Nice Try, ATO: Use Customers’ Devices to Transparently Enhance Account Security
•
1 like•147 views
iovation has seen a 220% increase in reported e-commerce account takeover (ATO) attacks over the last 12 months. Why the big jump? Fraudsters have become more sophisticated in their attack methods. They are using social engineering, bots, and phishing attacks, to name a few methods. With this alarming increase in ATO, e-commerce companies are more vulnerable than ever to damaging customer relationships, destroying brand reputation and did we mention chargebacks? What is the solution? How can you stop and prevent ATO? Join Angie White, e-commerce fraud expert at iovation, as she deconstructs the rise of ATO and the impacts on your business. She will dive into why device reputation matters and how implementing a customer-friendly authentication solution is key to a successful fraud-prevention strategy. Key takeaways: -The impacts of ATO on the e-commerce industry -ATO attack methods and trends -How to prevent and stop ATO -How to balance customer experience with fraud prevention
Recommended
Recommended
More Related Content
What's hot
What's hot (20)
Similar to Nice Try, ATO: Use Customers’ Devices to Transparently Enhance Account Security
Similar to Nice Try, ATO: Use Customers’ Devices to Transparently Enhance Account Security (20)
More from TransUnion
More from TransUnion (20)
Recently uploaded
Recently uploaded (20)
Nice Try, ATO: Use Customers’ Devices to Transparently Enhance Account Security
- 1. Angie White, Product Marketing Manager November / 2018 How E-Commerce Providers Can Remove ATO from Their Carts
- 2. 2 Account Takeover (ATO) When a legitimate customer’s account is illegally accessed for the purposes of committing fraud
- 3. 3 0 1000 2000 3000 4000 5000 6000 Aug-17 Oct-17 Dec-17 Feb-18 Apr-18 Jun-18 Aug-18 iovation ATO Reports 220% CONFIRMED E-COMMERCE ATO REPORTS
- 4. 4 33% 23% 44% Desktop Sales Mobile Web App-Based Source: Criteo’s Q4 2017 commerce report E-COMMERCE TRANSACTIONS BY CHANNEL
- 5. 5 IMPACTS OF ATO ON E -COMMERCE Loss of brand reputation Regulatory non-compliance Damage to customer relationships Cost of lost goods and chargebacks
- 6. The cost of ATO fraud tripled last year, reaching an estimated $5.1 billion in the U.S. 1 Identity theft victims hit 16.7 million in 2017. 6 Fraud isn’t Just a Business Problem. It’s a Customer Experience Problem E-commerce chargebacks due to fraud are expected to reach $30 billion by 2020. 3 False declines are valued at $118 billion per year. 2 Consumers spend 16 hours on average resolving issues after their account is taken over. 4 44% of shoppers said they will never buy from a retailer again after a data breach. 5 Business Impact Consumer Impact Source: 1 2017 SalesCycle Report ; ² MasterCard targets rising number of false declines; 3 TotalRetail 5 Ways E-Commerce Merchants Can Combat Identity Fraud; 4 Javelin 2018 Identity Fraud: Fraud Enters a New Era of Complexity; 5 TransUnion 2018 Retail Consumer Survey Insights; 6 2018 Identity Fraud Study, Javelin Strategy & Research
- 7. 7 ATO ATTACK METHODS Phishing Attacks Credential Stuffing Social Engineering Malware, Bots, Spyware Data breaches were up 45% in 2017 Source: Identity Theft Resource Center 2017 Annual Data Breach Year End Review SIM Swapping
- 8. 906 1070 1261 1429 1470 1899 2115 2176 2664 3141 3050 321 446 656 498 662 421 471 614 783 780 1091 0 200 400 600 800 1000 1200 1400 1600 1800 0 500 1000 1500 2000 2500 3000 3500 Data Breaches and Consumer Complaints of ID Theft & Fraud Source: 1Federal Trade Commission, Consumer Sentinel Network Databook Jan-Dec 2016 2Identity Theft Resource Center Data Breaches2 Consumer Complaints1 2006 2007 2008 2009 2010 2011 2012 2013 2014 2015 2016 2017
- 9. 9 SYMPTOMS OF AN ATO ATTACK Use of VPNs or proxy servers Using an older browser or operating system Geolocation mismatches High velocity of login attempts from one device Changing account details such as ship to address
- 10. 10 REAL COST OF AN ATO ATTACK 2,500ACCOUNTS $75K WAGES $$$ BRAND REPUTATION 5,000 MAN HOURS TO REPAIR O n e D e v i c e $5,000 CHARGEBACK S Source: iovation Customer Case Study
- 12. 12 COMPETING NEEDS • Less friction overall • Better customer experiences • More immediate access • Reduce cart abandonments, and grow revenue PRODUCT, CX & APP OWNERS • Reduce attack surface • Assurance on ID and access • Leverage existing capabilities, infrastructure • Real-time threat and risk indicators FRAUD & SECURITY TEAMS
- 13. 13 Baymard estimates that 28% of carts were abandoned because of a checkout process that was too long/complicated.”
