10 common challenges with account takeover and how to deal with them
Take on the 10 most common challenges of account takeover, from using the right data to leveraging the right technology, to get the highest precision.
Fraudsters still manage to keep up so well with account takeover (ATO) because they have an edge. They don’t have to deal with regulations, manage teams, prioritize projects, and so on. Where you juggle a vast array of duties, they concentrate their efforts on one.
In light of this reality, to stay ahead of ATO, you need to identify all its implications. There are plenty of resources that you need to include to create a proper anti-fraud strategy and many challenges to overcome.
We’ve put together a list of the 10 most common challenges that you need to tackle. Let’s dive into each one to see what you need to do when struggling with various issues in the fight with ATO.
Keeping a low ATO rate
Your ATO solution's performance is measured using several metrics, such as fraud rate, detection rate, approval rate, and precision.
The fraud rate is the percentage of login traffic on your website or app that is detected as fraudulent. Ideally, this should be under 0.1%. The rejection rate is the percentage of legitimate login attempts that are rejected; it is the complement of the approval rate. For example, a high approval rate, let’s say ~99.9%, corresponds to a low rejection rate of 0.1%, which means that only a few legitimate login attempts are blocked.
The detection rate (also known as recall) is the percentage of fraudulent login attempts that are correctly detected. Precision is the percentage of detected cases that are fraudulent - in other words, the share of true positives among everything that was flagged (true positives plus false positives).
To increase the performance of an ATO fraud prevention model, you need to fine-tune detection rules. Start with a moderate baseline threshold, collect data with legitimate and fraudulent login attempts, test the baseline, constantly adjust the threshold, validate its effectiveness on a separate dataset, and monitor and adapt the threshold to strike the right balance between precision and recall.
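The tuning loop above, as an added example that is not from the original article: it computes the four metrics the article defines from a labelled validation set of scored login attempts, then sweeps candidate thresholds and keeps the one with the best detection rate that still meets an approval-rate target. The `LoginAttempt` type, the 0.999 target, and the sample set are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class LoginAttempt:
    score: float    # risk score from your rules or model: 0.0 (safe) to 1.0 (risky)
    is_fraud: bool  # ground truth from the labelled validation set

def ato_metrics(attempts, threshold):
    """The article's four metrics for one threshold (block when score >= threshold):
    fraud_rate     = flagged attempts / all login traffic
    detection_rate = recall = flagged fraud / all fraud
    precision      = flagged fraud / all flagged
    approval_rate  = legitimate attempts allowed / all legitimate attempts"""
    flagged = [a for a in attempts if a.score >= threshold]
    tp = sum(a.is_fraud for a in flagged)
    fp = len(flagged) - tp
    fraud_total = sum(a.is_fraud for a in attempts)
    legit_total = len(attempts) - fraud_total
    return {
        "fraud_rate": len(flagged) / len(attempts),
        "detection_rate": tp / fraud_total if fraud_total else 0.0,
        "precision": tp / len(flagged) if flagged else 0.0,
        "approval_rate": (legit_total - fp) / legit_total if legit_total else 0.0,
    }

def pick_threshold(attempts, min_approval=0.999, candidates=None):
    """Sweep candidate thresholds on the validation set and return
    (threshold, metrics) for the highest detection rate that still keeps
    the approval rate at or above the target; ties go to the stricter
    threshold. Returns None if no candidate meets the target."""
    candidates = candidates or [i / 20 for i in range(1, 20)]  # 0.05 .. 0.95
    best = None
    for t in candidates:
        m = ato_metrics(attempts, t)
        if m["approval_rate"] < min_approval:
            continue
        if best is None or (m["detection_rate"], t) > (best[1]["detection_rate"], best[0]):
            best = (t, m)
    return best

# Constructed validation set (not real traffic): 1000 legitimate attempts,
# most scoring low, and 5 fraudulent ones, one of which scores only 0.6.
SAMPLE_ATTEMPTS = (
    [LoginAttempt(0.1, False)] * 996
    + [LoginAttempt(0.5, False)] * 3
    + [LoginAttempt(0.7, False)]
    + [LoginAttempt(0.9, True)] * 4
    + [LoginAttempt(0.6, True)]
)
```

Re-run `pick_threshold` on a fresh, separately collected dataset before promoting a threshold, since the one that looks best on the tuning set is often optimistic.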
Manual review
If you rely solely on manual processes, fraud may slip through, or the false positives rate might increase, especially if you experience a high volume of login attempts or account openings. It’s nearly impossible to have access to enough data to detect with high precision enough fraud coming in.
You can leverage machine learning models that provide recommendations and risk assessments, reducing the need for full manual review. Alternatively, if ML is not the best option in your case, you can implement automated rules-based systems that can prioritize manual review by assigning risk scores to login attempts and directing manual efforts toward high-risk ATO cases first.
Device fingerprint spoofing
The issue here is that fraudsters use dedicated software that can spoof the device fingerprint by mimicking elements of the legitimate users’ hardware and software. Or, through social engineering techniques, fraudsters can get access to the user’s device, which lets them avoid triggering the device fingerprinting detection at all. Behavioral biometrics is key here. By using data on how users interact with machines through the human-computer interface (HCI), such as keyboards, mice, touchscreens, and others, you can learn your users' typical behavior and detect anomalies.
Developing accurate device fingerprinting is resource-intensive. To make your device fingerprinting tool spoof-resistant, you need extensive data collection and behavioral analysis to complement its performance.
Account recovery
Once fraudsters gain access to the account, they may try to keep control by changing the password, adding a recovery email or phone number, or modifying security settings. Also, by modifying the 2FA settings, fraudsters can create an additional barrier to account recovery. If they set up 2FA to route to a device they control, it becomes difficult for the legitimate user to prove their identity and recover the account.
So, what can you do when ATO hits your users this way? First, make sure that once an account is flagged for ATO, you are getting in touch with the legitimate user and not with the fraudsters themselves, who may be trying to extract even more data. Check historical data for past logins and transactions and match them against the compromised account to confirm the real identity of the user. Rely on the data you already have, and don’t ask security questions like mother’s maiden name and the like. With how much people expose on social media these days, those questions would rather ease fraudsters' efforts. Then restore their email and password. However, if the email address has been changed or compromised, you’ll have to ask your users to create a new account.
Guest checkout fraud
Since we can’t talk about login or registration here, technically, there’s no account to be taken over. But, guest checkout fraud and ATO could be intertwined. For example, after using a stolen card for guest checkout fraud, fraudsters might follow up with an account takeover. They can pull this off by getting hold of personal data during the checkout process and using it to hijack the user account on the same or another platform, where they could continue their fraudulent activities.
The issue here is the limited information available: there are fewer device fingerprinting and behavioral data points to analyse, yet you can still leverage device details, IP addresses, and behavioral patterns, as well as third-party data enrichment.
Balancing security with friction
Banks can implement continuous monitoring to flag suspicious behavior, assigning it a risk level and acting accordingly. For example, if the risk is high enough, the bank can automatically ask for additional authentication steps, prevent services, or otherwise take action as needed.
Such an approach is important for banks, as traditional means only need to be bypassed once. In the case of stolen accounts, using a valid password will not raise the alarm on the bank's side. Continuous monitoring makes it much harder for an account takeover attack to succeed, since the company has many more opportunities to detect ATO fraud.
Lack of knowledge to improve ATO rules
Collecting information from industry reports, webinars, and forums is useful, but sometimes you might need more in-depth knowledge about evolving threats that is not available on the surface web. You can look into the deep web and dark web if you have the means, or consider cybersecurity experts specialized in this particular field. Whether this is necessary depends on how much fraud comes your way and what new patterns you may discover.
Also, don’t resort to overly strict rules that could generate a high number of false positives. Consider a versatile combination of attributes related to the email address, geolocation, network, lists of compromised credentials, behavioral data, and device type, along with risk signals like the use of VPNs or Tor, very long sessions without logout (you set the benchmark), a newly added delivery address, etc.
False positives
With plenty of spoofing tools, fraudsters make it appear as if they are logging in from a device that matches the usual user's profile, and you may end up not knowing who’s who. Fraudsters trick the system by altering details such as the device type, OS version, browser type, and IP address. But, as the saying goes, "Fool me once, shame on you; fool me twice, shame on me," and you might tend to become overly cautious, casting suspicion on legitimate users. You're stopping fraud in its tracks - no ATO, no payment fraud, no chargebacks, no damage to brand reputation, and whatnot - but it comes at the expense of your revenue.
To increase precision, we recommend generating a unique fingerprint and cookie for each user at their initial login. Subsequently, gather information on the user's behavior and compare each session with previous ones. This process helps determine whether the individual interacting with the system is a genuine user or a potential fraudster.
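The rule combination from the "Lack of knowledge to improve ATO rules" section and the first-login fingerprint and cookie comparison described just above, as an added example that is not from the original article: each session is scored against the user's stored fingerprint, cookie, and the typing rhythm of their previous sessions, the risk signals are added up with assumed weights, and the score is bucketed so the riskiest attempts reach manual review first. The field names, weights, the 240-minute session benchmark, and the sample sessions are all assumptions.

```python
from dataclasses import dataclass
from statistics import mean, stdev
from typing import NamedTuple

@dataclass(frozen=True)
class Session:
    fingerprint: str          # device fingerprint seen in this session
    cookie: str               # per-user cookie issued at the first login
    typing_ms_per_key: float  # behavioral signal: mean gap between keystrokes
    duration_min: int         # session length without logout
    vpn_or_tor: bool = False
    new_delivery_address: bool = False
    credentials_leaked: bool = False  # found in a compromised-credential list

class UserProfile(NamedTuple):
    fingerprint: str       # fingerprint generated at the user's first login
    cookie: str            # cookie set at the user's first login
    past_sessions: list    # earlier sessions, used as the behavioral baseline

def behavioral_deviation(history, typing_ms):
    """Std devs between this session's typing rhythm and the user's past ones."""
    xs = [s.typing_ms_per_key for s in history]
    sd = stdev(xs) if len(xs) > 1 else 0.0
    return abs(typing_ms - mean(xs)) / sd if sd else 0.0

def risk_score(profile, session):
    """Additive rule score (0..100) plus the reasons that fired, for the reviewer."""
    z = behavioral_deviation(profile.past_sessions, session.typing_ms_per_key)
    rules = [  # (condition, assumed weight, reason shown to the reviewer)
        (session.fingerprint != profile.fingerprint, 30, "unknown device fingerprint"),
        (session.cookie != profile.cookie, 20, "first-login cookie missing or replaced"),
        (z > 3.0, 25, f"typing rhythm {z:.1f} sd from this user's baseline"),
        (session.vpn_or_tor, 15, "VPN or Tor exit node"),
        (session.duration_min > 240, 10, "session longer than the 240 min benchmark"),
        (session.new_delivery_address, 15, "new delivery address added"),
        (session.credentials_leaked, 20, "credentials in a compromised list"),
    ]
    fired = [(w, why) for hit, w, why in rules if hit]
    return min(sum(w for w, _ in fired), 100), [why for _, why in fired]

def triage(score):
    """Queue bucket: highest-risk attempts reach manual review first."""
    return "block_and_review" if score >= 50 else "step_up_auth" if score >= 25 else "allow"

# Constructed sample (not real data): five earlier sessions for one user, a genuine
# new session, and a session from a device spoofed to match the fingerprint.
PROFILE = UserProfile("fp-a1b2", "ck-7f3e",
                      [Session("fp-a1b2", "ck-7f3e", t, 30) for t in (180, 190, 185, 175, 200)])
GENUINE = Session("fp-a1b2", "ck-7f3e", 182, 25)
SPOOFED = Session("fp-a1b2", "ck-0000", 95, 30, vpn_or_tor=True, new_delivery_address=True)
```

The spoofed session passes the fingerprint check yet still scores high, because the cookie and the typing rhythm from earlier sessions do not match; that is the extra precision the session comparison buys.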
KPI for ATO fraud
The KPIs in this matter are strongly related to the ATO rates mentioned earlier. After all, it’s all about keeping the fraud and false positive rates low and the detection rate high.
Additionally, it’s important to track the balance between incidents reported by customers and incidents your system detects proactively. More proactive detections mean your system is doing a good job. The benchmarks depend on the number of logins and the user base size. If you are using manual review, it’s also relevant to consider the number of reviews, how often they catch fraud, and the cost of automated tools. There are plenty of other options to consider, but these are the most relevant ones.
Mobile apps & website protection
We are talking about different channels and environments with different fraud measures to be taken. You have login attempts via the mobile app, browser on desktop, and browser on mobile. Behavioral biometrics are analyzed differently according to the device type, and behavioral analytics can be collected from a larger pool of data when users log in on mobile devices.
You set the level of difficulty for fraudsters depending on the fraud trends you usually detect. You can block taking screenshots from apps, the use of RATs while in session, and the use of VPNs. Yet you have to make sure you are not affecting UX when being too cautious, especially with mobile-first users.
Device fingerprinting and behavioral biometrics remain the key elements for solving this challenge; also consider a mobile-native solution with mobile-specific risk signals if you have traffic from mobile and your goals involve growing mobile engagement.
The bottom line
To sum up, here’s what you need to consider to address the above challenges.
- fine-tune your rules to challenge only the riskiest activities and to reduce false positives
- implement detection methods like behavioral analytics and device fingerprinting
- improve communication and support for affected users
- streamline account recovery processes to minimize user inconvenience
- consider constantly updating machine learning models if dealing with a growing user base that runs in thousands or more.
Essentially, the core of our discussion boils down to achieving successful fraud detection by addressing the challenges above. By taking every issue and applying the corresponding solution, you can keep an edge over the most experienced fraudsters. It’s like assembling the perfect squad: fraud intelligence, behavioral analytics, automated tools, flexible rules-based engine, and machine learning, if necessary.