According to the press release, the Index, which includes analysis from Sift’s global network of 34,000 sites and apps and from a survey of US-based consumers, revealed that attempted ATO rates (the ratio of attempted fraudulent logins over total logins) swelled 282% between Q2 2019 to Q2 2020. Likewise, ATO rates for physical ecommerce businesses jumped 378% since the start of the COVID-19 pandemic, indicating that fraudsters are leaning heavily on this attack vector in order to steal payment information and rewards points stored in online accounts on merchant websites.
Therefore, Sift’s research reveals that ATO attacks also create significant and lasting brand damage. In surveying 1,000 US-based adult consumers, Sift found that more than 28% of respondents would completely stop using a site or service if their accounts on that site were hacked, and while consumers can secure their accounts by leveraging tools like password managers, multi-factor authentication (MFA), and by using unique passwords, they largely ignore these best practices.
In fact, 66% of consumers surveyed either don’t use any type of password manager or aren’t sure if they do, despite 52% of them having concerns about becoming victims of ATO in the future, and 25% reporting that they have already had their accounts hacked at least once before.
Additional research from Sift’s Q3 Digital Trust & Safety Index found that:
Attacks are fueled by automation: Between Q2 2019 and Q2 2020, ATO attacks happened in discrete waves about a week apart, indicating that fraudsters are turning to bots and automation in order to overwhelm trust & safety teams.
Fraudsters sneak in and cash out: Of those who have experienced ATO, 41% of respondents reported that payment details were stolen and used to make purchases, and 37% of victims had money taken directly from their accounts. Another 37% had rewards points or credits taken and used to buy goods and services.
Ecommerce is in the crosshairs: Of consumers who confirmed being victims of ATO attacks, a whopping 61% said their ecommerce (both physical and digital goods and services) accounts were hacked.
Other online destinations on which consumers reported experiencing ATO include: social media sites (36%); financial services sites (35%); online dating sites (22%); travel sites (19%).
Furthermore, like payment fraud and content abuse, account takeover is typically a means to a financial end. Using credentials either illicitly purchased on the dark web or obtained through techniques like credential stuffing, hackers gain access to user accounts on a business’s website and then make purchases on that website using stored payment information or rewards points.
Attackers may also export the stored information in order to commit fraud across the web. While consumers may be the immediate victim of these attacks, businesses ultimately face the real costs: in addition to reimbursing hacked customers, businesses face exorbitant chargeback fees and payment network fines when ATO leads to payment fraud.
Every day we send out a free e-mail with the most important headlines of the last 24 hours.
Subscribe now