Key Tips to Prevent ATO Fraud from Happening to Your Business
The chaos caused by fraud is a constant worry for online merchants, and as sales and payments become more mobile, new frontiers have emerged for fraudsters to exploit. The pandemic has only heightened this, as people across the world were obligated to remain indoors and moved their shopping fully online.
Online transactions are predicted to grow 21% in 2021 and will comprise 95% of all payments by 2040, and that’s the good news. However, the bad news is that fraudulent online transactions have continued to accelerate as well, costing businesses billions.
Online fraud takes many shapes, with ‘cyberfraud’, the theft of digital information, being the most commonly reported. Fraudsters, never missing an opportunity for a quick buck, are working harder than ever to steal customer data in order to gain access to their accounts and personal information, solely for the purpose of committing crimes.
Once customer information is stolen, it can quickly result in account takeover (ATO) fraud, whereby cybercriminals use stolen credentials to access one or multiple accounts, which can be significantly more damaging than a stolen credit card or a few fraudulent purchases.
Merchants have an essential responsibility to help protect customer data, but what exactly are businesses to do? In order to secure your customers’ identities and other personal data, start with the following:
Increase customer account protections using multi-level authentication
Mandating multi-factor authentication for any change to your customer’s personal data is important in combating ATO fraud. While a hacker might have access to a password, their takeover attempt can be stopped if they don’t also control the phone number or email address affiliated with the account.
A few of these tools and practices include:
Address verification services
Confirm email addresses
Phone number verification
Chargeback fraud alerts
Matching billing and shipping addresses
Card verification value (CVV) security codes
Biometric validations like device fingerprinting
Data stewardship: Train customers on strict password policies and restrict access to sensitive cardholder data in your system
Work with your IT and product teams to educate customers on more advanced password creation techniques, such as using the first letter of every word in a passphrase, augmented with numbers and symbols. Where a one-time password (OTP) is used, whether as part of multi-factor authentication, a password reset or otherwise, customers must be alerted to the danger of OTP fraud: an OTP must never be shared.
While it may seem like table stakes, securing passwords and ensuring proper autofill use for your customers is one of the most important and simplest means of combating cyberfraud and ATO risk. Surprisingly, the most popular password in 2020 was “123456” and the second-most popular was “123456789.” While your customers’ passwords might not be this easy to guess, most people use some variation of the same password across different accounts. Once they are guessed or stolen, hackers can quickly and easily take over several different accounts, leaving victims to deal with the mess.
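The common-password problem described above is easiest to counter at registration and password-change time, by rejecting not only the exact entries of a leaked-password list but also the trivial variations customers bolt onto them. The checker below is an added example, not code from the original article; the deny list is a constructed handful of well-known passwords (a real deployment would load a full breached-password list), and the 12-character minimum and the substitution table are assumed policy choices.

```python
import re

# Constructed sample of frequently leaked passwords (the article's "123456" and
# "123456789" among them); a real deployment would load a large breached-
# password list instead of this handful.
COMMON_PASSWORDS = {
    "123456", "123456789", "password", "qwerty", "111111",
    "abc123", "iloveyou", "letmein", "welcome",
}

MIN_LENGTH = 12  # assumed policy minimum, not a figure from the article

# Substitutions people apply to a base word while believing it is now "strong".
LEET_MAP = str.maketrans({
    "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t",
    "@": "a", "$": "s", "!": "i",
})


def candidates(password: str) -> set[str]:
    """Forms of the password that are also compared with the deny list, so that
    Password1!, p@ssw0rd or Qwerty123456!! are caught as variations."""
    lowered = password.lower()
    stripped = re.sub(r"[^a-z0-9]+$", "", lowered)  # drop trailing symbols
    forms = {
        lowered,
        stripped,
        lowered.translate(LEET_MAP),
        stripped.translate(LEET_MAP),
    }
    for form in list(forms):
        # A word followed only by digits: compare the bare word as well
        # (an all-digit password such as 123456 is kept whole).
        match = re.match(r"^([a-z].*?)\d+$", form)
        if match:
            forms.add(match.group(1))
    return forms


def check_password(password: str) -> list[str]:
    """Return the list of policy violations; an empty list means acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if any(form in COMMON_PASSWORDS for form in candidates(password)):
        problems.append("matches a common password or a trivial variation of one")
    return problems


if __name__ == "__main__":
    samples = ["123456", "Password1!", "p@ssw0rd", "Qwerty123456!!",
               "correct-horse-battery-staple"]
    for pw in samples:
        print(f"{pw!r}: {check_password(pw) or 'ok'}")
```

The normalisation step is what makes the check worthwhile: a plain set lookup would accept "Password1!" while rejecting "password", which is exactly the gap an attacker working from a leaked list exploits.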
Any cardholder or other sensitive data that could enable ATO fraud should be properly organized and secured within your system, and made available only to the applications that directly pertain to payments.
Get ready for the adoption of Strong Customer Authentication (SCA)
One trend worth keeping an eye on is the broader mandate of SCA globally. Beginning with the European Union’s Revised Payment Services Directive (PSD2), the practice is spreading to other countries, which have begun writing their own SCA requirements. American businesses should get ready now to adhere to SCA criteria, not only to stay ahead of the curve, but to adopt prudent rules that protect customers while keeping the checkout process streamlined.
SCA requires that at least two of the following independent authentication factors be presented to the payment provider when a business attempts a transaction:
Knowledge: a PIN or password that only the customer knows
Possession: a device, such as a mobile phone or tablet, or a credit card, that only the customer holds
Inherence: something inherent to the customer, such as a personal feature unique to an individual, like fingerprints
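The factor categories above, together with the earlier point that changes to a customer’s personal data should be gated behind multi-factor authentication, reduce to one policy decision: does the session hold verified factors from at least two different categories? The code below is an added example, not code from the original article or any payment provider; the category names follow the list above, while the set of sensitive fields and the allow/step-up decisions are assumed policy choices.

```python
from dataclasses import dataclass
from enum import Enum


class Category(Enum):
    KNOWLEDGE = "knowledge"    # PIN or password only the customer knows
    POSSESSION = "possession"  # phone, tablet, card or token only the customer holds
    INHERENCE = "inherence"    # fingerprint, face or another biometric


@dataclass(frozen=True)
class Factor:
    name: str
    category: Category
    verified: bool  # whether the check actually passed in this session


# Assumed policy (not from the article): fields whose change typically
# precedes a takeover, so they must be protected by SCA-grade authentication.
SENSITIVE_FIELDS = {"email", "phone", "password", "shipping_address", "payment_method"}


def satisfies_sca(factors) -> bool:
    """SCA is met when at least two *verified* factors come from two *different*
    categories; a password plus a security question are both knowledge and do
    not count, and an unverified OTP contributes nothing."""
    categories = {f.category for f in factors if f.verified}
    return len(categories) >= 2


def decide(action: str, changed_fields, factors) -> str:
    """Return 'allow' or 'step-up' for a payment or an account-profile change.

    'step-up' means the customer must be prompted for a factor from a
    category that has not yet been verified before the action proceeds."""
    if action == "transaction":
        return "allow" if satisfies_sca(factors) else "step-up"
    if action == "profile_change":
        if not set(changed_fields) & SENSITIVE_FIELDS:
            return "allow"  # cosmetic changes need no extra friction
        return "allow" if satisfies_sca(factors) else "step-up"
    raise ValueError(f"unknown action {action!r}")


if __name__ == "__main__":
    password = Factor("password", Category.KNOWLEDGE, True)
    otp = Factor("sms_otp", Category.POSSESSION, True)
    question = Factor("security_question", Category.KNOWLEDGE, True)
    print(decide("transaction", [], [password, otp]))            # allow
    print(decide("transaction", [], [password, question]))       # step-up
    print(decide("profile_change", ["email"], [password]))       # step-up
    print(decide("profile_change", ["newsletter"], [password]))  # allow
```

The independence rule is the part most often implemented incorrectly: counting the number of checks that passed, rather than the number of distinct categories, lets two knowledge factors satisfy a requirement that was meant to stop an attacker who already knows the password.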
For most retailers, keeping a frictionless checkout is necessary in order to minimize cart abandonment. There are a number of companies that offer solutions to help thwart fraud and provide a level of SCA compliance in the background, to help retailers drive the True Cost of Fraud towards zero and still boost sales.
Keeping Customers Protected and Increasing Trust
There are myriad ways to keep your customers protected from account takeovers, from mandating strong data stewardship to different multi-factor authentication systems. Ensuring your customers’ data is safe can not only save your business money, but also improve trust and consumer confidence. Keep these tips in mind to guarantee your business and customers remain protected.