- 14. 14 CONVERSION RATES 0% 2% 4% 6% 8% 10% 12% 14% Median Top 25% Top 10% Source: WordStream conversion rate analysis
- 15. 16 v Or this much assurance?Do you need this much assurance? Σ Risk mitigation by authentication challenges = (Probability of compromise) x (impact)
- 16. Match Grant Access No Match or Risk Signals Account-to- Device Pairing & Risk Evaluation Persistent Session Token Login User Access Customer Access Login Device Registration SUCCESS Step-Up *** DEVICE-BASED AUTHENTICATION ***
- 17. 18 ATO Case Study Attack Method Social engineering through dating sites Business Losses • Thousands in lost merchandise • Payment chargebacks • Lost revenue from service cancellations • First attempted auth solution resulted in increased call center volume and complaints Benefits • Stopped account takeovers • Improved login experience increased customer satisfaction • Reduced call center volume
- 18. 19 DEVICE-BASED AUTHENTICATION Transparent and Frictionless • SIMPLIFY access for good users • LOWER barriers to usage • IMPROVE customer experience Context and Risk • UNDERSTAND context around device • SEE risk indications before it’s too late • DETECT attempts to evade recognition or mask identity Adaptive and Dynamic • DYNAMICALLY react to changes in risk • DELIVER the right level of assurance • MINIMIZE account takeovers
- 19. 20 s U N I F I E D , S I M P L I F I E D A N D P E R S O N A L I Z E D M F A F O R A N Y M O B I L E A P P LAUNCHKEY
- 20. 21 LAUNCHKEY A U T H O R I Z A T I O N C A P A B I L I T I E S Real-time authorization Single-party or multi-party Web or call center offline workflows
- 21. 22 MFA BENEFITS Simple, Unified Experience • UNIFY experience across all touchpoints • REDUCE friction from multiple experiences • IMPROVE usability with every login Secure by Design • REMOVE credential stores that can be compromised and exfiltrated • LOCK DOWN with top grade cryptography • ALIGN with standards like OAuth and OpenID Customizable for Any App • WHITE-LABEL functionality • BUILD FAST with APIs for any platform • CHOOSE from a number of interactive or passive authentication options
- 22. 23 COMBATING ATO Automated Screening: Relying on the Right Set of Tools Use the device as the 2nd Factor of authentication and challenge only when necessary Give Customers Confidence to Purchase Provide the account protection that customers demand without adding friction Working with Peers to Stop Known Threats A shared intelligence source to stop known fraud across industries and geographies Importance of Protecting Against Account Takeover Recognise and assess risks currently unseen at device level in real-time
- 23. Q&A
Editor's Notes
- Thank you Wendy, and thank you to everyone for joining us today. We appreciate you taking the time, I know this is a really busy time of year for most. This is a really interesting topic. Account takeover isn’t a new phenomenon, it’s been around for years but it’s rapid increase in e-commerce is newer. So today we’re going to look at what are some of the drivers of this increase. How do criminals infiltrate accounts and what can you do to better protect customers without degrading the shopping experience.
- Before we do that, let’s just level set on the definition of account takeover, or ATO. Account takeover is when a known, good customers account is breached for the purposes of committing fraud. Account takeover, as I said before, is not a new phenomenon, this is something online banks, credit issuers and even gaming sites have dealt with for years, but it historically hadn’t been a large problem in e-commerce. Until recently.
- We were hearing from a number of our retail customers that this was a growing problem for them, so we looked at confirmed fraud reports for account takeover in e-commerce from August 2017 to August 2018. In that period we saw a 220% increase.
- So why the big increase? To begin with Retailers are moving away from guest checkout, adding persistent accounts and dedicated apps to meet rising customer expectations. This brings a lot of benefits, allowing retailers to expedite the checkout process and gives more identity assurance. It also had the unintended consequence of opening the the door for account takeover. Recent report found that Retailers that have both mobile sites and apps are seeing, on average, two-thirds of their online sales coming from mobile devices, 44% in-app and 23% from mobile web and the remaining 33% from desktop. It also found that conversion rates are 3x higher for mobile apps than mobile Web. With such high conversion rates, you’ll likely see that more retailers are going to be launching dedicated apps. Creating a new target for cybercriminals. Source: https://marketingland.com/retailers-shopping-apps-now-see-majority-e-commerce-sales-mobile-234931
- The impacts of ATO reach far beyond just the cost of the lost good and chargebacks. It can cause lasting damage to customer relationships, loss of brand reputation with current and future customers and could also put you into non-compliance with many new regulations such as the GDPR and PSD2.
