SCA’s success is pushing account takeover fraud to new heights


By Ed Whitehead, Signifyd managing director, Europe. 

While strong customer authentication (SCA) enforcement is still in its early days, it’s already clear that the more robust identity requirements are better protecting e-commerce checkout from fraudsters looking to commit payments fraud.

And while that’s indisputably good news, one of the key indicators of SCA’s effectiveness is certainly bad news. Frustrated by SCA, fraudsters are looking elsewhere along the online shopping journey for vulnerabilities. And so it is that account takeover fraud is in the midst of a revival and a period of rapid growth.

Account takeover is very much what it sounds like. Fraud rings compromise a consumer’s account with stolen or surmised log-in credentials and take charge of everything valuable associated with the account. In the first half of the year, such attacks grew 229%, according to Signifyd’s global e-commerce data.

The reasons ATO is flourishing are several and not surprising. Fraudsters are entrepreneurs. Like any entrepreneur, they constantly seek new opportunities and agilely adjust to changing market conditions.

SCA was a key change, making fraud at checkout more difficult. Even before SCA enforcement, though, the number of valuable consumer accounts ripe for attack was growing. With the cost of digital advertising — and therefore the cost of customer acquisition — rising steadily, brands realised they could better hold onto the customers they had by encouraging them to open online accounts. 

Retailers offered convenience, perks and loyalty points to customers willing to set up an account on their sites. Meantime, poor security habits among consumers played into fraudsters' hands. The typical consumer has dozens, if not hundreds, of online accounts, many rarely used or long forgotten. Survey after survey reveals that consumers frequently reuse their passwords across the internet.

Once a fraud ring has a consumer’s log-in credentials — either after stealing them or buying them in batches from the dark web — it can create bot-driven programs to try the credentials on site after site in rapid succession. Fraudsters then seize control of the accounts they successfully breach. 

Once in the account, the fraud ring can alter email addresses and shipping and billing information. It has access to loyalty points that the ring is free to use to its financial advantage. And best of all from the criminals’ vantage point, it has access to payment information (i.e. a credit card) that it knows is valid and trusted by the merchant involved.

Account takeover saves the fraud ring the trouble of having to test batches of stolen credit cards to see which are valid. They know the credentials are valid and valuable on the dark web, where they can choose to sell them. Or they can get right to work using the stored payment methods to buy products — focusing on transactions exempt from SCA — at no cost to themselves and have those items shipped wherever they like for resale. 

Commandeering an account holds other advantages in the SCA era. Once in an account, fraud rings have access to loyalty points that can be converted to cash at some retailers. The stolen account might also contain digital gift cards, which are liquid assets that the fraud ring can have emailed anywhere they choose. 
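The takeover sequence described above (one source trying credentials on many accounts, a successful log-in, changed contact details, then a purchase with stored value) can be expressed as a simple correlation rule over a retailer's event log. The following is an added illustration, not Signifyd's method or code from the original article; the event names, thresholds and sample events are all constructed assumptions.

```python
from collections import defaultdict

# Constructed sample events: (time in seconds, source address, account, action).
EVENTS = [
    (0,  "203.0.113.7", "alice", "login_fail"),
    (1,  "203.0.113.7", "bob",   "login_fail"),
    (2,  "203.0.113.7", "carol", "login_ok"),
    (3,  "203.0.113.7", "dave",  "login_fail"),
    (4,  "203.0.113.7", "erin",  "login_fail"),
    (30, "198.51.100.4", "frank", "login_ok"),
    (40, "203.0.113.7", "carol", "email_change"),
    (55, "203.0.113.7", "carol", "shipping_change"),
    (60, "198.51.100.4", "frank", "checkout_stored_card"),
    (90, "203.0.113.7", "carol", "checkout_stored_card"),
]

WINDOW = 60          # seconds; assumed threshold
MIN_ACCOUNTS = 5     # distinct accounts per source within WINDOW; assumed
SENSITIVE = {"email_change", "shipping_change"}
CHECKOUT = {"checkout_stored_card", "gift_card_redeem"}

def stuffing_sources(events):
    """Sources that attempt log-ins on many distinct accounts within WINDOW."""
    attempts = defaultdict(list)
    for ts, src, acct, action in events:
        if action.startswith("login_"):
            attempts[src].append((ts, acct))
    flagged = set()
    for src, tries in attempts.items():
        tries.sort()
        for i, (start, _) in enumerate(tries):
            accts = {a for t, a in tries[i:] if t - start <= WINDOW}
            if len(accts) >= MIN_ACCOUNTS:
                flagged.add(src)
                break
    return flagged

def checkouts_to_block(events):
    """Checkouts on accounts entered from a stuffing source, then altered."""
    bad = stuffing_sources(events)
    entered, altered, block = set(), set(), []
    for ts, src, acct, action in sorted(events):
        if action == "login_ok" and src in bad:
            entered.add(acct)
        elif action in SENSITIVE and acct in entered:
            altered.add(acct)
        elif action in CHECKOUT and acct in altered:
            block.append((ts, acct))
    return block
```

On the sample data only the checkout on the altered account is held, while the ordinary returning customer's stored-card purchase passes untouched.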

Obviously, all these scenarios are a disaster for both the consumer and the merchant. The consumer loses valuable points built up over months or years and faces the trauma and inconvenience of having their credit cards compromised. The merchant faces the cost involved in fraud and endures serious damage to its brand reputation and the customer lifetime value it sought to enhance by promoting online accounts in the first place.

ATO will almost certainly continue to grow in the SCA era as the scheme provides criminals with another revenue stream and it allows them to assume the identity of their victims. Retailers will need to consider more sophisticated fraud defences that protect accounts while ensuring that good customers are not being turned away due to friction during the account-creation process or during the shopping experience itself. 

Retailers will want to take a holistic approach to the entire shopping journey to disrupt a variety of fraud attacks at different stages. A fraud protection platform that understands the identity and intent behind each online interaction provides comprehensive protection.

Having the big picture, a comprehensive platform can detect account takeover and block a transaction from that account at the checkout stage. That said, here are a few steps retailers can take to navigate the fraud landscape that’s been reshaped by the enforcement of SCA: 

  • Round up a shortlist of commerce protection platforms by researching customer reviews and asking industry peers for recommendations.
  • Study industry analyst reviews (there are plenty) and consider a consultation.
  • Consider the size and breadth of the providers’ merchant network to determine the richness of the insights each can offer.
  • Don’t stop with the present state. Dig into providers’ product road maps. Which vendor’s future vision aligns with your enterprise’s vision? Which has shown it can deliver the promised products in a timely fashion?
  • And while you can’t rely solely on your gut, don’t discount it entirely, either.

The early reviews of SCA’s fraud-fighting power are encouraging. Now it’s up to retailers to consider the entire shopping journey to ensure they don’t squander SCA’s initial success.
