Account takeover (ATO) attacks continue to be a painful problem, according to Aite-Novarica’s February Market Trends in Fraud, 2022 and Beyond report, and they cause consternation for organizations that run the gamut from financial services to e-commerce. If you are moving something of value, the fraudsters want to make an illicit profit from it.

In addition to potential fraud losses, these attacks are a major concern for all digital enterprises because their impact erodes customer trust and damages brand value, both of which are hard to earn back. While some may feel like sitting ducks, waiting for an ATO attack to happen, many are applying proven use cases to strengthen their organizations and prevent fraud-related damage.

Fraud professionals and industry analysts recognize that there is no ATO cure-all for this complex issue. Compromised credentials continue to be a problem, even after deploying multi-factor authentication (MFA). The optimal strategy is a layered approach to countering takeover attempts.

A key element of that defense is deflecting fraudsters at account opening and then validating profile changes or high-value transactions throughout the account lifecycle. The Socure ID+ family in general, and Socure Sigma Device combined with the Socure Phone RiskScore, Email RiskScore and Address RiskScore offerings in particular, are essential tools in your kit of ATO countermeasures to passively stop fraud and maintain an optimal customer experience. Below are some of the common use cases applied by Socure customers.

Account Profile Changes

Customers regularly change phone numbers and email addresses, but fraudsters can compromise credentials and redirect traffic to their own email or phone destination. Before accepting a change, many organizations validate the risk of the phone number, email address, or mailing address and check that the data is correlated with the presented identity. This validates the identity to stop potential ATO attacks.

Validating OTP Destinations

One-time passcodes (OTPs) are codes that are valid for only one login session or transaction. OTPs are usually sent via SMS to a mobile phone or to a destination email address, and they are frequently used as part of two-factor authentication (2FA). Validating the risk of the email or phone number destination, along with confirming that it corresponds to the expected consumer, can mitigate ATO attempts.

Address Validation for Mailing Credit Cards

Financial institutions (FIs) operate in both digital and physical environments. FIs distribute credit cards and debit cards via the postal service to reach consumers, and fraud rings attempt to redirect and intercept those mailings.

Before they put the envelope with the new card in the mail, most FIs validate the risk of the destination email address and check that it correlates with the expected consumer identity. Such checks can validate that the destination is a residential address rather than a commercial address or a jail, and can also confirm that the destination physical address correlates with the consumer identity.

Address Validation for High Value Goods Shipments

Fraudsters follow the Willie Sutton strategy. Willie Sutton, a notorious bank robber, was reputedly asked why he robbed banks, and responded, “Because that is where the money is.” Fraud rings trying to make a buck frequently focus on high value goods. Ecommerce merchants countering fraud in high-value transactions can validate the risk of physical delivery addresses along with the correlation between that address and the consumer identity to minimize the possibility of fraud.

Loyalty Fraud & Rewards Points Redemption

Rewards points redemptions happen in diverse industries from airlines to hotels to retail with gift cards. Loyalty fraud occurs when a person exploits or abuses your program for personal gain or criminal activity.

Gartner research in 2019 noted that 48 trillion points are unspent globally, with a value of $160 billion in the U.S. alone. Organizations can validate point redemptions and transfers by calling risk services to confirm that personally identifiable information (PII) and device data are consistent with a good transaction prior to an account payout.

Honing Your ATO Mitigation Strategy?

ATO is a painful and persistent problem that damages brand reputation and causes big fraud losses. Socure Sigma Device along with Socure Email, Phone, and Address RiskScore offerings can protect against ATO while maintaining the optimal customer experience by passively evaluating risk and correlation associated with identity elements like email addresses, phone numbers and physical addresses.

To learn more about best practices in countering ATO or to speak with one of our fraud experts, please give us a shout today.

Posted by Todd Thiemann

Todd is Senior Director for Product Marketing at Socure, where he manages marketing for Socure’s Fraud suite of offerings. Prior to Socure, Todd worked in cybersecurity and identity at companies including Arctic Wolf Networks, Nok Nok Labs, Vormetric/Thales, and Trend Micro.