- Let’s dig into some of the costs of ATO both from a business and customer perspective. I think one of the most interesting points is that it take consumers an average of 16 hours to resolve issues after their account is taken over. That’s a lot of time for busy shoppers to have to devote to proving that they’re not a criminal. Which is why it’s not surprising that 44% of shoppers said they would never buy from a retailer again after a data breach. You need solutions that simultaneously: Increase security Establish confidence Provide outstanding online experiences 55% of respondents said additional identity validation requirements during the checkout process is viewed positively and makes them more likely to continue their purchase.
- At least 16 separate security breaches occurred at retailers from January 2017 until now. Many of them were caused by flaws in payment systems, either online or in stores. - https://www.businessinsider.com/data-breaches-2018-4 Data breaches were up 45% in 2017, with the flood of stolen credentials and personal data available on the dark web fraudsters are using that data to perpetrate ATO through a variety of tactics. Credential Stuffing - According to Verizon’s 2017 Data Breach Investigations report the number of data breaches involving stolen or weak passwords has gone from 50 per cent to 66 per cent to 81 per cent during the past three years. This alarming trend clearly illustrates that today’s security isn’t working. Source: https://www.cso.com.au/mediareleases/29642/hacked-passwords-cause-81-of-data-breaches/ Social Engineering - Case study on ATO: https://drive.google.com/file/d/1G4C0IqUSTUsIm4oYLk0plsqPbMy7SB7P/view?ts=5b906058 SIM Swapping – Recent
- As you can see there is a very close correlation between rising consumer complaints about fraud and ID theft and data breaches
- 2500 accounts accessed from a single device Those 2500 accounts had made us 50k in revenue before the attempted compromise If those accounts had been compromised 1 account to process emails and return to its "original state" and keep the customer happy equaled 2 hours of work 2 hours of work x 15/hour = $30 $30 x 2500 accounts = $75,000 We would have received chargebacks and lost revenue had we been unable to stop the attacks even if we returned the accounts back to their "original" state Brand Reputation - In terms of customer trust lost and brand damage, ATO can be a nightmare for companies. Collectively, victims spent 20.7 million hours resolving ATOs in 2016, according to data from Javelin Strategy & Research.
- You’re challenge is stopping ATO without deteriorating the customer experience and thus increasing cart abandonments.
- WordStream’s conversion rate analysis gives an overall conversion rate of 2.35%. However, the top 25% of companies convert at 5.31% and the top 10% at 11.45%.
- Visit rate is # of visits per month. There’s only a 17% difference between an average retailer and retailers in the top 20%. Highlights the importance of a customer experience.
- In a well designed system you can incorporate risk signals to tailor the level of authentication to the riskiness of the transaction. So for instance if a customer is logging in from a known device and just wants to view their balance, that’s a low risk transaction. But if the same customer want logs in from a new, unknown device and wants to transfer $10,000 out of their account; that’s a much riskier transaction. This is why risk insight is so important. Not only will it allow you to apply the right level of authentication based on risk-insight, it’ll also help you create a better user experience.
- Device based authentication isn’t reliant on personal data that has likely been breached, and is very low friction for customers. Refer back to case study
- Stops fraud in real-time based on context, behavior, location Device, account, and fraud reports across subscriber and industry Global view of fraud Search & reporting for assisting with fraud forensics After initial integration, fraud rules can be easily modified without additional coding
- MFA used three factors: Knowledge factor – something you know, i.e. a password, the PIN for your ATM or a knowledge based question Possession Factor – something you have Inherence – Something you ARE, i.e. facial recognition, my thumbprint, the way heartbeat Do you want to have to manage these different factors within different systems, or would you rather drive all authentication through one fully configurable experience We’re still missing a piece with all of this, the customer. So how can we make this all easier on the customer?
- ATO occurs when a fraudster exploits a customer’s personal information, stored with a merchant, to take control of an existing account or establish a new one, and then uses the account to make unauthorized transactions. Look for retailer with recurring or subscription payment. Automation Finding the right tools to automatically screen for fraud is key to achieve the right balance among minimizing losses, maximizing revenues, and controlling costs. Businesses can lower their fraud losses by deploying accurate, automated detection, and avoid unnecessary overhead by saving manual review for only the most ambiguous orders. During the automated screening process, a combination of tools—including validation services, proprietary data, multi-merchant data, and device tracking—is typically applied to determine the likelihood of fraud.