The Retailer Winter Edition 2022

THE RE TA I L ER

1 6

THE NEVER-ENDING STORY OF ATO

Ryan Gosling Commercial Director Callsign

A ccount Takeover Fraud is still a fact of life – Ryan Gosling thinks it’s the right time we turned it into fiction. New technologies bring new problems. That’s something that we all know and accept as the price of progress. That acceptance is based on the understanding that somewhere along the line, those problems will be fixed. So it’s somewhat frustrating that one of the oldest and problems ever introduced by technol ogy still persists to this day: Account Takeover Fraud, orATO. And given that it’s costing industry an estimated $26 billion a year, it’s something that desperately needs fixing. Why is ATO still an issue? One reason is the aforementioned march of progress. As soon as new technologies emerge, bad actors are quick to evolve their own tools and techniques to exploit both them and their users. It’s a kind of digital arms race, and one that we are currently losing. Another is that for cyber criminals, it can often be easy. It’s far from uncommon for accounts to be securedwith little more than a username and a password. The ‘little more’ is very often a possession factor, such as an SMS OTP. That’s the equivalent of an open door. Passwords can be bypassed by credential stuffing attacks, or just bought outright. SMSwas not designed with security in mind; and as a result, it’s easily bypassed by techniques such as SIM swap and SS7 attacks. And that’s before we even get into the more advanced approaches that bad actors have at their disposal to gain access to accounts – a wide range of malware, bots, Remote Access Tools (RATs), scripted attacks, as well as social engineering and data scraping techniques to obtain personal details. An open stage for bad actors

Fraud with a high ROI ATO is a very cost-effective attack vector for fraudsters. With so many accounts relying on outdated authentication mechanisms, bad actors find themselves able to plunder high value accounts with minimal effort. And any type of account is potentially prof itable. A rapidly evolving trend is attacks on loyalty accounts. It may come as a surprise to learn that the value of unspent loyalty points is estimated to be in the region of hundreds of billions of dollars, but when you consider that those points may be used for discounts on big ticket items or even first class flights, it’s easy to see how it all adds up. A cost beyond just revenue It isn’t a simple case of high profits for bad actors translating into high costs for businesses and their customers. It’s a fraud vector that cuts far deeper. For certain, the revenue impact for businesses is massive – $26bn isn’t exactly small change. For the actual victims, every single instance of fraud is traumatic at the very least, and ruinous at worst. It’s one of the reasons that ATO is in the headlines on a daily basis – fraud victims can and will take to social media or talk to the press about their dissatisfaction. That can result in reputational damage that’s even more severe than any financial losses for an organization. Customer trust is a fragile thing, and ATO can shatter it. In fact, 45% of consumers stated that they lose trust in a business even if it’s just mentioned in a scam message. ATO is also firmly on the radar of the authorities and regulators, with massive fines far from unusual. In 2021 GDPR fines saw a 600% rise, to over €1.1bn in total. And there’s there are the downstream costs that outmoded authentication methods incur. As well as being expensive to operate, methods such as SMS OTP add undue friction to the user journey. And in a world where the password reset has become the new login, it’s not only incredibly risky to rely on just passwords and OTPs for account access, both are contributing factors to cart abandonment.

Closing the chapter on ATO Taken as a whole, the collateral effects of ATO read like a bad novel. It’s uncomfortable reading: no businesswants to be told that its security can be cracked, or that its revenue and reputation is at risk. But unless action is taken, that’s the way things are going to remain. The good news is that there are defences against ATO, steps that organisations can take to protect themselves and their customers. The clearest and most obvious is to address any shortfalls around authentication and account access. Introducing additional factors is a step in the right direction, but those factors need to pro vide security. Relying on SMS OTPs for 2FA isn’t the answer. As well as being easy to bypass it puts a business in the dangerous position of authenticating in a channel that bad actors routinely use to scam their victims. The real solution is to move away from just replicating analogue authentication journeys. Digital transactions in a digital world need digital authentication. That means adopting a layered intelligence approach such as Callsign, which considers factors ranging from Muscle Memory Technology – Callsign’s advanced behavioural biometrics –with device and threat information. This not only vastly improves account security, it represents an important paradigm shift from trying to detect fraud signals to looking to positively identify genuine users. By doing so, businesses can hugely reduce the obstacles to speedy payments, and also cut the high costs of additional step-ups and false positives. All of this is achievable. ATOmay be a problem today; but it’s within all of our grasps to see it relegated to the history section.

Ryan Gosling ryan.gosling@callsign.com www.callsign.com