A few weeks ago, I spoke at the Merchant Risk Council in London with Sudhir Jha from Google about Account Takeover (ATO). For several years ATO has been a hot topic for email platforms and social networks, and it is now quickly gaining mindshare among leading merchants. Ironically, merchants are in many ways somewhat responsible for the rise in ATO: they became so good at identifying and blocking fraud at the transaction level that fraudsters were forced to find new methods.
To detect account takeovers, you must build models that look for anomalous behavior on a user-by-user basis. Anomalies can include the use of a new device or IP address, or a change in session behavior. For example, Customer A is typically a deliberate purchaser who sorts through multiple product pages and reads several reviews before making a purchase. If Customer A’s account makes an immediate purchase without that normal deliberate behavior, it could be a sign of ATO. The biggest difference between detecting ATO and detecting standard card-not-present (CNP) fraud is the need to build these models on a user-by-user basis. Machine learning and rules applied across users should not be minimized and are still crucial for detecting CNP fraud, but ultimately per-user anomalies are the most effective way to identify a pattern that could indicate a fraudster taking over an account.
Another challenge merchants face is what action to take, other than outright rejecting the transaction, when a potential ATO is detected. Detection systems can be vulnerable to false positives, which can have a big impact on the user experience. For example, even if my purchasing behavior is normally deliberate, there may be occasions where I make an immediate purchase. Perhaps I have already done enough research on other sites, or I do not have the time to be as deliberate as normal, or a friend sent me a link to a product they recommended. In cases like this, it is better to have a challenge framework in place than to reject the transaction outright. Some of these challenges can be:
- Two-factor authentication: send a one-time passcode to the user’s phone and require the user to enter it on the merchant site
- Require re-entry of a credit card number
- Require the user to answer a knowledge-based challenge (although the answers to these can be easily guessed or socially engineered)
Building a model to detect anomalies on a user-by-user basis, and having a comprehensive challenge framework to use when an anomaly is detected, is an effective strategy for combating ATO while minimizing the impact on user experience.
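The strategy above, sketched as an added example (not from the original post or the talk): a per-user baseline built only from Customer A's own sessions, with anomalies routed to a challenge instead of a rejection. The session fields, thresholds, sample history and the mapping from signals to challenges are assumptions made for illustration.

```python
from dataclasses import dataclass
from statistics import mean, pstdev

@dataclass
class Session:
    device: str
    ip: str
    pages_before_purchase: int  # product/review pages viewed before checkout

# Constructed history for "Customer A", a deliberate purchaser.
HISTORY = [Session("laptop-A", "203.0.113.10", n) for n in (8, 10, 7, 9, 12, 8)]

def anomaly_signals(history, current, z_cutoff=2.0):
    """Compare one session against this user's own history, not other users."""
    signals = []
    if current.device not in {s.device for s in history}:
        signals.append("new_device")
    if current.ip not in {s.ip for s in history}:
        signals.append("new_ip")
    views = [s.pages_before_purchase for s in history]
    mu, sigma = mean(views), pstdev(views)
    # One-sided test: only far *fewer* page views than usual is suspicious.
    # Sigma is floored so a perfectly regular user cannot divide by zero.
    z = (mu - current.pages_before_purchase) / max(sigma, 1.0)
    if z >= z_cutoff:
        signals.append("rushed_purchase")
    return signals

def decide(history, current, min_history=5):
    """Return (action, signals). Anomalies are challenged, never rejected."""
    if len(history) < min_history:
        # Too few sessions for a per-user baseline; cross-user rules decide.
        return "no_baseline", []
    signals = anomaly_signals(history, current)
    if not signals:
        return "allow", signals
    if signals == ["rushed_purchase"]:
        # Behavior change alone is a weak signal: use the lighter challenge.
        return "challenge:card_reentry", signals
    # New device or IP, alone or combined: one-time passcode to the phone.
    return "challenge:otp", signals

if __name__ == "__main__":
    for s in (Session("laptop-A", "203.0.113.10", 9),
              Session("laptop-A", "203.0.113.10", 0),
              Session("phone-X", "198.51.100.7", 0)):
        print(s, "->", decide(HISTORY, s))
```

A legitimate but hurried purchase from the usual device lands on the lighter challenge, which is the false-positive case the challenge framework is meant to absorb.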