Help Net Security - Daily information security news with a focus on enterprise security.
Help Net Security
October 6, 2020

As ATO attacks surge, consumers expect merchants to protect them from fraud

Attempted account takeover (ATO) attacks swelled 282 percent between Q2 2019 and Q2 2020, Sift reveals. Likewise, ATO rates for physical ecommerce businesses (those that sell physical goods online) jumped 378 percent since the start of the COVID-19 pandemic, indicating that fraudsters are leaning heavily on this attack vector to steal payment information and rewards points stored in online accounts on merchant websites.


According to Deloitte, ecommerce sales are forecast to grow 25-35 percent and are expected to generate between $182 billion and $196 billion this season.

When combined with the surge in ATO rates, the 2020 holiday shopping season presents the perfect opportunity for fraudsters to leverage account takeovers to take advantage of more people shopping online. This can have a devastating impact on companies including financial repercussions and brand abandonment.

Account hacking leads to brand abandonment

According to the research, ATO attacks also create significant and lasting brand damage. Based on a survey of 1,000 U.S. adult consumers, 28 percent of respondents would completely stop using a site or service if their accounts on that site were hacked.

And while consumers can secure their accounts by leveraging tools like password managers, multi-factor authentication (MFA), and by using unique passwords, they largely ignore these best practices. In fact, 66 percent of consumers surveyed either don’t use any type of password manager or aren’t sure if they do, despite 52 percent of them having concerns about becoming victims of ATO in the future, and 25 percent reporting that they have already had their accounts hacked at least once before.

Additional findings

  • Attacks are fueled by automation: Between Q2 2019 and Q2 2020, ATO attacks happened in discrete waves about a week apart, indicating that fraudsters are turning to bots and automation in order to overwhelm trust & safety teams.
  • Fraudsters sneak in and cash out: Of those who have experienced ATO, 41 percent of respondents reported that payment details were stolen and used to make purchases, and 37 percent of victims had money taken directly from their accounts. Another 37 percent had rewards points or credits taken and used to buy goods and services.
  • Ecommerce is in the crosshairs: Of consumers who confirmed being victims of ATO attacks, a whopping 61 percent said their ecommerce (both physical and digital goods and services) accounts were hacked.
  • Other online destinations on which consumers reported experiencing ATO include:
    • Social media sites: 36 percent
    • Financial services sites: 35 percent
    • Online dating sites: 22 percent
    • Travel sites: 19 percent

ATO attacks for financial gain

Like payment fraud and content abuse, two of the other links in the fraud supply chain, account takeover is typically a means to a financial end.

Using credentials either illicitly purchased on the dark web or obtained through techniques like credential stuffing, hackers gain access to user accounts on a business’s website and then make purchases on that website using stored payment information or rewards points. Attackers may also export the stored information in order to commit fraud across the web.

While consumers may be the immediate victim of these attacks, businesses ultimately face the real costs: in addition to reimbursing hacked customers, businesses face exorbitant chargeback fees and payment network fines when ATO leads to payment fraud.


Customer security as customer experience

“Businesses have been forced to adapt to an immediate shift in consumer behavior since the beginning of the global pandemic. Unfortunately, fraudsters have too,” said Jason Tan, CEO of Sift.

“The surge in ATO attacks indicates that merchants can’t leave the burden of account security to their customers. Rather, companies should treat account protection as part of the overall customer experience and as a key part of their Digital Trust & Safety strategy, which allows for seamless transactions while preventing fraud.”
