SCA’s Success Pushes Account Takeover Fraud to New Heights

Although the application of Strong Customer Authentication (SCA) is still in its infancy, it is already clear that the more robust identity requirements better protect online payments against fraudsters looking to commit card fraud.
And while this is unquestionably good news, one of SCA’s key performance indicators is definitely bad news. Frustrated with SCA, fraudsters are looking elsewhere in the online shopping journey for vulnerabilities. And so it is that account takeover fraud is experiencing a revival and a period of rapid growth.
Account takeover is very much what it sounds like. Fraud rings compromise a consumer’s account with stolen or assumed login credentials and take over anything valuable associated with the account. In the first half of the year, these attacks increased by 229%, according to global e-commerce data from Signifyd.
The reasons why ATO is thriving are many and not surprising. Fraudsters are entrepreneurs. Like any entrepreneur, they constantly seek new opportunities and adapt with agility to changing market conditions.
SCA was a key change, making checkout fraud more difficult. Even before SCA was enforced, the number of valuable consumer accounts ripe for attack was growing. With the cost of digital advertising – and therefore the cost of acquiring customers – steadily rising, brands realized they could better retain the customers they had by encouraging them to open accounts online.
Retailers offered perks and loyalty points to customers who wanted to create an account on their sites. At the same time, poor consumer security habits have played into the hands of fraudsters. The typical consumer has dozens, if not hundreds, of online accounts, many of which are rarely used or long forgotten. Poll after poll reveals that consumers frequently reuse their passwords across the Internet.
Once a fraud ring has a consumer’s login credentials – either after stealing them or buying them in bulk on the dark web – it can create bot-driven programs to try the credentials on site after site in quick succession. Fraudsters then take control of the accounts they managed to breach.
Once in the account, the fraud ring can change email addresses and shipping and billing information. It has access to loyalty points, which the ring is free to use to its financial advantage. Most importantly, from the criminals’ perspective, it has access to payment information (i.e. a credit card) that it knows is valid and approved by the relevant merchant.
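The two stages described above (bot-driven credential testing, then changes to the breached account) leave a recognizable trail in authentication logs. The following is an added example, not code from the article or from any vendor it mentions: it flags sources that attempt many distinct accounts in a short window, then alerts on successful logins from those sources and on later email or shipping changes to the same accounts. The event format, thresholds, and sample log lines are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (not real data): (time, source IP, account, event type).
EVENTS = [
    ("2024-01-01T10:00:00", "203.0.113.7", "alice", "login_fail"),
    ("2024-01-01T10:00:02", "203.0.113.7", "bob", "login_fail"),
    ("2024-01-01T10:00:04", "203.0.113.7", "carol", "login_fail"),
    ("2024-01-01T10:00:06", "203.0.113.7", "dave", "login_ok"),
    ("2024-01-01T10:00:08", "203.0.113.7", "erin", "login_fail"),
    ("2024-01-01T10:01:00", "198.51.100.20", "frank", "login_fail"),
    ("2024-01-01T10:01:20", "198.51.100.20", "frank", "login_ok"),
    ("2024-01-01T10:02:00", "203.0.113.7", "dave", "email_change"),
    ("2024-01-01T10:03:00", "198.51.100.20", "frank", "shipping_change"),
]

WINDOW = timedelta(seconds=60)   # assumed burst window
MIN_ACCOUNTS = 4                 # assumed distinct-account threshold
LOGIN = {"login_fail", "login_ok"}
SENSITIVE = {"email_change", "shipping_change"}

def stuffing_sources(events, window=WINDOW, min_accounts=MIN_ACCOUNTS):
    """Return sources that tried >= min_accounts distinct accounts within window."""
    recent = defaultdict(deque)  # source -> (time, account) attempts still in window
    flagged = set()
    for ts, src, account, kind in sorted(events):
        if kind not in LOGIN:
            continue
        t = datetime.fromisoformat(ts)
        q = recent[src]
        q.append((t, account))
        while t - q[0][0] > window:  # drop attempts older than the window
            q.popleft()
        if len({a for _, a in q}) >= min_accounts:
            flagged.add(src)
    return flagged

def takeover_alerts(events, **thresholds):
    """Alert on logins that succeeded from a stuffing source and on later
    sensitive profile changes to those accounts, whatever their source."""
    bad = stuffing_sources(events, **thresholds)
    at_risk, alerts = set(), []
    for ts, src, account, kind in sorted(events):
        if kind == "login_ok" and src in bad:
            at_risk.add(account)
            alerts.append(("suspect_login", account, src))
        elif kind in SENSITIVE and account in at_risk:
            alerts.append((kind, account, src))
    return alerts
```

The legitimate user who mistypes a password once ("frank" in the sample) touches only one account and is not flagged, which is the low-friction property the article asks retailers to preserve.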
Account takeover saves fraudsters from having to test batches of stolen credit cards to see which ones are valid. They know the credentials are valid and valuable on the dark web, where they can choose to sell them. Or they can get to work using stored payment methods to purchase products – focusing on SCA-exempt transactions – at no cost to themselves and have those items shipped to wherever they want for resale.
Taking over an account has other advantages in the age of SCA. Once in an account, fraud rings have access to loyalty points that can be converted to cash at select retailers. The stolen account may also contain digital gift cards, which are liquid assets that the fraud ring can email wherever it sees fit.
Obviously, all these scenarios are a disaster for both the consumer and the merchant. The consumer loses valuable points accumulated over months or years and faces the trauma and inconvenience of having their credit card compromised. The merchant faces the cost of fraud and suffers severe damage to their brand reputation and the lifetime value of the customer they were looking to improve by promoting the accounts online in the first place.
ATO will almost certainly continue to grow in the era of SCA, as it provides criminals with another source of income and allows them to assume the identities of their victims. Retailers will need to consider more sophisticated fraud defenses that protect accounts while ensuring that good customers are not turned away due to friction during the account creation process or the shopping experience itself.
Retailers will want to take a holistic approach to the entire purchase journey to disrupt a variety of fraudulent attacks at different stages. A fraud protection platform that understands the identity and intent behind every online interaction provides comprehensive protection.
With that overview, a complete platform can detect account takeover and block a transaction from that account at the time of payment. That said, here are some steps retailers can take to navigate the fraud landscape that has been reshaped by the application of SCA:
- Compile a shortlist of trade protection platforms by researching customer reviews and asking industry peers for recommendations.
- Study the opinions of industry analysts (there are many) and consider a consultation.
- Consider the size and breadth of the vendors’ merchant network to determine the wealth of information each can offer.
- Don’t stop at the current state. Explore vendor product roadmaps. Which vendor’s future vision matches your company’s vision? Which has shown that it can deliver the promised products on time?
- And while you can’t rely on your gut alone, don’t neglect it entirely either.
Early assessments of SCA’s anti-fraud power are encouraging. It’s now up to retailers to consider the entire buying journey to ensure they don’t spoil SCA’s early success.