Why Bots Are the Next Big Thing in Account Takeover Fraud

Andreas Wuchner

Account takeover fraud is a familiar term in cybersecurity, yet preventing it on e-commerce platforms remains a nuanced problem.

Retailers have historically focused their fraud systems on chargebacks. A chargeback happens when a customer buys something online with a credit card and then disputes the charge with the issuing bank despite having received the goods or services. Better known as friendly fraud, it makes it hard for retailers to tell trustworthy customers from fraudsters. Meanwhile, the weak security infrastructure of many e-commerce platforms leaves them increasingly exposed to a different threat: account takeover.

At the same time, trustworthy customers are frustrated by lengthy verification processes and by the risk of having their credentials stolen through account takeover fraud. Customers expect convenience when shopping online, yet they are continually asked to jump through security hoops to prove their identity and intentions.

What Is Account Takeover Fraud in E-commerce?

Traditional account takeover

Account takeover is a form of identity theft and fraud. It happens when someone gains control of an account using the customer’s credentials and makes unauthorized transactions on their behalf. This covers bank, email, and credit card accounts, and essentially any online account. Customers are targeted through phishing, malware, and spyware, and attackers also buy stolen passwords, personal information, or security codes from other cybercriminals. Audits of the dark web have uncovered more than 15 billion account credentials sitting in cybercriminal marketplaces, a 300% rise since 2018 (https://resources.digitalshadows.com/whitepapers-and-reports/from-exposure-to-takeover).

Once the cybercriminal controls the account, they can buy items on the e-commerce site, withdraw funds, change the account’s credentials, and from there gain access to the customer’s other accounts.

The cost falls directly on the customer, but retailers also lose revenue and reputation for their weak security, as customers move to competitors with more reliable online platforms.

Modern bots

Today, attackers release bots that can be programmed, using machine learning, to perform thousands or millions of account takeover attempts per minute. According to Gartner (2021), credential stuffing attacks (which enable account takeover) are one of the four leading types of malicious bot attack in e-commerce. Easy access to stolen credentials on the dark web, combined with users’ indifference to strong, unique passwords, has created a “business opportunity” for attackers, and the result is a surge in malicious bots and account takeovers. Whatever the size or industry of the e-commerce platform, every website left unprotected is exposed to such attacks.

Step-by-step: How modern account takeover happens

These are the steps that usually make up an account takeover:

  1. Attackers buy thousands or millions of account credentials on the dark web.
  2. They program bots, using machine learning, to hit website endpoints such as login, cart, and payment with those credentials, thousands or millions of attempts per minute.
  3. The bots try every username and password combination (known as “credential stuffing”).
  4. Wherever a combination works, the attackers log in to the account.
  5. The account’s personal data is harvested and the account itself is exploited: making payments, buying gift cards, draining loyalty points, and anything else the account permits.

Even when the bots are initially detected, they are sophisticated enough that 30% of them automatically change their IP address to remain undetected. Besides rotating IPs, they stay hidden by emulating real browsers, mimicking human behavior, or hiding inside legitimate user sessions. This is why e-commerce sites need security tooling that specifically addresses increasingly sophisticated bots.
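The steps above describe the attack from the attacker’s side; the defender sees it as a pattern in the login log. As an added example (not code from the article or from any bot-management product), the following Python checks a web server’s login log for credential stuffing and shows why IP rotation defeats the naive per-IP rule. The log format, the field names, the thresholds and every sample line are constructed assumptions, not captured data.

```python
"""Credential-stuffing detection over a shop's login log.

Added example, not the article's or any vendor's code. The log format, the
field names and every threshold are assumptions chosen for illustration, and
the sample lines are constructed, not captured from a real site.
"""
import re
from collections import Counter, defaultdict

# One record per request: timestamp, client IP, its autonomous system, the
# username submitted, the path and the HTTP status (401 = wrong credentials).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) asn=(?P<asn>\d+) user=(?P<user>\S+) "
    r"path=(?P<path>\S+) status=(?P<status>\d{3})$"
)

# Assumed thresholds; a real deployment derives them from its own baseline.
THRESHOLDS = {
    "per_ip_failures": 20,      # classic rate limit; a rotating bot stays below it
    "per_account_ips": 5,       # one account probed from many addresses
    "asn_distinct_users": 25,   # one network submitting many different usernames
    "global_min_attempts": 50,  # volume needed before the ratio rule is trusted
    "global_fail_ratio": 0.5,   # real customers succeed far more often than they fail
}

# Constructed legitimate traffic: a typo on bob's first try, then success.
LEGIT_LOG = """\
2021-11-20T10:00:00Z ip=203.0.113.7 asn=64496 user=alice@example.com path=/login status=200
2021-11-20T10:00:03Z ip=203.0.113.8 asn=64496 user=bob@example.com path=/login status=401
2021-11-20T10:00:09Z ip=203.0.113.8 asn=64496 user=bob@example.com path=/login status=200
2021-11-20T10:00:12Z ip=203.0.113.9 asn=64497 user=carol@example.com path=/cart status=200
"""


def rotating_burst(n, asn="64500"):
    """Constructed bot burst: each attempt comes from a fresh IP in one hosting
    ASN and tries a different leaked username; about one in twelve succeeds."""
    lines = []
    for i in range(n):
        status = 200 if i % 12 == 11 else 401
        lines.append(
            f"2021-11-20T10:01:{i % 60:02d}Z ip=198.51.100.{i % 254 + 1} asn={asn} "
            f"user=victim{i}@example.net path=/login status={status}"
        )
    return "\n".join(lines)


def parse(line):
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def analyze(log_text, thresholds=THRESHOLDS):
    """Aggregate login attempts per IP, per account, per ASN and globally."""
    fails_per_ip = Counter()
    ips_per_account = defaultdict(set)
    users_per_asn = defaultdict(set)
    attempts = failures = 0
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None or rec["path"] != "/login":
            continue
        attempts += 1
        users_per_asn[rec["asn"]].add(rec["user"])
        if rec["status"] == 401:
            failures += 1
            fails_per_ip[rec["ip"]] += 1
            ips_per_account[rec["user"]].add(rec["ip"])
    ratio = round(failures / attempts, 3) if attempts else 0.0
    return {
        "attempts": attempts,
        "global_fail_ratio": ratio,
        # Per-IP rule: only catches bots that do not rotate addresses.
        "noisy_ips": sorted(ip for ip, n in fails_per_ip.items()
                            if n >= thresholds["per_ip_failures"]),
        # Per-account rule: one account hammered from many addresses.
        "targeted_accounts": sorted(u for u, ips in ips_per_account.items()
                                    if len(ips) >= thresholds["per_account_ips"]),
        # Per-ASN rule: rotation inside one hosting provider still shares an ASN.
        "suspicious_asns": sorted(a for a, us in users_per_asn.items()
                                  if len(us) >= thresholds["asn_distinct_users"]),
        # Global rule: rotation cannot hide a site-wide jump in the failure rate.
        "global_alert": attempts >= thresholds["global_min_attempts"]
                        and ratio >= thresholds["global_fail_ratio"],
    }


if __name__ == "__main__":
    print("normal day:", analyze(LEGIT_LOG))
    print("during stuffing:", analyze(LEGIT_LOG + "\n" + rotating_burst(60)))
```

Run stand-alone, it analyzes the quiet log and then the same log with a 60-request rotating burst mixed in. The burst never trips the per-IP rule (one failure per address) or the per-account rule (one attempt per username), which is exactly the evasion described above; it is caught because the attempts still share one hosting ASN and because the site-wide login failure ratio jumps from about a third to nearly ninety percent. A production version would baseline that ratio per hour and per endpoint rather than use a fixed 0.5.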

How E-commerce Retailers Experience Losses Due to Bots

According to research by Riskified (2021), more than a quarter of e-commerce retailers are not equipped to handle account takeover attacks, and 2 out of 3 online customers walk away from a retailer and look for alternatives after experiencing an account takeover. As e-commerce grew during the pandemic, fraud followed suit. In the U.S., account takeover accounted for 43% of all fraud attempts in 2020, placing it among the top three fraud types hitting online retailers, and reports show account takeover fraud rose by 378% since the pandemic began. Juniper (2020) puts e-commerce fraud losses at $17 billion in 2020 alone and predicts they will exceed $25 billion within three years, making this a significant concern for online platforms.

In short, bot-driven account takeover fraud is adding friction to the customer experience, because retailers fail to deliver both security and convenience to their shoppers, and the result is lost customers and lost revenue.

Real-case examples of bot attacks

In one account takeover attack, the attackers sent 5.7 million requests over two days in a credential stuffing campaign. The bots rotated through 250,000 different IP addresses, 8,000 autonomous systems, and 215 countries. Against traffic spread that widely, traditional account security methods are out of date, and online retailers need to upgrade their defenses against bot attacks if they want to stay competitive.

Another e-commerce fraud case saw an account takeover attack peak at approximately 1,500 attempts per second. In the graph below, bot traffic is shown in red and legitimate traffic in green.

[Graph from PerimeterX showing the account takeover attack] (https://www.perimeterx.com/downloads/whitepapers/PerimeterX-Whitepaper-Five-Major-Threats-to-Holiday-E-commerce.pdf)

Clearly, over 90% of the attempts were malicious. And thanks to the thousands of IP addresses the bots cycled through, the attack achieved an 8% success rate, resulting in compromised customer accounts and lost revenue for the retailer.

3 Things E-commerce Retailers Can Do To Fight the Bots

1 Implement bot detection technologies to alleviate the burden on human customers

E-commerce retailers have tried to respond to bot attacks with methods that have proven unsatisfactory. Many retailers, for example, impose CAPTCHA challenges or other ways of asking customers to “prove their humanity” and jump through hoops at every step: interpreting an image of mashed-together letters and numbers, or picking out the images that contain a certain object. Gartner (2021), however, reports that such tests can be, and repeatedly are, beaten by determined attacker bots or by cloud-based solving tools.

Such measures also cost sales: CAPTCHA images saw a 50% abandonment rate, especially on mobile (https://www.gartner.com/document/4003160?ref=solrAll&refval=303836448), meaning half of customers never even get into the online platform.

E-commerce platforms should instead move the separation of bots from humans into the background and reduce the need for explicit tests of humanity. That, in turn, lets loyalty, engagement, and trust between customers and the business grow.

2 Analyze behavior of trustworthy customers to increase trust

By implementing behavioral analysis, retailers can observe how users act on the site: the timing and placement of mouse movements and clicks, typing rhythm, scrolling, and swipe patterns on mobile devices. For high-volume retailers with frequent user interaction, this is enough to build a behavioral norm for each specific customer, and any deviation from that norm can indicate fraud.

This is especially useful for e-commerce, because such platforms (along with retail banks and popular gaming sites) see frequent user interactions from which this data can be compiled and compared. Each interaction can be asked “Is this a human or a machine?” and then “Is this known or unknown behavior for this customer?”, segmenting users into known (low-risk) and unknown (moderate-risk) groups. In fact, 98% of human customers are legitimate and should be trusted.

The majority of human users have good intentions when dealing with an online business. Behavioral analysis therefore lets you raise security without distrusting your customers or sacrificing their experience.
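To make the two questions concrete, here is an added Python example (not the article’s code, nor any vendor’s) that builds a per-customer typing baseline from past sessions and classifies a new interaction first as human or machine, then as known or unknown behavior for that customer. The features (inter-keystroke gaps and pointer-path straightness), the thresholds and every session below are constructed for illustration; a real system uses many more signals.

```python
"""Behavioral baseline per customer: first "human or machine?", then
"known or unknown behavior for this customer?".

Added example, not the article's or any vendor's code. The features, the
thresholds and every session below are constructed for illustration; a real
system would use many more signals than typing cadence and one pointer path.
"""
from math import hypot
from statistics import mean, pstdev

AUTOMATION_MAX_CV = 0.05        # human typing jitter is far above 5% of the mean gap
AUTOMATION_MIN_STRAIGHT = 0.98  # scripted pointers move in near-perfect straight lines
KNOWN_MAX_Z = 3.0               # within 3 sigma of the customer's own history
MIN_KEYS = 3                    # fewer keystrokes than this carry no usable signal


def keystroke_features(key_times_ms):
    """Mean and spread (population std dev) of inter-key intervals in one field."""
    gaps = [b - a for a, b in zip(key_times_ms, key_times_ms[1:])]
    return mean(gaps), pstdev(gaps)


def mouse_straightness(points):
    """1.0 means the pointer went straight from first to last point; humans curve."""
    (x0, y0), (xn, yn) = points[0], points[-1]
    direct = hypot(xn - x0, yn - y0)
    path = sum(hypot(bx - ax, by - ay)
               for (ax, ay), (bx, by) in zip(points, points[1:]))
    return direct / path if path else 1.0


def build_profile(past_sessions):
    """The customer's norm: distribution of their mean typing gap over past sessions."""
    means = [keystroke_features(s["key_times_ms"])[0] for s in past_sessions]
    return {"mean": mean(means), "std": pstdev(means) or 1.0, "n": len(means)}


def classify(session, profile=None):
    """Return "bot", "known" or "unknown" for one login or checkout interaction."""
    keys = session["key_times_ms"]
    if len(keys) < MIN_KEYS:
        return "unknown"
    mean_gap, spread = keystroke_features(keys)
    cv = spread / mean_gap if mean_gap else 0.0
    # Question 1: human or machine? Replayed input has no jitter and scripted
    # pointers take the shortest path.
    if cv < AUTOMATION_MAX_CV or mouse_straightness(session["mouse"]) > AUTOMATION_MIN_STRAIGHT:
        return "bot"
    # Question 2: is this the customer we know? Needs a few sessions of history.
    if profile is None or profile["n"] < 3:
        return "unknown"
    z = abs(mean_gap - profile["mean"]) / profile["std"]
    return "known" if z <= KNOWN_MAX_Z else "unknown"


# Constructed data. Times are milliseconds since the first keystroke in the
# password field; mouse points are screen coordinates sampled on the way to "Pay".
CURVED_PATH = [(0, 0), (20, 30), (60, 50), (110, 40), (160, 0)]
STRAIGHT_PATH = [(0, 0), (40, 0), (80, 0), (120, 0), (160, 0)]
HISTORY = [{"key_times_ms": t} for t in
           ([0, 130, 300], [0, 180, 340], [0, 140, 320], [0, 200, 360], [0, 145, 310])]
HUMAN_SESSION = {"key_times_ms": [0, 120, 330, 470, 660], "mouse": CURVED_PATH}
BOT_SESSION = {"key_times_ms": [0, 50, 100, 150, 200], "mouse": STRAIGHT_PATH}
STRANGER_SESSION = {"key_times_ms": [0, 350, 820, 1210, 1650], "mouse": CURVED_PATH}

if __name__ == "__main__":
    profile = build_profile(HISTORY)
    for name, s in [("human", HUMAN_SESSION), ("bot", BOT_SESSION), ("stranger", STRANGER_SESSION)]:
        print(name, "->", classify(s, profile))
```

The returning customer types at roughly the cadence seen in their history and lands in the known (low-risk) group; the replayed session has identical 50 ms gaps and is rejected as a machine before any history is consulted; the session typing at three times the usual cadence is human but unknown (moderate-risk), which is the segment the adaptive authentication gate in the next section should challenge.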

3 Implement adaptive authentication: low-risk versus high-risk activity

Adaptive authentication is a way of deploying two-factor or multi-factor authentication that selects which factors to demand based on the customer’s habits and risk profile, adapting the authentication method to the situation.

There are two main benefits to this approach. Users get a seamless shopping experience, and the retailer gets to evaluate and analyze each interaction, distinguishing trustworthy customers from fraudulent bots without revealing its risk-mitigation strategy to the fraudsters. A bot posing as a trustworthy customer may show normal human behavior at login or at the start of a session, but a strategically placed authentication gate can block the transaction or activity once it becomes high risk (such as making a payment). During low-risk activity (browsing the store, adding items to the cart, checking notifications), authentication can be more lenient so that it does not disrupt the user experience. Every high-risk event and every high-value asset has an adequate protection measure in place that stays invisible to the user, so strong security is coupled with a seamless customer experience.
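The following added Python example (not the article’s code, nor any product’s) shows such a gate as a policy function. The action names, the risk tiers, the session signals and the thresholds are assumptions; the behavior label is the kind of verdict the behavioral analysis described above would produce, refreshed on every step.

```python
"""Adaptive authentication gate: lenient on low-risk actions, a second factor
on high-risk ones, a silent block for automation.

Added example, not the article's or any vendor's code. The action lists, the
session signals and the thresholds are assumptions chosen for illustration.
"""
from dataclasses import dataclass
from typing import Optional

LOW_RISK = {"browse", "search", "add_to_cart", "view_notifications"}
HIGH_RISK = {"checkout", "buy_gift_card", "redeem_points", "change_email",
             "change_password", "add_payment_method"}
MFA_FRESHNESS_S = 15 * 60    # one recent second factor covers further high-risk steps
HIGH_VALUE_AMOUNT = 500.0    # orders at or above this always get a second factor


@dataclass
class Session:
    behavior: str              # "known", "unknown" or "bot" from the behavioral layer
    known_device: bool         # device previously bound to this customer
    mfa_age_s: Optional[int]   # seconds since the last second-factor success, or None


def decide(action, session, amount=0.0):
    """Return (decision, reason). The reason is for logs, never for the client:
    the user sees either the page, an OTP prompt or a generic error."""
    if session.behavior == "bot":
        return "block", "automation detected"
    if action in LOW_RISK:
        return "allow", "low-risk action"
    if action not in HIGH_RISK:
        return "step_up", "unclassified action treated as high-risk"
    if amount >= HIGH_VALUE_AMOUNT:
        return "step_up", "high-value transaction"
    fresh_mfa = session.mfa_age_s is not None and session.mfa_age_s <= MFA_FRESHNESS_S
    if session.behavior == "known" and session.known_device and fresh_mfa:
        return "allow", "known behavior, bound device, fresh second factor"
    return "step_up", "high-risk action without enough accumulated trust"


def journey(steps, session):
    """Walk (action, amount, behavior) triples: the behavioral layer's latest verdict
    is fed into each step, and a passed step-up refreshes the MFA timestamp."""
    decisions = []
    for action, amount, behavior in steps:
        session.behavior = behavior
        decision, _ = decide(action, session, amount)
        decisions.append(decision)
        if decision == "step_up":
            session.mfa_age_s = 0    # assume the customer passed the challenge
        elif decision == "block":
            break
    return decisions


if __name__ == "__main__":
    shopper = Session(behavior="known", known_device=True, mfa_age_s=None)
    print(journey([("browse", 0, "known"), ("add_to_cart", 0, "known"),
                   ("checkout", 80.0, "known"), ("redeem_points", 0, "known")], shopper))
    stuffed = Session(behavior="unknown", known_device=False, mfa_age_s=None)
    print(journey([("browse", 0, "unknown"), ("add_to_cart", 0, "unknown"),
                   ("buy_gift_card", 100.0, "bot")], stuffed))
```

The returning shopper browses and fills the cart with no prompt, is challenged once at checkout, and then redeems points without a second prompt because the factor is still fresh. The session logged in with stuffed credentials looks merely unknown while browsing and is left alone, which is the lenient low-risk path; the moment it reaches the gift-card purchase with the behavioral layer now reporting automation, it is blocked. Unclassified actions fall through to a step-up rather than an allow, so a newly added endpoint is never silently unprotected.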
