New Crime on the Block: Account Takeover Fraud
Traditional crimes like identity theft and credit card fraud have become commonplace these days. No one is surprised when they (or someone they know) becomes a victim of these crimes.
In recent years, however, the rise of new technologies, including the recently adopted EMV standards, have led to a reduction in the number of incidents of credit card fraud due to card or identity theft.
In its place, however, the shady world of ecommerce crimes has a new villain to deal with: account takeover fraud.
Account Takeover Fraud FAQs
Account takeover fraud impacts both the consumer and merchant. It’s important to fully understand the implications for all involved.
What is ATF?
Account takeover fraud occurs when a fraudster obtains a piece of personal, identifiable information that can be used to access account information. This information may be as simple as an email address, account log-in information or other secure pieces of info.
With their acquired information, the fraudster can make account changes and ‘takeover’ control of an account, all without the individual’s knowledge.
How does it work?
Using limited pieces of information, a fraudster gains access to a cardholder’s account. Often, this may be something as simple as an email address and password.
Unlike criminal fraud or identity theft which may be spotted quickly on accounts, takeover fraud enables the fraudster to manipulate account information. They can change addresses, verify ‘unusual activity’ and prevent the cardholder from receiving any correspondence that may alert them to the theft.
With this information, the fraudster can log into an account and make purchases as though they were the account holder. This allows the fraud to go on longer and provides a larger scope of potential fraudulent activity.
In addition, fraudsters may bundle their stolen account information together with other accounts to be sold on the black market, providing a higher payout for the criminal.
What type of accounts can be targeted?
While any type of account is a potential target, fraudsters typically focus on credit cards, store ‘perk’ accounts, and bank profiles. With these accounts violated, the fraudster has full reign to take over, potentially using these accounts for weeks before any unusual activity is noticed.
The secondary danger of account takeover fraud is due to the inherent nonchalance of cardholders regarding account information. Many cardholders repeat log-in passwords and account information on multiple accounts, making them particularly vulnerable during an account takeover. Once a fraudster has access to one account, they often are able to gain control of multiple accounts with their single password.
How can merchants prevent account takeover fraud?
Merchants can help prevent account takeover fraud, and the resulting chargebacks, with a systematic approach to security. By taking advantage of tools offered by credit card networks and processors, merchants can work in conjunction with banks and cardholders to prevent this egregious form of fraud.
- Require the use of the card security code for every card-not-present transaction. Account takeover fraudsters may be able to discover card numbers and other identifying information, but will likely not have access to the card itself. By requiring customers to enter their card security code, you are ensuring that only people with the actual card will be able to complete the transaction.
- Use AVS protocol. Merchants can use the AVS tool to automatically verify the billing address using during the transaction with the billing address on file with the issuer. Account takeover fraudsters might have access to some personal information, but not all.
- Utilize an outside source. Many merchants are unable to keep up with the necessary measures to prevent credit card fraud, chargebacks and account takeover fraud. Instead of attempting to monitor the constantly evolving world of ecommerce fraud, turning the job of fraud prevention and detection over to a third party will reduce the merchant’s work load. This allows the merchant to focus on growing their business, while the experts focus on preventing criminal activity.
How can cardholders protect themselves from account takeover fraud?
- Establish unique, hard to guess passwords for each account. Resist the temptation to make it easy for yourself by using the same password for all of your accounts. Using separate login information will reduce the potential damage done during an attempted account takeover.
- Monitor bank activity regularly. Check bank and credit card statements regularly for unusual activity. Report any unauthorized account changes such as phone number, email or shipping addresses that may have been made by a fraudster.
- Change passwords frequently. Passwords should be changed every four to six weeks, reducing the opportunity for fraudsters to use any illegitimately acquired information.
There is no guaranteed method of preventing account takeover fraud. However, both merchants and cardholders can take steps to minimize the chances of a fraudster taking over an account.