ATO

ATO Attacks: What They Are and How to Foil Them

It’s more important than ever for merchants to make sure their customers are returning to make repeat purchases as the e-commerce landscape becomes more saturated. One of the best means for improving customer loyalty is to offer accounts for your online store which customers can use to check out faster, get tailored recommendations and accumulate loyalty points. However, these merchant programs are exactly what account takeover (ATO) attacks seek to exploit.

The damage from ATO attacks is signficant and growing, having more than doubled year over year to $5.1 billion in losses in 2017. ATO attacks are not only hard to detect but can have enormous consequences for merchants beyond chargebacks and stolen goods. Customers often leave their credit card details saved in their store accounts, trusting merchants to guard them. When ATO attacks occur, merchants have to deal with the fallout of having their customer’s credit card details and personally identifiable information (PII) stolen. That’s always looks bad.

How can merchants identify these fraud attempts and stop ATO attacks from negatively impacting their reputation and bottom line? I’ll provide the answer, but first let’s define the problem.

Defining ATO

Whenever a bad actor gains access to another party’s legitimate account, this is called an ATO attack. These attacks occur most commonly as a result of data breaches – cyber criminals hacking into information systems and stealing data.

‘Credential Stuffing’ and ATO

Before stolen credentials can be used in an attack, they need to be verified. We’ve found three primary reasons for this:

  1. Many stolen credentials are outdated – accounts can be closed or users may have changed their passwords since this data was collected.
  2. The hacker wants to check if the credentials they stole will work for other online accounts. For example, a login to someone’s Yahoo account is hard to monetize, but if those same credentials work for an electronics store account, that’s a jackpot.
  3. Credential data can be unclear or disorganized, for instance, a mismatched list of usernames and passwords.

Testing credential validity is extremely tedious work, so hackers use bots – automated software applications – to sift through the loot. The process of using bots to test logins and passwords at extremely high speed is called “credential phishing” or “credential stuffing.”

Once hackers have a bunch of verified credentials, they can either use them themselves or sell them on the darkweb. Typically though, the hackers who pull off data breaches don’t have expertise in performing ATO attacks, and vice versa. Usually the hacker will verify the stolen credentials and then sell them on the darkweb to a fraudster who specializes in ATO attacks. The surprising affordability of this data on the open market is an unnerving testament to its abundance, as well as the efficiency of credential phishing. For example, logins to Paypal accounts with a $500 balance cost only $6.43 and Uber account logins cost under $4 each.

Fraudster ATO Tactics

A fraudster with verified login credentials has countless ways to perpetrate an attack, but there are two primary methods that Riskified has identified:

Mismatched ATO

This is the most common pattern we see in ATO attacks. In these cases, a fraudster obtains account information, but not the associated credit card details. So to carry out the attack they use a stolen card card that belongs to an unrelated person.

This sort of “Frankenfraud” sounds like it should raise merchants’ eyebrows, but in fact these attacks have a high rate of success. Many merchants are unaware of how commonplace ATO attacks are and decide that good login credentials are enough to auto-approve an order. Even when merchants detect something suspicious in one of these orders, they tend to refrain from reaching out to customers to verify their identity, since this could harm the customer experience. Most merchants are worried more about sending the shopper to the competition than about fraud.

In a mismatched ATO attack, fraudsters take advantage of a merchant’s’ apprehension about reaching out to customers. More often than not, it works.

Loyalty fraud

As simple as mismatched ATO attacks are, life can be even easier for a fraudster. If there is already some sort of store credit or rewards cash balance in the compromised account, fraudsters can use it to shop immediately. The most common examples of this are frequent flyer miles or hotel loyalty programs, where it’s quite common for customers to store significant amounts of value in their accounts.

When a fraudster commits loyalty fraud, the merchant is responsible for reimbursing that stolen store credit. The fallout is incredibly embarrassing for a merchant and damaging to their reputation.

Both of these ATO methods, unfortunately, tend to be pretty effective. Traditional fraud detection systems simply aren’t equipped to detect bad actors logging in to good customer’s accounts, sometimes from the customer’s own device. Protecting goods and PII from these type of attacks requires changing the way you think about card-not-present (CNP) fraud.

Detecting and deflecting ATO attacks

One of the critical mistakes merchants make when trying to stop ATOs is to treat them like standard fraud attacks, namely by hoping to catch the fraud and decline the order at checkout.

However, realizing an account has been compromised at checkout isn’t good enough. By that point, personal information could already be compromised, and even in the best case scenario, the owner of the account will need to be informed of the breach so that they can change their login credentials. That’s not a call you want to have to make to your customers!

The only way to avoid damage from ATO attacks is to catch the bad actors when they try to log into the account. This is easier said than done. Catching them at login means you have to process data and make decisions in real-time because legitimate shoppers won’t tolerate more than a second or two of wait time when they try to log in to an e-commerce site. This means that manually reviewing data is not a viable option for preventing ATO attacks.

So what data should you be reviewing at login? Just like at the point-of-sale, your fraud solution should look at the geographic IP address and device the browser is using and compare these to historical data about the customer in real time. Mismatches here shouldn’t automatically lead to blocking the customer, since they could be traveling, or just gotten a new phone. However, in conjunction with other information (like how many attempts it takes to get the password right) mismatches in this kind of data could be a red flag.

Another vital job for your review system at the point of login is bot detection. If you’re able to identify that the user is a bot, based on parameters like keystroke velocity and mobile device orientation sensors, it becomes far more likely that this login is either an ATO attempt or credential phishing.

Though it’s no small task, detecting bots and bad actors is only half the battle. You then have to decide how to act. Some login attempts will be clearly legitimate, others obvious attacks, but then there will be a range of “gray” attempts, which you’ll be unsure about. In these cases, you will have no choice but to deploy a verification measure, like an SMS or email, to try to confirm the user’s identity. Most merchants are justifiably queasy about the prospect of adding friction to the shopping process, but in this gray area there’s simply no choice – the alternative means risking an ATO attack or locking out a good customer.

Learn more about ATO

Determining which log-in attempts to block, allow and verify, is a careful balancing act. Ideally only a narrow range of gray login attempts should lead to users being asked to authenticate their identity, ensuring that most good customers gain access without any additional friction. Building a system to deal with a range of risk scenarios by deploying different types of identity-verifying measures (texts, captcha, emails, email-based login alerts, security questions and so on) is a complex task. For more information about creating a risk-based authentication policy, as well as more in-depth insights about ATO attacks, get a free copy of Riskified’s guide to detecting and preventing ATOs.

Tagged with:
Posted in:
Author: Ronald Praetsch


Managing director and co-founder of About-Fraud. Ronald leverages his extensive experience in payments & fraud to inform the structure and content of the site. Outside of About-Fraud, Ronald consults regularly with merchants, payment service providers and fraud solution vendors. Before About-Fraud, he spent close to a decade in various payments and fraud prevention roles at Sift Science, Fareportal, Booking.com and Pay.On in both Europe and North America.