How the pandemic will feed an account takeover explosion

Al Pascual, Breach Clarity has explained why he believes that 'until strong authentication becomes more the norm than the exception, fraudsters armed with compromised credentials will only drive ATO higher among ecommerce merchants'

Calamities breed fear, which in turn creates opportunities for fraud. And it is becoming painfully clear that this pandemic is a boon of epic proportions for fraudsters everywhere. Between COVID-19 scams targeting consumers, the wholesale theft of government benefits, and playing on the financial worries of the newly unemployed, 2020 will undoubtedly go down as one of the costliest on record when it comes to identity crimes. As for merchants, they are far from unscathed, but the challenges they face are unique – not only in how they manifest but as to why they are occurring and are likely to get worse. Four factors, some newly emergent and others long unaddressed, are coalescing to overwhelm an already beleaguered industry. Unfortunately, pressure from fraudsters will only become more intense, and for many merchants, survival will require finding a way to disrupt these factors before it is too late. 

For merchants struggling with the implications of massively depressed sales activity, increasing online transaction volume is far from a panacea. Those merchants that are fortunate enough to continue their sales operations online are finding that the mass migration of shopping activity to digital channels is exposing them to increased risk. This dynamic has played out time and time again – whenever there is more transaction volume of any kind, fraudsters will follow. And according to LexisNexis, the pandemic has only made matters worse as the rate of fraud attempts has increased even more dramatically since the economic slowdown began. 

Ironically, the continuing rise of ecommerce fraud will be inextricably tied to how the fall of point-of-sale traffic is affecting the use and availability of compromised data:

When it comes to using compromised data to commit fraud, fraudsters are avoiding physical storefronts just like the rest of us. Even with a solid supply of point-of-sale card data from older breaches available on criminal forums, fraudsters are not willing to risk their own health and increase the chances of getting caught red-handed at nearly empty merchant locations. This is clearly demonstrated by the fact that the going price for compromised point-of-sale card data is down, but online card data is still selling for a premium on criminal forums.

Without legitimate sales activity at brick-and-mortar locations, the available pool of compromised card data is beginning to dry up. Over time, this will drive a further shift of fraudulent activity from the point-of-sale as fraudsters look for alternative data sources to support other types of crime. According to Breach Clarity’s own data, the proportion of new breaches capable of fueling card fraud is much lower than only a few months ago, but those contributing to the risk of account takeover (ATO) are relatively undiminished. 

The risk of card fraud is falling off a cliff as card breaches become fewer and farther between

The most serious pending threat to merchants lies in this unchanging frequency of data breaches capable of fueling ATO. Account takeover using compromised credentials obviates the need for fraudsters to have access to stolen card data, as saved payment information can be easily misused once they have access to a victim’s existing account with a merchant. And retailers are the most heavily targeted industry segment for credential stuffing attacks that can lead to ATO, according to a 2019 report from Akamai. This makes sense when you consider that organisations like financial institutions often deploy far stronger forms of authentication than the typical merchant. So, until strong authentication becomes more the norm than the exception, fraudsters armed with compromised credentials will only drive ATO higher among ecommerce merchants. 

It is an old and oft-used adage that ‘criminals go where the money is’, but it is just as true now in the case of ecommerce fraud as it has ever been. The changing channel preferences of consumers – an acceleration of the shift from the point-of-sale to ecommerce due to COVID-19 – is driving where fraudsters can and will focus. Armed with stolen card data today, and with an increasing reliance on compromised login credentials (and other data that can support ATO attempts), the risk that fraudsters pose to ecommerce merchants has never been more certain, or more serious. Ecommerce merchants can little afford to suffer increased fraud losses. This is especially true for those with legacy brick-and-mortar locations that are being ravaged by mandatory shutdowns, or at a minimum massively reduced foot traffic. Criminals are opportunistic and will often avoid the hard targets for the easy mark. For the foreseeable future, the ‘marks’ are those ill-equipped merchants that will suffer just when they can least afford to.

This editorial was published in the Fraud Prevention in Ecommerce Report 2020/2021, the go-to source in securing transactions while offering a frictionless customer journey.

About Al Pascual

About Breach Clarity