Many Merchants Fail to Protect Against or Notify Users About Account Takeover
According to a recent survey, more than one-third of merchants have seen at least 10 percent of their user accounts taken over in the past year while more than one-quarter of merchants have no measures in place to protect against account takeover. Meanwhile, less than 8 percent of consumers were notified about account takeover incidents by the merchant custodian of their compromised account.
Merchants are not effectively managing account takeover risks and this is despite account takeover (ATO) being a major brand risk, not just a fraud risk for the impacted consumers. A recent study from Riskified surveyed 4,000 consumers and 425 merchants asking questions about protection against and response to account takeover.
Nearly 70 percent of consumers surveyed express concern about ATO threats and nearly two-thirds said they would stop buying from a merchant if their account with this merchant was compromised. In many cases this isn’t fair to the merchant. Many consumers will have their credentials stolen in an unrelated data breach while consumers reusing passwords leads to a contagion of ATO attacks. Unfortunately for merchants, life isn’t fair. Consumers are more apt to blame the merchant than accept that their weak personal security practices may partially be to blame.
Regardless of the root cause, consumers not only cease buying from merchants where they experience ATO, they further tarnish that merchant’s brand. More than half of consumers said they will delete an account with a merchant after experiencing account takeover while one-third tell their friends to avoid the merchant and 34 percent start shopping at competitors instead.
This pins merchants, and any organizations that are custodians to consumer accounts, between a rock and hard place as being too strict on users has ramifications on the user experience. While two factor authentication (2FA) provides additional security this is typically turned on voluntarily by the consumer, and those who prefer to use 2FA are less likely to be the ones reusing passwords across multiple accounts.
While the weak consumer security practices and plethora of stolen credentials is frustrating for merchants, they still need to focus on what they can do to limit ATO risk exposure and mitigate its impacts. According to the same Riskified survey, 27 percent of merchants don’t have any measures in place to prevent account takeovers. Ensuring the correct password provided is not enough. Velocity signals, IP geolocation, device information and behavioral analysis should be considered as well.
When it comes to mitigating ATO risk and limiting the damages, merchants need to consider step-up forms of authentication when there is reason to be suspicious. It is helpful to look for higher risk activity when accounts are accessed from unusual locations, particularly changing of account passwords and/or contact email addresses. Allowing someone to access a user account doesn’t mean giving them the keys to the castle. Lower to medium risk signals of account takeover can be considered when the user moves on to attempt a transaction or update payment information, possibly blocking this activity at that stage.
Finally, merchants need to do more to inform consumers when there is any potential account takeover activity. Just 7.5 percent of consumers that experienced ATO were contacted by the merchant to inform them, while 36 percent were notified by the card issuer and 26 percent received an order confirmation email that thought the transaction was legitimate.
Measures to understand and reduce ATO risk exposure are detailed in The Fraud Practice’s online training course Understanding and Mitigating Account Takeover Risk.
To learn more about the Riskified survey on account takeover over, see the PaymentsJournal article Merchants are Unprepared to Tackle the Threat of ATOs.