Introduction

Online fraud is becoming more and more sophisticated, as cybercriminals try to keep a step ahead of fraud solutions and tools. One of the results of this arms race is the recent surge in account takeover (ATO) attacks, a form of fraud which is particularly difficult to detect. Riskified estimates that in 2019 ATO will lead to over $20 billion in losses, a staggering jump over the $2.3 billion lost in 2016. And because of their business models, OTAs (Online Travel Agencies) and airlines are the online sellers most vulnerable to these attacks.

For travel merchants in particular, ATO attacks cause harm that goes beyond just stolen tickets and chargebacks. Customers often leave credit card details saved in their accounts, trusting merchants to guard them. Most airline accounts also store users’ trip history, contact information and sometimes even passport numbers for the sake of convenience. In the event of an attack, customers are left to deal with the fallout of having their personally identifiable information (PII) stolen. This could entail cancelling cards or dealing with identity theft. It can even be a struggle simply to regain control of their account: once fraudsters have broken in, they can lock the owner out by changing the security questions and passwords. In the aftermath of an attack, ATO victims spend an average of 15 hours resolving the fraud.

The bottom line is that ATOs reflect very poorly on a merchant’s brand, create a breach of trust with loyal customers, and can potentially lead to the loss of the entire lifetime value of affected account holders.

In this guide, we’ll explain ATO attacks: how fraudsters get the credentials they need to access accounts, and their modus operandi once they’re in. We’ll also explain how travel merchants can protect customer data, and tickets, from sophisticated ATO fraud. Finally, we’ll provide tips on creating a verification process that keeps bad actors out, without causing unnecessary friction for good customers.