Riskified, the payments and fraud-prevention solutions provider, today released a survey on the effect of Account Takeover (ATO) attacks on eCommerce merchants and customers. ATOs happen when a bad actor gains access to a legitimate customer’s eCommerce store account and uses that account for fraud. The survey shows that ATO attacks have a huge negative impact on customers and merchants, damaging brand reputation and hurting merchants’ bottom lines. Despite that, many merchants lack security measures, and more than one in three merchants (35%) report that at least 10% of their accounts have been taken over in the last 12 months.
Both merchants and customers value secure store accounts. Customers cite their convenience and the opportunity to earn rewards as notable benefits. Merchants report that account holders shop more often and spend more per purchase than other customers.
But accounts can also increase risk if they are not properly secured. Sixty-six percent of merchants and 69% of customers say they are concerned about their accounts getting hacked. Purchases made using compromised store accounts are hard for merchants to detect, because they look like they are made by legitimate returning customers. ATOs are also very costly for merchants. When fraudsters use compromised accounts to make fraudulent purchases, not only does the merchant lose the revenue and the value of the goods sold, but it also often suffers serious damage to its brand reputation and diminished customer lifetime value.
65% of customers say they would likely stop buying from a merchant if their account was compromised. More than half (54%) of customers say they would delete their account, 39% would go to a competitor, and 30% say they would tell their friends to stop shopping with the merchant.
Preventing ATOs presents unique challenges:
Because ATOs require only a login and stolen password, merchants have less data with which to evaluate the action, making detection and prevention difficult. Many merchants are failing to detect and prevent them:
- More than a quarter of merchants (27%) admit that they do not have measures in place to prevent ATOs.
- 24% of merchants can’t identify an ATO during a purchase.
- 14% of merchants say they are not even aware that an ATO has occurred unless a customer contacts them.
- Only 7.5% of customers learn their accounts were compromised from the merchant. The vast majority spot changes to their accounts or learn of unauthorized purchases.
Merchants that take steps to reduce ATOs risk hurting the customer experience. The most common approach to prevent ATOs is two-factor authentication for login attempts (62%), which can frustrate legitimate customers and increase cart abandonment. Many merchants also require complex passwords to increase security, with 73% reporting that account passwords must contain a mix of characters, numbers, symbols and uppercase and lowercase letters. This can help security, but it also increases friction and does little for customers who reuse passwords, meaning that store accounts are at risk through data breaches on other sites. That’s a real concern, as 47% of customers admit to using the same password for two or more online stores.
Embracing advanced technology may offer a solution:
Because ATOs can cause serious financial and reputational harm – and are difficult to detect – merchants need to use as much of the available data as possible to prevent them. For example, merchants should look at the device and network details, proxy usage and previous logins to determine if the entity attempting to access the account is the rightful owner. If the device or network is unfamiliar or exhibiting characteristics consistent with fraudsters, merchants should exercise caution by notifying the account owner or applying two-factor authentication.
Merchants also need to recognize that the account takeover isn’t the end goal. Fraudsters use ATOs to then place fraudulent orders, and merchants have the advantage of seeing that whole process. An unfamiliar login or a change of details might seem suspicious initially, but if the cart that reaches checkout is low risk, then merchants can likely safely approve the order. Similarly, if a safe-looking account event is followed by a chargeback, then merchants should take another look at the account activity and, likely, prompt the customer to change their password. When merchants ensure that these parts of the shopping journey – and the teams and solutions that manage them – are coordinated, they can decrease risk and increase revenue.
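The login checks and the login-to-checkout-to-chargeback coordination described in the two paragraphs above can be sketched as follows. This is an added example, not Riskified's code or method; the weights, thresholds, field names and the low/high cart-risk input are all assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Weights and threshold are illustrative assumptions, not survey values.
W_NEW_DEVICE, W_NEW_NETWORK, W_PROXY = 2, 1, 2
STEP_UP_AT = 3

@dataclass
class Account:
    known_devices: set = field(default_factory=set)   # from previous logins
    known_networks: set = field(default_factory=set)
    needs_password_reset: bool = False

@dataclass
class Login:
    device_id: str
    network: str          # e.g. an ASN or address prefix (assumed format)
    via_proxy: bool = False

def login_risk(acct: Account, login: Login) -> int:
    """Score a login on device, network and proxy use against account history."""
    score = 0
    if login.device_id not in acct.known_devices:
        score += W_NEW_DEVICE
    if login.network not in acct.known_networks:
        score += W_NEW_NETWORK
    if login.via_proxy:
        score += W_PROXY
    return score

def login_action(acct: Account, login: Login) -> str:
    """Unfamiliar signals lead to caution: notify the owner or apply 2FA."""
    score = login_risk(acct, login)
    if score >= STEP_UP_AT:
        return "step_up_2fa"
    return "notify_owner" if score > 0 else "allow"

def order_decision(login_score: int, cart_risk: str) -> str:
    """A low-risk cart is approved even after a login that looked unusual."""
    if cart_risk == "low":
        return "approve"
    return "decline" if login_score >= STEP_UP_AT else "review"

def on_chargeback(acct: Account, session_logins: list) -> list:
    """Flag a password change and return the safe-looking logins to re-review."""
    acct.needs_password_reset = True
    return [l for l in session_logins if login_risk(acct, l) < STEP_UP_AT]

if __name__ == "__main__":
    acct = Account({"dev-A"}, {"net-1"})              # constructed sample data
    print(login_action(acct, Login("dev-B", "net-9", via_proxy=True)))
```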
“Our survey shows that merchants are aware of and concerned with ATO attacks, but they usually lack the ability to identify and prevent them,” said Assaf Feldman, Riskified’s cofounder and chief technical officer. “Without a dynamic approach that evaluates all relevant data, merchants risk significant financial losses, frustrated customers and damaged brand reputations. Advanced machine-learning solutions can instantly recognize legitimate customers and ease their path to checkout. Suspicious actions can be verified or blocked to minimize damage. By doing so, merchants maximize revenue while giving their customers a great experience.”
Additional key findings from the survey include:
Accounts are an important shopping tool for customers:
- 83% of customers say they have accounts on individual sites for shopping.
- 75% do most or all of their online shopping with merchants where they have accounts.
- 42% said they shop more frequently when they have an account.
Merchants get a significant portion of their business from customers with accounts:
- More than 67% of the merchants surveyed say at least half of their orders come from customers with accounts.
- 58% of merchants report that account holders spend more per purchase than customers who use guest checkout.
- 61% say that account holders purchase more frequently than customers who use guest checkout.