Introduction

Online fraud is becoming more and more sophisticated, as cybercriminals try to keep a step ahead of fraud solutions and tools. One of the results of this arms race is the recent surge in account takeover (ATO) attacks, a form of fraud which is particularly difficult to detect. In 2017, ATO led to $5.1 billion in losses, a staggering 122% increase over the $2.3 billion lost in 2016.

Not only are ATO attacks tough to spot, they can also cause harm that goes beyond just stolen goods and chargebacks. Customers often leave credit card details saved in their store accounts, trusting merchants to guard them. In the event of a data breach, customers are left to deal with the fallout of having their personally identifiable information (PII) stolen. This could entail cancelling credit cards or dealing with identity theft. It can even be a struggle simply to regain control of their account: once fraudsters have accessed an account, they can lock the owner out by changing the security questions and passwords. In 2017, ATO victims spent an average of 15 hours resolving the fraud.

The damage for merchants is at least as grave. ATOs reflect very poorly on their brand, create a breach of trust with loyal customers, and can potentially lead to the loss of the entire lifetime value of affected customers.

In this guide, we’ll explain ATO attacks: how fraudsters get the credentials they need to access accounts, and their modus operandi once they’re in. We’ll also explain how to protect customer data, and your own products, from sophisticated ATO fraud. Finally, we’ll provide tips on creating a verification process that keeps bad actors out, without causing unnecessary friction to your good customers.