
Merchants need ATO protection at both login and checkout – here's why

Account takeover (ATO) can be detected and prevented at both login and checkout. While this gives merchants more opportunity to stop fraudsters from monetizing attacks, it also requires multiple layers of protection.

11 February 2025


In a time when price, convenience and variety are king, the global network of merchants and customers is growing every day, with 5.3 billion users expected to participate in online shopping by 2027.

But there is a dark side to ecommerce. For merchants and customers, partaking in this global market entails the risk of falling victim to account takeover attacks (ATO) – a term that describes fraudsters’ attempts to take over the user accounts of legitimate shoppers.

In this article, we’ll explore the role of ATO protection checkpoints at both the login and checkout stages of the customer journey. We’ll also demonstrate why a combined approach that involves both is required to effectively protect customer data and your bottom line.

What makes account takeovers a challenge?

ATO attacks can be very sophisticated and, even with the right tools, there are many factors that make them challenging to detect and prevent. Threats can come from multiple techniques such as credential stuffing, social engineering and malware.

Professional fraudsters will often seek to blend in with normal patterns of user traffic and customer behavior. Of course, fraudsters continuously experiment with different tactics to discover and exploit vulnerabilities in merchant security and customer behavior to more effectively monetize their attacks.

All of this makes it challenging for merchants to differentiate legitimate users from fraudsters and stay on top of emerging fraud trends.

Figure: The consequences of ATO are vast – and not always obvious.


Contrary to popular belief, ATOs are not simply about the login stage of the customer journey. ATO attacks also have the potential to impact the checkout stage of the customer journey.

This has three major implications:

  1. Non-centralized data: The data required to understand, detect and prevent attacks isn’t centralized but scattered across login, pre-auth checkout and post-auth checkout. For fraud managers, consolidating this data is a challenge in itself. This makes ATO hard to identify, and makes it tempting to ignore the problem in favor of more straightforward fraud types.

  2. Two attack surfaces: Both login and checkout require protection. Neglecting login protection entails the risk of breached accounts and compromised data, while ignoring checkout protection means there is no last line of defense to stop fraudsters from monetizing attacks that bypass login protection.

  3. Severe consequences: There isn’t a single metric at login or checkout that captures the size and severity of a merchant’s ATO problem. The consequences of ATO are expansive: stolen personally identifiable information (PII), customer churn, increased customer service and marketing costs, brand damage, profit erosion and legal fines. Merchants need to analyze the full customer journey to determine the total cost of ATO for their business. Ignoring any one means you’re underestimating the potential size of the problem, now or in the future.

Ravelin provides ATO protection at two key stages of the customer journey: login and checkout. Each plays a distinct but vital role in preventing ATO attacks.

Let’s explore how each of these stages works, and their respective strengths and limitations.

Figure: ATO checkpoints at Ravelin. Checkpoints allow us to protect accounts along the entire customer journey.

ATO protection at login: Strengths and limitations

Safeguarding user accounts is the first line of defense against the constant threat of ATO.

The aim of login protection is to detect and prevent unauthorized individuals from gaining access to the accounts of legitimate users. By analyzing a range of key data points including login location, device information, user behavior patterns, and Ravelin’s own data enrichment, a combination of rules and machine learning models work together to identify anomalies that may signal potential ATO activities.

Strengths

The major advantage of ATO protection at login is stopping attacks before they cause any harm. That means a fraudster never gains access to a user's account and has no opportunity to steal PII or monetize the attack. Stopping attacks before they cause harm is the best-case scenario every merchant should aspire to.

ATO protection at this stage is a good response to credential stuffing attacks. Many customers reuse passwords across multiple platforms. This practice provides fraudsters with the ammunition for credential stuffing attacks, in which stolen credentials are replayed in automated attacks against public endpoints that can belong to different organizations. So, even though your company might not be responsible for a data breach, you can still suffer the consequences if stolen credentials are used to successfully attack your service.
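To make the login checkpoint described above concrete, here is an added example (not Ravelin's code, and not the rules or models the article refers to) of how a login-time risk evaluation can combine the per-account signals from the previous paragraphs (new device, new login country) with the classic credential-stuffing signature of the paragraph just above: one IP address cycling through many distinct accounts inside a short window with a very low success rate. The thresholds, score weights, class names and sample events are all constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class LoginEvent:
    """One login attempt as the checkpoint sees it (constructed sample shape)."""
    account: str
    ip: str
    device_id: str
    country: str
    success: bool
    ts: int  # seconds; constructed timestamps in the demo below


@dataclass
class AccountProfile:
    """What the merchant already knows about an account's normal logins."""
    known_devices: set = field(default_factory=set)
    known_countries: set = field(default_factory=set)


# Hypothetical thresholds; a real deployment tunes these against its own traffic.
STUFFING_WINDOW = 300          # seconds of history kept per source IP
STUFFING_MIN_ACCOUNTS = 20     # distinct accounts attempted from one IP in the window
STUFFING_MAX_SUCCESS_RATE = 0.1  # stuffing runs mostly fail; real users mostly succeed


class LoginCheckpoint:
    def __init__(self, profiles):
        self.profiles = profiles                      # account -> AccountProfile
        self.ip_attempts = defaultdict(list)          # ip -> [(ts, account, success)]

    def _stuffing_signal(self, ev):
        # Keep only attempts from this IP inside the sliding window.
        window = [a for a in self.ip_attempts[ev.ip] if ev.ts - a[0] <= STUFFING_WINDOW]
        self.ip_attempts[ev.ip] = window
        distinct_accounts = {a[1] for a in window}
        if len(distinct_accounts) < STUFFING_MIN_ACCOUNTS:
            return False
        success_rate = sum(1 for a in window if a[2]) / len(window)
        return success_rate <= STUFFING_MAX_SUCCESS_RATE

    def evaluate(self, ev):
        """Return (action, reasons) for one attempt; action is allow/challenge/block."""
        self.ip_attempts[ev.ip].append((ev.ts, ev.account, ev.success))
        score, reasons = 0, []
        if self._stuffing_signal(ev):
            reasons.append("credential_stuffing_ip")
            score += 60
        if ev.success:
            profile = self.profiles.setdefault(ev.account, AccountProfile())
            # Only flag deviations once the account has some history to deviate from.
            if profile.known_devices and ev.device_id not in profile.known_devices:
                reasons.append("new_device")
                score += 25
            if profile.known_countries and ev.country not in profile.known_countries:
                reasons.append("new_country")
                score += 25
        action = "block" if score >= 60 else "challenge" if score >= 25 else "allow"
        if ev.success and action == "allow":
            # Learn from logins we were happy with, never from challenged or blocked ones.
            profile = self.profiles[ev.account]
            profile.known_devices.add(ev.device_id)
            profile.known_countries.add(ev.country)
        return action, reasons


if __name__ == "__main__":
    cp = LoginCheckpoint({"alice": AccountProfile({"dev-A"}, {"GB"})})
    print(cp.evaluate(LoginEvent("alice", "203.0.113.5", "dev-A", "GB", True, 100)))
    print(cp.evaluate(LoginEvent("alice", "198.51.100.7", "dev-Z", "US", True, 200)))
    # Constructed stuffing run: 25 different accounts from one IP in 25 seconds.
    for i in range(25):
        last = cp.evaluate(LoginEvent(f"acct-{i:03d}", "198.51.100.9", "dev-bot", "NL", False, 1000 + i))
    print(last)
```

The point of the IP-level signal is that it works even when every individual attempt looks harmless: a failed login against an account with no prior history carries no per-account signal at all, which is exactly why credential stuffing has to be detected on the aggregate. Note that a successful login that arrives inside an active stuffing window is still blocked, since the success is the one the attacker was looking for.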

Limitations

Login protection plays a pivotal role in your platform security. But it's important to acknowledge its inherent limitations, because login protection does not guarantee you will never be the target of ATO attacks, nor that they will never be successful.

A key limitation of login protection is the sheer diversity of ATO attack patterns, which aim to exploit weaknesses in even the tightest security systems, especially the human factor.

ATO protection at login can mitigate the risk of credential stuffing attacks, but it isn’t an impenetrable shield against the full arsenal of ATO threats.

Exploitation of your users can also take the form of user manipulation, specifically social engineering, where fraudsters manipulate users into willingly divulging sensitive information such as passwords and 2FA passcodes. Unfortunately, additional security measures like 2FA aren’t always foolproof; even the most sophisticated security system can do little to protect users when they fall prey to persuasive tactics and compromise themselves.

Note that there is an opportunity cost to ATO protection at login in the form of increased friction for customers. While more stringent security measures such as MFA and minimum password requirements can thwart potential threats, they may inadvertently create additional hurdles for genuine customers that lead to user frustration.

Striking the right balance between robust security and a seamless user experience is a delicate challenge for every business. But remember that friction itself isn’t bad when applied to the right people – fraudsters. Friction, when applied correctly, plays a key role in preventing the far greater consequences of ATO attacks that include compromised accounts, data breaches, chargebacks, fines and reputational damage.

Figure: Here's what criminals do with stolen accounts.

ATO protection at checkout: Strengths and limitations

If ATO protection at login is the gatekeeper of platform and account security, protection at the checkout checkpoint is the last line of defense against ATO. While login protection focuses on fortifying the point of entry, checkout protection aims to prevent fraudsters from placing unauthorized transactions using accounts they have successfully managed to breach.

Strengths

If a fraudster has managed to compromise an account, our first priority ought to be to prevent them from monetizing the attack by placing unauthorized orders. Checkout protection can blunt the economic impact of an ATO attack by preventing fraudsters from placing orders using saved payment methods. This averts situations where customers raise a dispute and the merchant receives a chargeback. In this sense, ATO checkout protection can reduce the bleeding from an ATO attack.

Because the fraudster has already taken some action on the platform, more data is available for checkout protection to identify potentially fraudulent activity, which can lead to improved recommendation performance. For example, machine learning models can evaluate multiple factors, such as whether contact details were changed post-login, whether a new delivery address was added, whether the customer is ordering from a new location or a new merchant, and how the order compares with the customer’s purchase history.
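As an added illustration of the checkout checkpoint (example code written for this article, not Ravelin's models or rules), the function below scores an order on the signals the paragraph lists: contact details or password changed since login, a delivery address or country the customer has never used, an amount far outside their history, and whether a saved payment method is being used on an already-risky session. The weights, thresholds, dataclass names and customer history are constructed assumptions; a production system would learn them rather than hard-code them.

```python
from dataclasses import dataclass
from statistics import mean


@dataclass
class Order:
    account: str
    amount: float
    delivery_address: str
    country: str
    payment: str  # "saved_card" or "new_card" (constructed labels)


@dataclass
class SessionState:
    """Account changes made between login and checkout in this session."""
    contact_changed: bool   # email or phone edited post-login
    password_changed: bool


@dataclass
class CustomerHistory:
    """What this customer's legitimate past orders looked like."""
    addresses: set
    countries: set
    amounts: list


# Hypothetical score bands: below REVIEW approve, between the two step up, above decline.
REVIEW = 40
HIGH_RISK = 70


def checkout_risk(order, session, history):
    """Return (action, score, reasons) for one checkout attempt."""
    score, reasons = 0, []

    # Post-login account edits are the attacker preparing to lock the owner out or
    # to redirect 3DS/OTP challenges, so they weigh heavily.
    if session.contact_changed:
        reasons.append("contact_details_changed_post_login")
        score += 30
    if session.password_changed:
        reasons.append("password_changed_post_login")
        score += 20

    # Deviations from the customer's own history, only once history exists.
    if history.addresses and order.delivery_address not in history.addresses:
        reasons.append("new_delivery_address")
        score += 25
    if history.countries and order.country not in history.countries:
        reasons.append("new_order_location")
        score += 20
    if history.amounts and order.amount > 3 * mean(history.amounts):
        reasons.append("amount_far_above_history")
        score += 20

    # A saved card on a session that already looks risky is the monetization path
    # the article describes, so it raises the score further.
    if order.payment == "saved_card" and score >= REVIEW:
        reasons.append("saved_card_on_risky_session")
        score += 15

    if score >= HIGH_RISK:
        action = "decline"
    elif score >= REVIEW:
        action = "step_up_3ds"
    else:
        action = "approve"
    return action, score, reasons


if __name__ == "__main__":
    # Constructed history and sessions for one customer.
    hist = CustomerHistory({"12 High St, London"}, {"GB"}, [40.0, 55.0, 60.0])
    quiet = SessionState(contact_changed=False, password_changed=False)
    print(checkout_risk(Order("alice", 50.0, "12 High St, London", "GB", "saved_card"), quiet, hist))
    print(checkout_risk(Order("alice", 450.0, "99 Drop Point, Manchester", "GB", "saved_card"),
                        SessionState(contact_changed=True, password_changed=False), hist))
    print(checkout_risk(Order("alice", 50.0, "4 Rue Test, Paris", "FR", "saved_card"), quiet, hist))
```

Two design points follow from the article's own caveats. First, the contact-change signal is weighted so that it pushes a session past the step-up band on its own together with one other deviation: escalating to 3DS or an OTP is of little use if the phone number or email that receives the challenge was changed after login. Second, nothing here prevents the account from having been compromised in the first place; the function only decides whether this order is allowed to monetize it, which is exactly the scope the text assigns to the checkout checkpoint.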

Limitations

While ATO protection at checkout plays a pivotal role in mitigating the risks associated with fraudulent transactions, there are key limitations which must be acknowledged.

The major limitation is that checkout protection only becomes relevant once an account has been compromised. An already compromised account means fraudsters have plenty of opportunity to take advantage. They can modify account details (e.g. email, phone, password), spend account credit or money from saved cards, scrape personal information for exploitation, sell the account on the dark web, or commit identity theft. If this happens, fraudsters have been successful in compromising your defenses and exploiting your customers' data in some way, regardless of whether that occurs on or off your platform. ATO login protection, by contrast, is intended to protect accounts from being compromised in the first place.

Another limitation of checkout protection arises when the recommended action is ignored or bypassed by another security layer. For example, a suspicious transaction may be escalated to 3D Secure (3DS) authentication, but if the fraudster has changed the account details or is conducting a social engineering attack, they can still successfully monetize the attack.

Indeed, checkout protection can mitigate the economic impact of an ATO attack. But alone, these defenses are fragile and don’t necessarily prevent determined fraudsters from achieving their goal. In all, the best course of action is to protect your customers’ accounts at both of these key touchpoints.

Figure: The total cost of account takeovers.

The case for adopting ATO protection at both login and checkout

As we’ve seen, login and checkout protection play distinct roles in protecting your customers and business from ATO attacks.

Login protection is the first layer: it protects against the bulk of attacks and prevents them from becoming a problem. Checkout protection provides a second chance to thwart attacks that bypass login protection, preventing fraudsters from monetizing attacks and merchants from incurring financial losses.

When focusing on attack prevention, we must always remember the perpetrators. Fraudsters are creative, determined and continuously adapt their tactics to overcome defenses and discover new vulnerabilities. This contributes to a rapidly changing fraud landscape, where novel and previously unseen attack patterns may evade detection by rules, machine learning models and even customers themselves.

This is why embracing both login and checkout protection is critical. Each layer brings a unique set of strengths that compensates for the limitations of the other.

Combined, they are greater than the sum of their parts and provide the most robust protection against ATO.

It is not a question of whether you should rely on login or checkout protection. Both login and checkout protection should be adopted as part of a multi-layered security approach that is flexible, robust and able to adapt to rapidly evolving fraud patterns.

To explore how end-to-end ATO protection could help your organization, book a call with the Ravelin team today.
