. You can also find our North American press release here, along with French and German versions. Finally, we have an infographic that brings some key findings to life.