18 October 2023
7 min read
In light of this reality, to stay ahead of ATO you need to identify all the implications that come with it. There are plenty of resources you need to bring together to create a proper anti-fraud strategy, and a lot of challenges to overcome.
We’ve put together a list of the 10 most common challenges you need to tackle. Let’s dive into each of them to see what you need to do when struggling with the various issues in the fight against ATO.
The performance of your ATO solution is measured by several metrics: fraud rate, detection rate, approval rate and precision.
The fraud rate is the percentage of login traffic on your website or app that is detected as fraudulent. Ideally, this should be under 0.1%. The rejection rate is the percentage of legitimate login attempts that are rejected, and it is the complement of the approval rate. For example, a high approval rate, let’s say ~99.9%, corresponds to a low rejection rate of 0.1%, which means that only a few legitimate login attempts are blocked.
The detection rate (also known as recall) is the percentage of fraudulent login attempts that are correctly detected. Precision is the percentage of detected cases that are actually fraudulent, in other words, the proportion of true positives among everything flagged (true positives plus false positives).
To increase the performance of an ATO fraud prevention model, you need to fine-tune the detection rules. Start with a moderate baseline threshold, collect data with legitimate and fraudulent login attempts, test the baseline, adjust the threshold iteratively, validate its effectiveness on a separate dataset, and keep monitoring and adapting the threshold to strike the right balance between precision and recall.
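The following is an added worked example (not code from the original post) of the threshold-tuning loop just described. It assumes each login attempt already carries a risk score in [0, 1] from a model or rules engine plus a ground-truth label learned later, and it computes the four metrics above for a range of thresholds, then picks the threshold with the best detection rate that still respects an approval-rate floor. The attempts, scores and labels are constructed for illustration.

```python
"""Threshold tuning for an ATO risk score.

Added example, not code from the original post. It assumes each login attempt
has already received a risk score in [0, 1] from a model or rules engine and a
ground-truth label learned later (chargeback, customer report). The attempts
below are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class LoginAttempt:
    score: float    # risk score, 1.0 = most suspicious
    is_fraud: bool  # ground truth established after the fact


# Constructed sample: 20 attempts, 4 of them account takeovers.
SAMPLE = [
    LoginAttempt(s, False)
    for s in (0.02, 0.05, 0.08, 0.10, 0.12, 0.15, 0.20, 0.25,
              0.30, 0.35, 0.40, 0.45, 0.55, 0.62, 0.70, 0.78)
] + [LoginAttempt(s, True) for s in (0.60, 0.75, 0.85, 0.95)]


def evaluate(attempts, threshold):
    """Confusion-matrix metrics when everything scoring >= threshold is flagged."""
    tp = fp = fn = tn = 0
    for a in attempts:
        flagged = a.score >= threshold
        if flagged and a.is_fraud:
            tp += 1
        elif flagged:
            fp += 1
        elif a.is_fraud:
            fn += 1
        else:
            tn += 1
    total, legit, fraud, flagged_total = len(attempts), tn + fp, tp + fn, tp + fp
    return {
        "threshold": threshold,
        # share of login traffic flagged as fraudulent (the post's "fraud rate")
        "fraud_rate": flagged_total / total,
        # recall: share of real fraud that was caught
        "detection_rate": tp / fraud if fraud else 0.0,
        # precision: share of flagged attempts that really were fraud, TP / (TP + FP)
        "precision": tp / flagged_total if flagged_total else 0.0,
        # approval rate and its complement, the rejection rate, over legitimate users
        "approval_rate": tn / legit if legit else 0.0,
        "rejection_rate": fp / legit if legit else 0.0,
    }


def sweep(attempts, thresholds):
    """Evaluate every candidate threshold so precision and recall can be compared."""
    return [evaluate(attempts, t) for t in thresholds]


def pick_threshold(attempts, thresholds, min_approval):
    """Best detection rate among thresholds whose approval rate stays within budget.

    The approval floor is the business constraint (how many legitimate users you
    are willing to reject); detection rate is maximised subject to it.
    """
    best = None
    for m in sweep(attempts, thresholds):
        if m["approval_rate"] >= min_approval:
            if best is None or m["detection_rate"] > best["detection_rate"]:
                best = m
    return best


if __name__ == "__main__":
    for m in sweep(SAMPLE, (0.5, 0.65, 0.8)):
        print(m)
    print("chosen:", pick_threshold(SAMPLE, (0.5, 0.65, 0.8), min_approval=0.85))
```

On this sample a threshold of 0.5 catches every takeover but rejects a quarter of legitimate users, 0.8 rejects nobody but misses half the fraud, and 0.65 is the one that satisfies an 85% approval floor with the highest recall. The same sweep should be re-run on a held-out dataset before the chosen threshold goes live, and periodically afterwards as traffic changes.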
If you rely solely on manual processes, fraud may slip through, or the false-positive rate may increase, especially if you handle a high volume of login attempts or account openings. Manual review alone rarely has access to enough data to detect incoming fraud with high precision.
You can leverage machine learning models that provide recommendations and risk assessments, reducing the need for full manual review. Alternatively, if ML is not the best option in your case, you can implement automated rules-based systems that prioritize manual review by assigning risk scores to login attempts, directing manual effort toward the highest-risk ATO cases first.
The issue here is that fraudsters use dedicated software that can spoof the device fingerprint by mimicking elements of the legitimate user’s hardware and software. Or, through social engineering techniques, fraudsters can get access to the user’s own device, which lets them avoid triggering device fingerprinting detection at all. Behavioral biometrics is key here. By using data on how users interact with machines through the human-computer interface (HCI), such as keyboards, mice, touchscreens and others, you can understand your users’ typical behavior and detect anomalies.
Developing accurate device fingerprinting is resource-intensive. To make your device fingerprinting tool spoof-resistant, you need extensive data collection and behavioral analysis to complement its performance.
Once fraudsters gain access to the account, they may try to keep control by changing the password, adding a recovery email or phone number, or modifying security settings. Also, by modifying the 2FA settings, fraudsters can create an additional barrier to account recovery. If they set up 2FA to route to a device they control, it becomes difficult for the legitimate user to prove their identity and recover the account.
So what can you do when ATO hits your users this way? First, once an account is flagged for ATO, make sure you’re getting in touch with the legitimate user and not with the fraudster, who may be trying to extract even more data. Check historical data for past logins and transactions and match them against the compromised account to confirm the real identity of the user. Rely on the data you already have, and don’t fall back on security questions like the mother’s maiden name and the like. With how much people expose on social media these days, those questions would rather ease the fraudster’s efforts. Then help the user recover their email and password. However, if the email address has been changed or compromised, you’ll have to ask the user to create a new account.
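As an added example (not code from the original post), here is detection logic for the lock-out pattern described above: a login from an unfamiliar device followed within a short window by a burst of password, recovery-contact and 2FA changes. Each alert also records the contact details that were on file before the change, which is the channel to use when reaching out to the real owner rather than whoever now controls the account. The log format, device ids, addresses and all log lines are constructed for illustration.

```python
"""Detecting a takeover that is locking the real owner out.

Added example, not code from the original post. It assumes an account-activity
log with one event per line: ISO timestamp, user, event type, then key=value
details. The log lines, device ids and addresses below are all constructed.
"""
from datetime import datetime, timedelta

SENSITIVE_CHANGES = {"password_changed", "recovery_email_changed",
                     "recovery_phone_changed", "mfa_changed"}
WINDOW = timedelta(minutes=30)   # how soon after login the changes must cluster

SAMPLE_LOG = """\
2023-10-18T09:00:00 alice login device=dev-a1
2023-10-18T09:05:00 alice password_changed -
2023-10-18T14:00:00 bob login device=dev-unknown-7
2023-10-18T14:03:00 bob password_changed -
2023-10-18T14:04:00 bob recovery_email_changed old=bob@example.com new=bx@mail.example
2023-10-18T14:06:00 bob mfa_changed old=sms:+100000 new=totp
2023-10-18T16:00:00 carol login device=dev-c1
2023-10-18T20:00:00 carol recovery_phone_changed old=+100001 new=+100002
""".splitlines()

# Devices each user has previously logged in from (constructed).
KNOWN_DEVICES = {"alice": {"dev-a1"}, "bob": {"dev-b1"}, "carol": {"dev-c1"}}


def parse_event(line):
    """Split one log line into timestamp, user, event kind and key=value details."""
    ts, user, kind, *rest = line.split()
    details = dict(part.split("=", 1) for part in rest if "=" in part)
    return {"ts": datetime.fromisoformat(ts), "user": user, "kind": kind, "details": details}


def find_lockout_alerts(lines, known_devices, min_changes=2):
    """Flag logins from an unfamiliar device followed by a burst of security changes.

    Each alert carries the contact details that were on file *before* the change,
    which is the channel to use when reaching out to the legitimate owner.
    """
    events = sorted((parse_event(l) for l in lines), key=lambda e: e["ts"])
    alerts = []
    for i, ev in enumerate(events):
        if ev["kind"] != "login":
            continue
        if ev["details"].get("device") in known_devices.get(ev["user"], set()):
            continue
        changes, contact_before = [], {}
        for later in events[i + 1:]:
            if later["user"] != ev["user"]:
                continue
            if later["ts"] - ev["ts"] > WINDOW:
                break  # events are time-ordered, nothing later can be in the window
            if later["kind"] in SENSITIVE_CHANGES:
                changes.append(later["kind"])
                if "old" in later["details"]:
                    contact_before[later["kind"]] = later["details"]["old"]
        if len(changes) >= min_changes:
            alerts.append({"user": ev["user"], "login_at": ev["ts"],
                           "device": ev["details"].get("device"),
                           "changes": changes, "contact_before_change": contact_before})
    return alerts


if __name__ == "__main__":
    for alert in find_lockout_alerts(SAMPLE_LOG, KNOWN_DEVICES):
        print(alert)
```

A single password change from a known device (alice) or a recovery-phone change hours after login (carol) does not fire; bob's three changes within six minutes of a login from an unknown device do, and the alert points at the recovery email that was valid before the takeover.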
Since there is no login or registration here, technically there’s no account to be taken over. But guest checkout fraud and ATO can be intertwined. For example, after using a stolen card for guest checkout fraud, fraudsters might follow up with an account takeover. They can pull this off by getting hold of personal data during the checkout process and using it to hijack the user’s account on the same or another platform, where they can continue their fraudulent activities.
The issue here is the limited information available to analyse, with fewer device fingerprinting and behavioral data points, yet you can still leverage device details, IP addresses and behavioral patterns, as well as third-party data enrichment.
You’re making your users do the work for you when you ask them to fill out more than two fields (assuming one is a biometric) at the login stage. Even though you’re doing it to secure their experience, every extra piece of information you ask for is an effort on their part that they don’t feel they owe you.
Keeping an optimal balance between convenience and fraud protection requires a risk-based approach, where you add friction only when needed. And when it comes to authentication, consider biometrics, behavioral analytics, or both.
Collecting information from industry reports, webinars and forums is useful, but sometimes you might need more in-depth knowledge about evolving threats that is not available on the surface web. You can look into the deep web and dark web if you have the means, or consider cybersecurity experts specialized in this particular field. Whether this is necessary depends on how much fraud comes your way and what new patterns you may discover.
Also, don’t resort to overly strict rules that could generate a high number of false positives. Consider a versatile combination of attributes related to the email address, geo-location, network, lists of compromised credentials, behavioral data and device type, along with risk signals like the use of VPNs or Tor, a very long session without logout (you set the benchmark), a new dispatch address, etc.
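The following is an added example (not code from the original post) that serves both the rules-based scoring with manual-review prioritisation mentioned earlier and the combination of attributes just listed. Each signal contributes a weight rather than deciding on its own, so a single noisy indicator such as a corporate VPN does not reject a legitimate user, while several weak signals together still land an attempt in the review queue or block it. The weights, thresholds, disposable-domain list and sample events are constructed and would be tuned on your own data; it assumes breach-list, geo-IP and VPN/Tor lookups have already been resolved upstream.

```python
"""Rules-based risk scoring and manual-review triage for login attempts.

Added example, not code from the original post. It assumes the login pipeline
can hand each attempt to score_attempt() with the signals already resolved
(breach-list lookup, geo-IP, VPN/Tor detection done upstream). Weights,
thresholds and the sample events are constructed and would be tuned on your
own data.
"""
from dataclasses import dataclass, field

# Additive weights: no single signal decides, so one noisy indicator (a corporate
# VPN, a holiday trip) does not reject a legitimate user outright.
RULE_WEIGHTS = {
    "credential_in_breach_list": 40,
    "new_country": 20,
    "new_shipping_address": 20,
    "new_device": 15,
    "vpn_or_tor": 15,
    "disposable_email_domain": 15,
    "long_session_without_logout": 10,
}
LONG_SESSION_SECONDS = 12 * 3600                              # the benchmark is yours to set
DISPOSABLE_DOMAINS = {"mailinator.com", "tempmail.example"}  # constructed list


@dataclass
class LoginEvent:
    user: str
    email: str
    country: str
    device_id: str
    known_countries: set = field(default_factory=set)
    known_devices: set = field(default_factory=set)
    vpn_or_tor: bool = False
    credential_breached: bool = False
    session_seconds: int = 0
    shipping_address_changed: bool = False


def fired_rules(ev):
    """Names of the rules this event triggers, kept so reviewers see the reasons."""
    fired = []
    if ev.credential_breached:
        fired.append("credential_in_breach_list")
    if ev.country not in ev.known_countries:
        fired.append("new_country")
    if ev.shipping_address_changed:
        fired.append("new_shipping_address")
    if ev.device_id not in ev.known_devices:
        fired.append("new_device")
    if ev.vpn_or_tor:
        fired.append("vpn_or_tor")
    if ev.email.rsplit("@", 1)[-1].lower() in DISPOSABLE_DOMAINS:
        fired.append("disposable_email_domain")
    if ev.session_seconds > LONG_SESSION_SECONDS:
        fired.append("long_session_without_logout")
    return fired


def score_attempt(ev):
    """Return (risk score, fired rule names)."""
    fired = fired_rules(ev)
    return sum(RULE_WEIGHTS[r] for r in fired), fired


def triage(events, review_at=50, block_at=80):
    """Split events into blocked, review queue (highest risk first) and allowed."""
    blocked, review, allowed = [], [], []
    for ev in events:
        score, fired = score_attempt(ev)
        row = (ev.user, score, fired)
        if score >= block_at:
            blocked.append(row)
        elif score >= review_at:
            review.append(row)
        else:
            allowed.append(row)
    review.sort(key=lambda row: row[1], reverse=True)
    return blocked, review, allowed


# Constructed sample events.
SAMPLE_EVENTS = [
    LoginEvent("alice", "alice@example.com", "RO", "dev-a1",
               known_countries={"RO"}, known_devices={"dev-a1"}, session_seconds=3600),
    LoginEvent("bob", "bob@example.com", "RO", "dev-x9",
               known_countries={"RO"}, known_devices={"dev-b1"}, vpn_or_tor=True,
               session_seconds=14 * 3600, shipping_address_changed=True),
    LoginEvent("carol", "carol@mailinator.com", "DE", "dev-z2",
               known_countries={"RO"}, known_devices={"dev-c1"}, credential_breached=True,
               shipping_address_changed=True),
    LoginEvent("dave", "dave@example.com", "RO", "dev-d1",
               known_countries={"RO"}, known_devices={"dev-d1"}, vpn_or_tor=True),
]

if __name__ == "__main__":
    for bucket, rows in zip(("blocked", "review", "allowed"), triage(SAMPLE_EVENTS)):
        print(bucket, rows)
```

Dave's VPN alone scores 15 and is allowed, which is the point about not being overly strict; bob's four mid-strength signals add up to 60 and go to the top of the review queue; carol's breached credential plus new country, device, address and disposable email reach 110 and are blocked outright.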
With plenty of spoofing tools, fraudsters make it appear as if they are logging in from a device that matches the user’s usual profile, and you may end up not knowing who’s who. Fraudsters trick the system by altering details such as the device type, OS version, browser type and IP address. But, as the saying goes, “fool me once, shame on you; fool me twice, shame on me”, so you might tend to become overly cautious, casting suspicion on legit users. You’re cutting fraud off in its tracks (no ATO, no payment fraud, no chargebacks, no damage to brand reputation, and so on), but it comes at the expense of your revenue.
To increase precision, we recommend generating a unique fingerprint and cookie for each user at their initial login. Subsequently, gather information on the user's behavior and compare each session with previous ones. This process helps determine whether the individual interacting with the system is a genuine user or a potential fraudster.
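The following is an added example (not code from the original post) of the session-to-session comparison just described, and it also illustrates the earlier point that behavioral biometrics catch what a spoofed fingerprint hides. It assumes a client-side collector reports, per session, a device fingerprint hash and the intervals between successive keystrokes on the login form; a per-user baseline is built from previous sessions and a new session is checked against it for an unknown fingerprint, a typing cadence far from the user's own, and machine-like regularity. A hit leads to step-up authentication rather than an outright block, in line with adding friction only when needed. The history and candidate sessions are constructed.

```python
"""Comparing a new session with the user's previous ones.

Added example, not code from the original post. It assumes a client-side
collector reports, per session, a device fingerprint hash and the intervals
between successive keystrokes (ms) on the login form; the per-user history
and the candidate sessions below are constructed.
"""
import statistics

MIN_STDEV_MS = 5.0        # floor so a very consistent typist is not over-flagged
Z_LIMIT = 3.0             # distance from the user's own baseline that triggers step-up
ROBOTIC_STDEV_MS = 2.0    # humans do not type with near-constant cadence

# Constructed history: three earlier sessions for one user.
HISTORY = {
    "alice": [
        {"fingerprint": "fp-a1", "key_intervals_ms": [110, 120, 130, 115, 125]},
        {"fingerprint": "fp-a1", "key_intervals_ms": [105, 118, 128, 112, 122]},
        {"fingerprint": "fp-a1", "key_intervals_ms": [112, 124, 134, 119, 127]},
    ]
}


def session_features(session):
    """Summarise one session's typing cadence."""
    iv = session["key_intervals_ms"]
    return {"mean_ms": statistics.fmean(iv), "stdev_ms": statistics.pstdev(iv)}


def baseline(sessions):
    """Per-user profile: typical cadence across sessions and the fingerprints seen so far."""
    means = [session_features(s)["mean_ms"] for s in sessions]
    return {
        "mean_ms": statistics.fmean(means),
        "stdev_ms": max(statistics.pstdev(means), MIN_STDEV_MS),
        "fingerprints": {s["fingerprint"] for s in sessions},
    }


def assess_session(user, session, history):
    """Return a decision and the reasons; 'step_up' adds friction only when needed."""
    prof = baseline(history[user])
    feat = session_features(session)
    z = abs(feat["mean_ms"] - prof["mean_ms"]) / prof["stdev_ms"]
    reasons = []
    if session["fingerprint"] not in prof["fingerprints"]:
        reasons.append("unknown_fingerprint")
    if z > Z_LIMIT:
        reasons.append("typing_cadence_anomaly")
    if feat["stdev_ms"] < ROBOTIC_STDEV_MS:
        reasons.append("machine_like_regularity")
    return {"decision": "step_up" if reasons else "allow", "z": round(z, 2), "reasons": reasons}


def record_session(user, session, history):
    """Once a session is confirmed legitimate, fold it into the user's history."""
    history.setdefault(user, []).append(session)


# Constructed candidate sessions: a normal one, and one whose fingerprint matches
# the user's but whose input cadence is automated.
NORMAL = {"fingerprint": "fp-a1", "key_intervals_ms": [108, 121, 131, 116, 129]}
SPOOFED = {"fingerprint": "fp-a1", "key_intervals_ms": [45, 45, 46, 45, 45]}

if __name__ == "__main__":
    print(assess_session("alice", NORMAL, HISTORY))
    print(assess_session("alice", SPOOFED, HISTORY))
```

The spoofed session presents exactly the fingerprint the profile expects, so a fingerprint-only check would wave it through; the cadence comparison flags it on two independent grounds. Only sessions confirmed legitimate should be fed back through record_session, otherwise a fraudster's sessions gradually become the baseline.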
The KPIs in this matter are strongly related to the ATO rates mentioned earlier. After all, it’s all about keeping the fraud and false positives rates low and detection rate high.
Additionally, it’s important to track the balance between incidents reported by customers and the incidents your system detects proactively. More proactive detections mean your system is doing a good job. The benchmarks depend on the number of logins and the size of the user base. If you are using manual review, it’s also relevant to consider the number of reviews and how often they catch fraud, as well as the cost of automated tools. There are plenty of other options to consider, but these are the most relevant ones.
We are talking about different channels and environments with different fraud measures to be taken. You have login attempts via the mobile app, browser on desktop, and browser on mobile. Behavioral biometrics are analyzed differently according to the device type, and behavioral analytics can be collected from a larger pool of data when users log in on mobile devices.
You set the level of difficulty for fraudsters depending on the fraud trends you usually detect. You can block taking screenshots from apps, the use of RATs while in session, and the use of VPNs. Yet you have to make sure you are not hurting UX by being too cautious, especially with mobile-first users.
We go back to device fingerprinting and behavioral biometrics as key elements to solve the challenge, and consider a mobile-native solution with specific risk signals if you have traffic from mobile, and if your goals involve mobile engagement growth.
To sum up, here’s what you need to consider to address the above challenges.
Essentially, the core of our discussion boils down to achieving successful fraud detection by addressing the challenges above. By taking every issue and applying the corresponding solution, you can keep an edge over the most experienced fraudsters. It’s like assembling the perfect squad: fraud intelligence, behavioral analytics, automated tools, a flexible rules-based engine, and machine learning, if necessary.