Account takeover (ATO) fraud costs businesses and consumers billions. ATOs happen when an unauthorized party accesses an online account. This type of fraud has victimized nearly 30 percent of Americans and caused $13 billion in financial losses in 2023 alone. The damage extends beyond money to reputation and consumer trust.
The ATO threat is growing. Generative artificial intelligence (GenAI) gives fraudsters new tools to execute these attacks, putting pressure on retailers to enhance their protections.
The Growing Threat of ATOs in the AI Era
Over 75 percent of security leaders list ATOs as one of their top four security concerns, and criminals are leveraging AI to make their attacks even more effective.
Fraudsters frequently acquire account information through social engineering and phishing, playing on human emotions to trick someone into sharing sensitive information. GenAI enables bad actors to create more realistic and convincing emails and messages on a larger scale.
Data breaches are another source of stolen credentials. Fraudsters can use AI to quickly create malware or automate large-scale attacks that exploit database weaknesses to gain access to usernames and passwords.
Once they’ve obtained data, attackers can use automated tools like bots for credential stuffing, replaying huge numbers of stolen username and password pairs on many different websites until they find one that works.
Protecting Customers From ATOs
We’ve all heard the advice about creating strong, unique passwords. While password hygiene is important to prevent ATOs, companies ultimately bear the responsibility of protecting their customers. Retailers must take additional steps to safeguard user accounts.
1. Limit login attempts.
Restricting the number of login attempts thwarts credential stuffing by locking the account before the bot can find the right combination.
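The measure above, as an added example rather than code from the original article or from any vendor: a limiter that counts failed logins in a sliding window per account and per source address and applies a doubling lockout once the window fills. The thresholds (five attempts in five minutes, a 60-second first lock capped at an hour) and the `attempt_login` glue are assumed values and names chosen for illustration.

```python
"""Login-attempt limiting for an account-login endpoint.

Added example for this article, not code from the original page or from any
vendor. It throttles failed logins with a sliding window per account and per
source address, then applies an escalating (doubling) lockout. All thresholds
are assumed values chosen for illustration.
"""
import time
from collections import defaultdict, deque


class LoginLimiter:
    def __init__(self, max_attempts=5, window_s=300, base_lock_s=60, max_lock_s=3600):
        self.max_attempts = max_attempts      # failures allowed inside one window
        self.window_s = window_s              # sliding-window length in seconds
        self.base_lock_s = base_lock_s        # first lockout duration
        self.max_lock_s = max_lock_s          # cap on the escalating lockout
        self._failures = defaultdict(deque)   # key -> timestamps of recent failures
        self._locked_until = {}               # key -> time the lock expires
        self._lock_count = defaultdict(int)   # key -> consecutive lockouts so far

    @staticmethod
    def _keys(username, source_ip):
        # Limit on both dimensions: a bot rotating usernames from one address is
        # caught by the IP key; one rotating addresses against a single account
        # is caught by the user key.
        return (("user", username.lower()), ("ip", source_ip))

    def _prune(self, key, now):
        q = self._failures[key]
        while q and now - q[0] > self.window_s:
            q.popleft()

    def is_locked(self, key, now):
        return now < self._locked_until.get(key, 0.0)

    def check(self, username, source_ip, now=None):
        """True if this attempt may proceed to password verification."""
        now = time.time() if now is None else now
        return not any(self.is_locked(k, now) for k in self._keys(username, source_ip))

    def record_failure(self, username, source_ip, now=None):
        """Count a failed attempt; lock the key once the window fills up."""
        now = time.time() if now is None else now
        for key in self._keys(username, source_ip):
            self._prune(key, now)
            self._failures[key].append(now)
            if len(self._failures[key]) >= self.max_attempts:
                lock = min(self.base_lock_s * (2 ** self._lock_count[key]), self.max_lock_s)
                self._locked_until[key] = now + lock
                self._lock_count[key] += 1
                self._failures[key].clear()

    def record_success(self, username, source_ip):
        """A successful login resets the account's counters so real users recover.
        The source-address counters are deliberately kept: one success from an
        address that is also hammering other accounts must not clear its history."""
        key = ("user", username.lower())
        self._failures[key].clear()
        self._lock_count.pop(key, None)
        self._locked_until.pop(key, None)


def attempt_login(limiter, username, source_ip, password_ok, now=None):
    """Glue for a login handler (hypothetical): returns 'locked', 'ok' or 'bad_password'.
    `password_ok` is the result of the real credential check, assumed to exist."""
    if not limiter.check(username, source_ip, now):
        return "locked"
    if password_ok:
        limiter.record_success(username, source_ip)
        return "ok"
    limiter.record_failure(username, source_ip, now)
    return "bad_password"


if __name__ == "__main__":
    lim = LoginLimiter(max_attempts=3)
    for i in range(4):
        print(attempt_login(lim, "alice", "203.0.113.5", False, now=1000.0 + i))
```

Two design points matter here. The lock is short and escalating rather than permanent, because an indefinite per-account lock lets anyone deny service to a customer simply by guessing wrong on purpose; the per-address key catches bots that spread their guesses over many accounts, which a per-account limit alone never sees.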
2. Implement multifactor authentication.
Passwords alone are not sufficient to protect accounts. Retailers must invest in multifactor authentication (MFA), which requires users to provide at least two verification factors to gain account access. Even if a fraudster steals credentials, they typically won’t have access to the second factor, bolstering account security. The second element could come in many forms:
- SMS or email MFA code;
- a security token from an authenticator app;
- a fingerprint; or
- facial recognition.
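The "security token from an authenticator app" item is a time-based one-time password (TOTP, RFC 6238, built on HOTP, RFC 4226). The following added example, not code from the original article, shows the server-side half: generating the expected code from a per-user shared secret and verifying a submitted one with a small clock-drift window, a constant-time comparison, and replay protection. It uses only the Python standard library; the `RFC_TEST_KEY` value is the published RFC test-vector key standing in for a real per-user secret, and the in-memory user store is constructed for the example.

```python
"""Verifying an authenticator-app code (TOTP, RFC 6238 over HOTP, RFC 4226).

Added example for this article, not code from the original page; it uses only
the Python standard library. The secret below is the RFC 4226/6238 test key and
stands in for a per-user secret that would live in the account store.
"""
import hashlib
import hmac
import struct
import time


def hotp(secret, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, at_time, step=30, digits=6):
    """RFC 6238: HOTP with the counter derived from Unix time (30-second steps)."""
    return hotp(secret, int(at_time) // step, digits)


class TotpVerifier:
    """Server-side check of the second factor.

    Accepts codes from the current step and `window` steps either side (clock
    drift), compares in constant time, and refuses any counter at or below the
    last one accepted, so a code captured by phishing cannot be replayed later.
    """

    def __init__(self, step=30, digits=6, window=1):
        self.step, self.digits, self.window = step, digits, window
        self._secrets = {}        # user -> shared secret (constructed in-memory store)
        self._last_counter = {}   # user -> last accepted counter

    def enroll(self, user, secret):
        self._secrets[user] = secret
        self._last_counter[user] = -1

    def verify(self, user, code, now=None):
        secret = self._secrets.get(user)
        if secret is None:
            return False
        now = time.time() if now is None else now
        current = int(now) // self.step
        for delta in range(-self.window, self.window + 1):
            counter = current + delta
            if counter <= self._last_counter[user]:
                continue   # already consumed, or older than a consumed code
            expected = hotp(secret, counter, self.digits)
            if hmac.compare_digest(expected, str(code).strip()):
                self._last_counter[user] = counter
                return True
        return False


RFC_TEST_KEY = b"12345678901234567890"   # published test-vector key, not a real secret


if __name__ == "__main__":
    v = TotpVerifier()
    v.enroll("alice", RFC_TEST_KEY)
    code = totp(RFC_TEST_KEY, time.time())   # what the user's app would display now
    print(v.verify("alice", code), v.verify("alice", code))   # True, then False (replay)
```

The replay check is the part most often left out: without it, a code that a phishing page relays to the attacker remains valid for the rest of its 30-second step. SMS and email codes need the same single-use treatment on the server side.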
3. Monitor for suspicious behavior.
Compromised accounts usually exhibit suspicious behavior. Retailers may see unusual login locations, high-value purchases, a large number of orders, frequent address changes, or multiple credit cards used. By monitoring account activity, retailers can implement proactive defense measures to prevent fraud, such as additional authentication measures.
4. Optimize the customer experience.
Retailers must also balance security with customer experience. Too few security measures leave accounts vulnerable, while high-friction experiences can result in abandoned purchases. Assessing the risk level of site visitors allows retailers to create hurdles for suspicious users while clearing the way for trusted customers.
Device intelligence is one approach for risk assessment. This technology assigns each visitor a unique identifier using device characteristics such as operating system, IP address and screen resolution, allowing retailers to recognize repeat users and raise flags for unusual behavior. Device intelligence solutions can automatically verify a customer who logs in from their usual device to provide a seamless user experience, even remembering the user’s preferences and past actions. If the same account logs on from a new device, the platform can prompt them to enter a password before proceeding.
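Steps 3 and 4 together describe one mechanism: turn the signals a retailer can observe (unrecognized device, new login location, high-value purchases, order volume, address changes, several cards) into a risk score, then let that score decide whether a visitor passes, is asked to re-authenticate, or is held for review, and remember a device once its owner has cleared a step-up. The example below is added for this article and is not code from the original page or from Fingerprint's product; the signal weights, thresholds, and sample customer data are assumed values constructed for illustration.

```python
"""Scoring account activity for signs of takeover and choosing a response.

Added example for this article, not code from the original page or from any
vendor's product. The signals follow the article (new login location, high-value
purchases, order volume, address changes, multiple cards, unrecognised device);
the weights, thresholds and sample accounts are assumed values for illustration.
"""
from dataclasses import dataclass, field


@dataclass
class AccountProfile:
    """What the retailer already knows about a customer from past sessions."""
    known_devices: set = field(default_factory=set)   # device-intelligence identifiers
    known_countries: set = field(default_factory=set)
    known_cards: set = field(default_factory=set)     # payment tokens, never raw card numbers
    typical_order_value: float = 50.0


@dataclass
class SessionActivity:
    """What is observed in the current session."""
    device_id: str
    country: str
    order_values: list
    address_changes: int = 0
    cards_used: set = field(default_factory=set)


# Weights are assumed; in practice they are tuned from labelled fraud cases.
WEIGHTS = {
    "new_device": 30,
    "new_location": 25,
    "high_value_purchase": 20,
    "order_velocity": 15,
    "address_churn": 15,
    "multiple_new_cards": 20,
}


def score_session(profile, activity):
    """Return (score, reasons) for the session; reasons make the decision auditable."""
    reasons = []
    if activity.device_id not in profile.known_devices:
        reasons.append("new_device")
    if activity.country not in profile.known_countries:
        reasons.append("new_location")
    if any(v > 3 * profile.typical_order_value for v in activity.order_values):
        reasons.append("high_value_purchase")
    if len(activity.order_values) > 5:
        reasons.append("order_velocity")
    if activity.address_changes >= 2:
        reasons.append("address_churn")
    if len(activity.cards_used - profile.known_cards) >= 2:
        reasons.append("multiple_new_cards")
    return sum(WEIGHTS[r] for r in reasons), reasons


def decide(score):
    """Map the score to friction: trusted customers pass, suspicious ones get a hurdle."""
    if score >= 60:
        return "review"     # hold orders and re-verify the account holder
    if score >= 30:
        return "step_up"    # ask for the password or second factor before proceeding
    return "allow"


def assess(profile, activity):
    score, reasons = score_session(profile, activity)
    return decide(score), score, reasons


def trust_device(profile, activity):
    """After a successful step-up, remember the device so the next visit is seamless."""
    profile.known_devices.add(activity.device_id)
    profile.known_countries.add(activity.country)


if __name__ == "__main__":
    customer = AccountProfile({"dev-1"}, {"US"}, {"tok-a"}, 50.0)   # constructed sample
    print(assess(customer, SessionActivity("dev-1", "US", [40.0])))
    print(assess(customer, SessionActivity("dev-2", "RO", [400.0] * 6, 3, {"tok-b", "tok-c"})))
```

Returning the list of reasons alongside the score is deliberate: a fraud analyst reviewing a held order, or a customer asking why they were challenged, needs to see which signals fired, and the same list is what you would tune against when a weight produces too many false step-ups.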
As fraudsters increasingly leverage AI to enhance their tactics, businesses must fortify their defenses. Layering protections lets retailers provide the safe, streamlined experience customers demand.
Dan Pinto is CEO and co-founder of Fingerprint, the world’s most accurate device identifier.
Dan Pinto is CEO and co-founder of Fingerprint and brings over a decade of experience in tech. He began his career in software engineering, where he developed an interest in creating bots, but quickly shifted his focus to entrepreneurship. Dan has founded many small startups, including eBay stores, a tech blog, and even a forum for TV shows.
In 2014, Dan co-founded Machinio, a search engine for used machinery, which was later acquired by NASDAQ:LQDT in 2018. After this success, he co-founded Fingerprint, the world’s most accurate device identifier, which has raised over $77 million since its first funding round in 2020. Fingerprint currently employs over 100 people and is dedicated to solving the complex issue of online fraud.