New Research Reveals Retailers are Vulnerable to Account Takeover Attacks

Riskified, the payments and fraud-prevention solutions provider, today released a survey on the effect of Account Takeover (ATO) attacks on customers and online retailers.

ATOs happen when a bad actor gains access to a legitimate customer’s eCommerce store account and uses that account for fraud, and the UK survey of 1,000 consumers and 120 retailers found that a fifth (20%) of UK consumers have had an online shopping account accessed without their permission in the last year. Despite this, more than a quarter of retailers (26%) admit they don’t have measures in place to prevent these kinds of attacks. Additionally, more than half (52%) of UK retailers think the impacts of Coronavirus will lead to an increase in online fraud.

Purchases made using compromised store accounts are hard for retailers to detect, because they look like they are made by legitimate returning customers. For instance, 23% of retailers say they can’t identify an ATO during a purchase, and 8% say they are not even aware that an ATO has occurred unless a customer contacts them. Shockingly, only 4% of consumers learned their accounts were compromised from the retailers.

When fraudsters use compromised accounts to make fraudulent purchases, not only does the retailer lose the revenue and the value of the goods sold, but it also suffers serious damage to its brand reputation and diminished customer lifetime value:

  • More than half (51%) of customers say they would likely stop buying from a retailer if their account was compromised
  • 52% of customers say they would delete their account
  • 37% would go to a competitor
  • 34% say they would tell their friends to stop shopping with the retailer.

Retailers that take steps to reduce ATOs risk hurting the customer experience. Just under half (44%) of retailers use two-factor authentication for login attempts, which can frustrate legitimate customers and increase cart abandonment. Many retailers also require complex passwords to increase security, with (79%) reporting that account passwords must contain a mix of characters, numbers, symbols and uppercase and lowercase letters. This can help security, but it also increases friction and does little for customers who reuse passwords, meaning that store accounts are at risk through data breaches on other sites. That’s a real concern, as 48% of customers admit to using the same password for two or more online stores.

Embracing advanced technology may offer a solution

Because of their potential for serious financial and reputational harm – combined with the difficulty in detection – retailers need to use as much available data as possible to avoid ATOs. For example, retailers should look at the device and network details, proxy usage and previous logins to determine if the entity attempting to access the account is the rightful owner. If the device or network is unfamiliar or exhibiting characteristics consistent with fraudsters, retailers should exercise caution by notifying the account owner or applying two-factor authentication.

Retailers also need to recognise that the account takeover isn’t the end goal. Fraudsters use ATOs to then place fraudulent orders, and retailers have the advantage of seeing that whole process. An unfamiliar login or a change of details might seem suspicious initially, but if the cart that reaches checkout is low risk, then retailers can likely safely approve the order. Similarly, if a safe-looking account event is followed by a chargeback, then retailers should take another look at the account activity and, likely, prompt the customer to change their password. When retailers ensure that these parts of the shopping journey – and the teams and solutions that manage them – are coordinated, they can decrease risk and increase revenue.

“Our survey shows that retailers are aware of and concerned with ATO attacks, but they usually lack the ability to identify and prevent them,” said Assaf Feldman, Riskified’s co-founder and chief technical officer. “Without a dynamic approach that evaluates all relevant data, retailers risk significant financial losses, frustrated customers and damaged brand reputations. Advanced machine-learning solutions can instantly recognise legitimate customers and ease their path to checkout. Suspicious actions can be verified or blocked to minimise damage. By doing so, merchants maximise revenue while giving their customers a great experience.”

Additional key findings from the survey include:

Accounts are an important shopping tool for customers:

  • 86% of customers say they have accounts on individual sites for shopping.
  • 78% do most or all of their online shopping with retailers where they have accounts.
  • 66% said they shop more frequently when they have an account.

Retailers get a significant portion of their business from customers with accounts:

  • 56% of the retailers surveyed say at least half of their orders come from customers with accounts.
  • 44% of retailers report that account holders spend more per purchase than customers who use guest checkout.
  • 57% say that account holders purchase more frequently than customers who use guest checkout.

Additional survey findings will be shared in a webinar on June 16th at 4pm BST. For more information and to enroll in the webinar, visit: https://pages.riskified.com/ato-survey-webinar/

Featured in this Article:

Assaf Feldman Riskified

Author: Eleanor Hazelton

Share This Post On