Account takeover (ATO) is not new. It has been plaguing retailers as long as businesses have been offering online customer accounts. But ATO today doesn’t look much like it did five years ago—or even two years ago. At the recent 2022 CNP Virtual Summit, a panel discussion delved into how ATO has evolved over the years and how significantly it has changed since the pandemic began in 2020.
One analysis by a major online marketplace cited by panel moderator Karisse Hendrick indicated that customers of the marketplace whose accounts had been affected by ATO spent, on average, 60 percent less in the 12 months following the attack. So the impact of ATO is significant, and fraud departments are being challenged by the ways in which those attacks have changed.
Hendrick was joined in the discussion by Mike Lewis, head of engineering and machine learning for risk at fintech Square, and Shawn Colpitts, senior fraud investigator for online food deliver company JustEatTakeaway.com.
“In the time that I’ve been at Square, we’ve developed a bunch of services that make access to your funds faster and more efficient, which is great for our users but also great for the attackers,” said Lewis during the session. “As more information has become available online about our customers, the sophistication of the attacks and their ability to look like the person they’re pretending to be has skyrocketed.”
As fraud-as-a-service has become more prominent, more individuals are involved in ATOs, making them more difficult to identify, Lewis said. And, Colpitts mentioned, the pandemic driving more people online and privacy law have simply made it more efficient for fraudsters to extract money from an account with a stored payment credential than from a stolen credit card alone.
The entire conversation, along with audience Q&A is available at CNPVirtualSummit.com. Those who have already registered for the summit can simply use their log in to see the presentation. Those who did not register for the summit previously can do so now to see this, or any of the summit sessions. Follow the instructions to log in or to register.