Data breach fatigue leaves no room for snoozing as ATO alarms blare

The rapid rise of account takeover fraud has reached record levels with no sign of slowing down. This has left companies that wish to avoid surrender scrambling to match the stealth and sophistication of today’s fraudsters. Successfully thwarting criminals who pose as trusted users is proving to be a difficult task; especially given how the problem with account takeover (also called ATO) originated, and how the recent onset of data breaches has escalated its prevalence. 

In order to reduce customer friction and increase sales, online businesses around the globe began allowing consumers to store payment details for subsequent purchases. This system benefits both parties (users enjoy convenience, merchants enjoy customer satisfaction and repeat purchases), yet the omnipresent user ID/password combination, initially and often used to secure customers’ accounts, has now created a vulnerability that fraudsters have been quick to exploit.

With each and every website requiring login information, consumers often reuse the same password

With each and every website requiring login information, consumers often reuse the same password. The problem with this? If a fraudster is able to get his or her hands on the user ID/password combination for one account, he or she can use the same information to infiltrate all of that person’s online accounts. This fact, coupled with the massive increase of recent data breaches (that has given fraudsters the account information of millions of users) has created a major increase in ATO. 

Beyond the breach

ATO fraud has grown to be much more complicated than a password issue. Over the last few years, hackers have stolen data from Equifax, Yahoo, Uber and numerous other companies around the world. These breaches have become so commonplace, the term “data breach fatigue” is now being used to describe consumers who have grown numb to the threat of losing their personal data.  In the midst of an endless flood of media coverage and breach notification letters, consumers are starting to think, “With data breaches happening so often, there’s nothing I can do to prevent my information from being stolen.” 

“With data breaches happening so often, there’s nothing I can do to prevent my information from being stolen.”

Of course, this kind of thinking further plays into the fraudsters’ hands, and account takeover rates keep climbing; Javelin Strategy & Research reports that losses from ATO increased 120% from 2016 to 2017 — by far the most significant increase of all types of card-not-present fraud for the year. [Online Fraud 81% More Likely Than In-Store, ATO Leads the Way: Report, CardNotPresent.com, Feb. 8, 2018]

Shifting the blame

Although many consumers have grown apathetic and “fatigued” about their own responsibility surrounding data breaches, the same can’t be said for how they feel businesses should react. 

The Javelin study found that 63% of consumers don’t know how to effectively protect their information from breaches, while 64% of breach victims believe breach notifications do little to protect them and are merely legal cover for the breached company. As such, consumers are increasingly shifting the responsibility for preventing ATO fraud away from themselves to the institutions storing their data — which means it’s more important than ever for companies to find ways to curb the growing ATO problem. 

The silver lining

Fortunately, digital tools are getting better at helping businesses detect account takeover activity. For example, anti-fraud software solutions that use sophisticated device fingerprinting in combination with specially formulated transaction-based rule sets can zero in on account takeover activity with the utmost precision. 

...digital tools are getting better at helping businesses detect account takeover activity...

RISK IDENT’s FRIDA solution, for instance, was developed to give an entirely separate real-time risk score, quantifying the likelihood of whether or not a fraudulent transaction is ATO. This is an innovative feature that was added half a decade ago when we realized account takeover fraud was beginning to migrate from financial institutions to the ecommerce community. 

What to expect out of 2018?

Both the rate and sophistication of account takeovers is likely to snowball given the increasing availability of personal data and the increased access hackers and fraudsters have to data and tools. The quality of stolen identities is constantly improving — were now seeing full internet profiles for individuals, including access to all major accounts and personal information, for sale on the dark web. Additionally, social media has enabled a broad range of consumers, particularly younger generations, to share, perhaps overshare, and data security has not always been a primary concern for third party application developers. 

As a result, its likely the amount of personal information available in the public domain, added voluntarily by the consumer, will continue to increase. Unless consumers suddenly begin employing smarter password management tools, this increase in account takeovers is inevitable.

The very nature of the world’s online environment has created a sea of change in the way fraudsters go on the attack and how consumers respond. Merchants and financial institutions must change their antifraud tactics to keep up; otherwise, they risk not only attracting ATO but also losing valuable customers. And that is an equation that is cause for alarm. 

About Dustin Clinard

Dustin leads RISK IDENT’s business expansion in the United States and is responsible for all US-based customers, products, and services. As Managing Director, he gets the best of both worlds – working with an all-star team and working on interesting fraud problems. Prior to RISK IDENT, Dustin has held senior leadership roles in the services, manufacturing, and engineering industries. He has improved chemical plant productivity, consulted to some of the world’s biggest and best companies, expanded businesses continentally, and been a seed investor in an e-commerce company. Dustin has an MBA from Northwestern’s Kellogg School of Management.

 About RISK IDENT

Result-driven fraud prevention solutions engineered by RISK IDENT protect global e-commerce, telecommunication and financial businesses. Reducing identity theft, account takeovers, payment fraud, and account/loan application fraud on all channels is made simple with cost-effective products that use extensive domain knowledge and machine learning technology tailor made for tier-one enterprises.