Ai Editorial: Here’s why account takeovers are set to become a bigger headache

First Published on 8th November, 2018

Ai Editorial: Account takeovers (ATO) are shaking e-commerce players in many ways, including in the loyalty space. For instance, once an account has been taken over, orders can be placed with the genuine card-on-file or with stored credit (reward points or miles), writes Ai’s Ritesh Gupta


Retailers, including travel e-commerce players, are looking at combating the increasing threat of account takeover (ATO) attacks.

As the number of data breaches goes up, they are being linked to the surge in ATO attacks. This is because these breaches supply a treasure trove of login credentials, passwords and personal information.

Here is how fraudsters make use of what they steal: data breaches result in compromised login credentials. Fraudsters then test whether these credentials also work on other sites. With one password reused across multiple accounts being a common practice, the potential damage is enormous. Since testing credentials by hand is laborious, fraudsters use bots to automate the testing process. Once they have found credentials that work, they can either commit the fraud themselves or sell the credentials on the dark web. According to Riskified, fraudsters usually have specialized roles: fraudster A is the expert at data breaches, and he’ll monetize the stolen credentials by selling them to fraudster B, who is the expert at loyalty fraud. Cybercriminals purchase these stolen credentials on the dark web and then launch coordinated fraud attacks for hostile ATOs, or create spam accounts backed by real, genuine identities.

Why an even bigger headache?

When a successful data breach or ATO attack happens, merchants can find themselves in a very difficult situation. As explained by Sift Science, this is because stored payment methods make it easier for fraudsters to shop, fraudsters can redeem miles and points that sit in unsecured accounts, personal information is lost, and merchants then also have to grapple with restoring accounts after a takeover incident. Spam accounts are useful for fraudsters to abuse promotional codes, which is another pain point for merchants.

A couple of reasons why ATO can become an even bigger headache:

· ATO can also occur under other circumstances, such as when competitors suffer a data breach. Given that most people tend to use the same credentials with multiple merchants, fraudsters will test stolen credentials across multiple websites. This means that an enterprise’s accounts can also be compromised once fraudsters get hold of its competitors’ user data.

· It also needs to be considered that enterprises are starting to build ecosystems where a single account can be used to access multiple services, increasing the value of accounts and further compounding the problem of account takeovers. Accounts are becoming increasingly valuable because of the amount of information and/or services tied to a single login, and considering that most enterprises have yet to deploy sophisticated fraud management techniques to detect fraudulent account logins, accounts have become the new gold for fraudsters today. A case to examine is Amazon, where one single account may be used to access multiple services including Amazon Prime, Alexa, cloud storage, music streaming and more. Once a single account is compromised, it is difficult to contain the damage across all the endpoints that could benefit the fraudster. For instance, the fraudster could have access to the card-on-file to make purchases, or to the user’s information, or worse, in the case of IoT (e.g. Alexa), spy on the users in their homes.

What to consider?

Some of the top issues on the agenda of airlines today are: how to prevent fraudsters from accessing travellers' legitimate accounts, and how to combat an ATO attack at the point of sale by declining the order.

Companies acknowledge what's at stake: their reputation, messed-up loyalty accounts, a customer's private information, etc. A majority of fraud review operations are reluctant to decline orders coming from a logged-in account, because the risk of offending a good customer is so high and the fear of a poor customer experience makes it a delicate issue. As pointed out by Riskified, a major aspect of stopping fraudsters at the point of account login is processing data and making decisions in real time.

Enabling two-factor authentication (2FA) is one option. Educating consumers to use strong passwords and to secure their devices is also important. Notifications about suspicious activity, too, need to be considered. Still, travel e-commerce companies need to dig deeper. As recently shared by CashShield, organizations tend to rely on 2FA for account protection, but fraudsters can overcome it with deceptive tactics such as SMS phishing to trick users into giving up their 2FA reset codes; it is also not uncommon for fraudsters to intercept the confirmation SMS messages. This shows that 2FA on its own is not sufficient to prevent fraudulent account takeovers.

As for the merchant's role, they need to adopt stringent security protocols for storing and encrypting their data, to curtail the loss in case of a data breach. They can also attempt to lessen the harm by ensuring that stolen data cannot be used. According to CashShield, one way to achieve this is to deploy real-time active surveillance on every login to filter out potential threats and prevent attackers from gaining unauthorized access to accounts.
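To make the bot-driven credential testing described earlier and the per-login screening CashShield recommends concrete, here is an added illustrative example (not code from Ai, Riskified, Sift Science or CashShield). It keeps a short in-memory history per source IP and flags two patterns a defender would act on: a burst of failed attempts against many different accounts from one IP (credential stuffing), and a successful login from a device the account has never used before. The window size, thresholds, event fields and sample events are all assumptions constructed for the example.

```python
from collections import defaultdict, deque
from dataclasses import dataclass, field

WINDOW = 300           # seconds of login history kept per source IP (assumed)
MAX_USERS_PER_IP = 5   # distinct accounts tried from one IP within the window (assumed)
MIN_FAIL_RATIO = 0.6   # share of failed attempts that marks a stuffing burst (assumed)


@dataclass
class LoginScreen:
    """Screens each login event as it arrives; state is in-memory for the example."""
    by_ip: dict = field(default_factory=lambda: defaultdict(deque))       # ip -> (ts, user, ok)
    known_devices: dict = field(default_factory=lambda: defaultdict(set))  # user -> device ids

    def check(self, ts, user, ip, device, ok):
        """Return the reasons this login looks suspicious (empty list means it looks normal)."""
        history = self.by_ip[ip]
        history.append((ts, user, ok))
        while history and ts - history[0][0] > WINDOW:   # drop events outside the window
            history.popleft()
        reasons = []
        distinct_users = {u for _, u, _ in history}
        failures = sum(1 for _, _, success in history if not success)
        if len(distinct_users) >= MAX_USERS_PER_IP and failures / len(history) >= MIN_FAIL_RATIO:
            reasons.append("credential_stuffing_burst")
        if ok:
            seen = self.known_devices[user]
            if seen and device not in seen:
                reasons.append("new_device_for_account")
            if not reasons:          # only learn a device from a login that passed clean
                seen.add(device)
        return reasons


SAMPLE_EVENTS = [  # constructed sample: (timestamp, user, source ip, device id, success)
    (0, "alice", "10.0.0.1", "dev-a1", True),        # ordinary login, sets alice's baseline
    (60, "bob", "10.0.0.2", "dev-b1", True),
    (100, "alice", "203.0.113.9", "bot-1", False),   # one IP walking a leaked credential list
    (101, "bob", "203.0.113.9", "bot-1", False),
    (102, "carol", "203.0.113.9", "bot-1", False),
    (103, "dave", "203.0.113.9", "bot-1", False),
    (104, "erin", "203.0.113.9", "bot-1", True),     # a reused password that "worked"
    (400, "alice", "198.51.100.7", "dev-x9", True),  # alice's account from a never-seen device
]


def run_sample():
    """Replay the constructed events and return (ts, user, reasons) for each login."""
    screen = LoginScreen()
    return [(ts, user, screen.check(ts, user, ip, dev, ok)) for ts, user, ip, dev, ok in SAMPLE_EVENTS]
```

In practice the flagged logins would feed a step-up check or a manual review rather than an outright decline, which is the trade-off with good customers the article describes.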

