When we assess the potential damage of online fraud, there is the standard card not present (CNP) fraud, and then there are account takeovers (ATOs). When fraudsters gain access to your customers’ accounts, they obtain valuable information, and the fraudulent transactions they go on to commit are much harder to detect and stop. ATOs hurt merchants’ brand and their bottom line because they target their best, most loyal customers, driving a wedge between them.

Earlier this year, Riskified commissioned a survey of nearly 4500 participants to gain insights into the negative impact ATOs have on both customers and merchants. Despite the increase they recorded in ATO attacks—more than one in three (35%) merchants reported that at least 10% of their accounts had been compromised in the last 12 months—many merchants do not have the necessary safety measures to fend off such attacks. 

Our report, The Login Dilemma: Shopping in the Age of Account Takeovers, provides an overview of the ATO phenomenon, unpacking why such attacks are on the rise and sharing notes from Riskified’s research into popular tactics and MOs. You’ll also find actionable insights that reveal how online shoppers truly feel about store accounts and loyalty programs, their security expectations, and how they react when their accounts are compromised. Finally, we share tips for protecting store accounts and making accurate decisions at the first point of contact: the login.

Here are some of the topics we cover in our report.

How do fraudsters obtain those valuable login credentials?

ATO attacks require another layer of fraud on top of a standard CNP: a bad actor must gain access to a legitimate customer’s eCommerce store account. One popular way in which fraudsters get a hold of credentials is via phishing attacks. These are easy to execute, cheap, and effective—once you get a knack for it.

Phishing specialists manipulate and trick account holders—in some cases, even customer service representatives—into surrendering credentials. One of the schemes we’ve seen involves creating a mockup of a popular site, like Amazon.com, and prompting users to reset their passwords. Kits for creating such mockups are sold on the dark web

How do customers and merchants feel about ATOs?

Our survey results leave little room for ambiguity on one key factor: most online spending happens through store accounts. More than half of merchants say that account holders shop more often, and spend more per purchase, compared to customers who check out as guests. The overwhelming majority of customers, 81%, said that more than half of their online transactions happen at stores where they already have an account. 

Store accounts are much more than a service to customers; they are assets. Every time a customer opens an account with a merchant, their future expenditure prospect increases. The lifetime value of the shopper can double or triple when they open an account. But, like any other perk merchants offer their customers, accounts create a vulnerability. Customers are very aware of this threat, with the majority saying they are somewhat or very concerned about having their accounts compromised. Nearly 20% of consumers said they’ve had accounts compromised within the past year. 

How to protect your store from ATO attacks?

The fundamental challenge to stopping ATOs is that merchants do not have enough information to work with at the login point to make a reliable decision. Simply comparing IP addresses and device fingerprints are not enough to make an accurate decision.

So what can merchants do? The answer lies in mixing the right “cocktail” of data points. These can include IP geo data, behavioral analytics, and the input of a spoofing detection solution, to name a few. Many times, accurate login decisioning is the result of a comprehensive data-sharing program. For merchants who partner with a vendor for account takeover prevention, it is vital to ensure that your provider aggregates data from other merchants because strong data networks can fill in the gaps in information.

Download the Full Report

These are just some of the insights included in our report about Account Security in 2020. For more on fraud prevention best practices, download the full report.