How Merchants Can Use Machine Learning to Stop Account Takeovers

How Merchants Can Use Machine Learning to Stop Account Takeovers

December 13, 2018

[Editor's note: December is Machine Learning Month at Card Not Present (sponsored by Feedzai). Fraud in the digital commerce world continues to increase not only in volume, but also in sophistication. Higher order threats require a different response, and antifraud systems based on machine learning are becoming an important part of an online merchant's arsenal. Check back here throughout the month for updated content detailing the way machine learning technology is changing the face of fraud prevention.]

A new type of fraud has emerged that's destroying lives, damaging reputations, and creating havoc for merchants and financial institutions: Account Takeover (ATO) fraud.

According to Javelin Strategy and Research, losses from ATO fraud reached $2.3 billion in 2016. And things got even worse the next year—in 2017, the number more than doubled to $5.1 billion. When viewed in context of the total fraud landscape, ATO fraud represents 30 percent of the total $16.8 billion in fraud losses.

How Does ATO Work?

ATO nearly always begins with a data breach. Hackers gain access to a database, it's refined and put up for sale on dark web marketplaces, either individually or in aggregate with price determinant variables like credit score and account balance. And as it turns out, this data is valuable:

  • Social Security Numbers (SSN) for $1
  • General, non-financial institution login for $1
  • Online payment services login info for $20 - $200
  • Credit or debit cards for $5 with a CVV2 number, $15 with bank info, or $30 for an account with an SSN, birth date, and relevant account numbers

This information is typically stolen when hackers target large companies, with the goal of accessing millions of credentials at once:

  • Yahoo Data Breaches of 2013 and 2014 - 1 billion accounts compromised
  • LinkedIn Data Breach of 2012 - 100 million accounts compromised
  • 4iq Discovery - 1.4 billion credentials stolen

And, just two weeks ago, Marriott acknowledged a breach that yielded the personal and payment information of up to 500 million of its customers over four years.

ATO Is Only the Beginning

With ATO surging, organizations are seeing dramatic increases in payment fraud. Understandably, most merchants are floored by these attacks and can't keep up. Fraud tactics grow exponentially with new technology, and most financial service providers can't adapt their detection strategies quickly enough to prevent losses.

Fraudsters leverage these weaknesses by applying ATO in distinct patterns to generate as much profit as possible before being exposed:

  1. At its most basic, fraudsters use the same customer details for orders but apply a reshipper address, often committing multiple ATO attempts through multiple credit or debit cards.
  2. More savvy fraudsters update the stolen card's billing and shipping addresses to ensure AVS matches. This lets them more fully take over the victim's account with their own identity.
  3. The most troublesome and sophisticated version of this attack involves fraudsters updating the account on all fronts to make stolen credentials virtually indistinguishable from healthy accounts.

Machine Learning Stops Fraud In Its Tracks

To combat the growing threats of ATO, merchants and financial institutions need solutions purpose-built to stop fraud in its tracks. On that score, machine learning offers a new approach that excels at identifying the common markers of ATO fraud as they present themselves in real-time:

  • Multiple user accounts per billing email, shipping address, or credit card
  • ZIP code mismatches
  • Multiple card attempts across different countries
  • Known fraudulent reshipping addresses
  • Suspicious naming conventions across shipping and billing fields

Over the years, Feedzai has worked to develop machine learning-based solutions to prevent ATO attempts before damage is done. In one case, we were able to stop an ATO attempt that would have cost a merchant $600,000 in just four minutes. This fraudster was using a particularly sophisticated attack to inflict damage quickly:

  • 84 user IDs
  • 84 phone numbers
  • 66 credit cards
  • 58 shipping names
  • 50 shipping addresses in 6 shipping cities

Through machine learning, Feedzai stopped the attempt without interrupting services for a single customer. This is just one example of many. ATO is here, and fraudsters are realizing how profitable it can be. Merchants need to understand these risk and how they can protect themselves before irreparable damage is done to their accounts, their customers, and their reputations.



  • Share this Article: