What can merchants do to avoid falling victim to large-scale ATO attacks?

Account Takeover (ATO) attacks happen when a bad actor gains access to a legitimate customer’s eCommerce store account and uses that account for fraud.

The impact of ATO attacks

A new Riskified survey shows that ATO attacks have a huge negative impact on customers and merchants, damaging brand reputation and hurting merchants’ bottom lines. Despite that, many merchants lack security measures, and 35% of merchants report that at least 10% of their accounts have been taken over in the last 12 months.

Both merchants and customers value secure store accounts. Customers cite their convenience and the opportunity to earn rewards as notable benefits. Merchants report that account holders shop more often and spend more per purchase than other customers.

But accounts can also increase risk if they are not properly secured. Sixty-six percent of merchants and 69% of customers say they are concerned about their accounts getting hacked. Purchases made using compromised store accounts are hard for merchants to detect, because they look like they are made by legitimate returning customers.

ATO attacks are also very costly for merchants. When fraudsters use compromised accounts to make fraudulent purchases, not only does the merchant lose the revenue and the value of the goods sold, but it also often suffers serious damage to its brand reputation and diminished customer lifetime value.

65% of customers say they would likely stop buying from a merchant if their account were compromised. 54% of customers say they would delete their account, 39% would go to a competitor, and 30% say they would tell their friends to stop shopping with the merchant.

Preventing ATOs presents unique challenges

Because an ATO requires only a login name and a stolen password, merchants have less data with which to evaluate the action, making detection and prevention difficult. Many merchants are failing to do so:

  • 27% admit that they do not have measures in place to prevent ATOs.
  • 24% of merchants can’t identify an ATO during a purchase.
  • 14% of merchants say they are not even aware that an ATO has occurred unless a customer contacts them.
  • Only 7.5% of customers learn their accounts were compromised from the merchant. The vast majority spot changes to their accounts or learn of unauthorized purchases.

Merchants that take steps to reduce ATOs risk hurting the customer experience. The most common approach to prevent ATOs is two-factor authentication for login attempts (62%), which can frustrate legitimate customers and increase cart abandonment.

Many merchants also require complex passwords to increase security, with 73% reporting that account passwords must contain a mix of characters, numbers, symbols and uppercase and lowercase letters.

This can help security, but it also increases friction and does little for customers who reuse passwords, meaning that store accounts are at risk through data breaches on other sites. That’s a real concern, as 47% of customers admit to using the same password for two or more online stores.

Embracing advanced technology may offer a solution

Because of their potential for serious financial and reputational harm – combined with the difficulty in detection – merchants need to use as much available data as possible to avoid ATOs. For example, merchants should look at the device and network details, proxy usage and previous logins to determine if the entity attempting to access the account is the rightful owner.

If the device or network is unfamiliar or exhibiting characteristics consistent with fraudsters, merchants should exercise caution by notifying the account owner or applying two-factor authentication.

Merchants also need to recognize that the account takeover isn’t the end goal. Fraudsters use ATO attacks to then place fraudulent orders, and merchants have the advantage of seeing that whole process.

An unfamiliar login or a change of details might seem suspicious initially, but if the cart that reaches checkout is low risk, then merchants can likely safely approve the order.

Similarly, if a safe-looking account event is followed by a chargeback, then merchants should take another look at the account activity and, likely, prompt the customer to change their password. When merchants ensure that these parts of the shopping journey – and the teams and solutions that manage them – are coordinated, they can decrease risk and increase revenue.
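The coordinated login-to-checkout-to-chargeback flow described above, as an added example that is not part of the survey write-up or of Riskified's own product: a login is scored against the account's previously seen devices and networks plus proxy usage, unfamiliar logins get step-up rather than a block, the login verdict is reconciled with the cart's risk at checkout, and a chargeback on a "safe" login forces a password reset. All weights, thresholds, field names and the sample account are assumptions.

```python
from dataclasses import dataclass

# Assumed thresholds; a real deployment would tune these from labelled outcomes.
STEP_UP_THRESHOLD = 0.5   # login risk at or above this triggers 2FA + owner notification
LOW_CART_RISK = 0.3       # cart risk below this counts as "low risk" at checkout


@dataclass
class Account:
    known_devices: set          # device fingerprints seen in previous logins
    known_asns: set             # network ASNs seen in previous logins
    reset_required: bool = False


def login_risk(acct, device_id, asn, via_proxy):
    """Score 0..1 from device/network familiarity and proxy use (assumed weights)."""
    score = 0.0
    if device_id not in acct.known_devices:
        score += 0.4            # device never seen on this account
    if asn not in acct.known_asns:
        score += 0.3            # network never seen on this account
    if via_proxy:
        score += 0.3            # proxy/VPN egress is consistent with fraudster tooling
    return round(score, 2)


def login_decision(risk):
    """Unfamiliar logins get step-up (2FA and a notification), not a hard block."""
    return "step_up" if risk >= STEP_UP_THRESHOLD else "allow"


def checkout_decision(risk_at_login, cart_risk):
    """The takeover is not the end goal: judge the order, not only the login."""
    if cart_risk < LOW_CART_RISK:
        return "approve"        # suspicious login but low-risk cart: likely safe to approve
    if risk_at_login >= STEP_UP_THRESHOLD:
        return "verify"         # unfamiliar login and risky cart: verify before fulfilling
    return "review"             # familiar login, risky cart: normal manual review (assumed)


def on_chargeback(acct, risk_at_login):
    """A chargeback after a 'safe' login means the verdict was wrong: force a reset."""
    if risk_at_login < STEP_UP_THRESHOLD:
        acct.reset_required = True
    return acct.reset_required


def remember_login(acct, device_id, asn):
    """After a passed step-up, fold the new device/network into the account's history."""
    acct.known_devices.add(device_id)
    acct.known_asns.add(asn)
    return acct
```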

“Our survey shows that merchants are aware of and concerned with ATO attacks, but they usually lack the ability to identify and prevent them,” said Assaf Feldman, CTO at Riskified.

“Without a dynamic approach that evaluates all relevant data, merchants risk significant financial losses, frustrated customers and damaged brand reputations. Advanced machine-learning solutions can instantly recognize legitimate customers and ease their path to checkout.

“Suspicious actions can be verified or blocked to minimize damage. By doing so, merchants maximize revenue while giving their customers a great experience.”

The importance of accounts

Accounts are an important shopping tool for customers:

  • 3% of customers say they have accounts on individual sites for shopping.
  • 75% do most or all of their online shopping with merchants where they have accounts.
  • 42% said they shop more frequently when they have an account.

Merchants get a significant portion of their business from customers with accounts:

  • More than 67% of the merchants surveyed say at least half of their orders come from customers with accounts.
  • 58% of merchants report that account holders spend more per purchase than customers who use guest checkout.
  • 61% say that account holders purchase more frequently than customers who use guest checkout.

“Companies can combat lateral phishing threats by adopting advanced security solutions that identify suspicious logins and take actions before breaches can occur. These controls enable businesses to verify users’ identities and enforce measures, such as MFA, which can limit an attacker’s chance of hijacking a corporate email address in the first place. Additionally, all companies can learn that it is essential to have full visibility and control over their customer data in order to prevent a breach. To do so, organizations must implement security solutions that remediate misconfigurations, enforce real-time access control, encrypt sensitive data at rest, manage the sharing of data with external parties, and prevent the leakage of sensitive information,” said Anurag Kahol, CTO at Bitglass.
