
How do you safely restore customer access after an account takeover?

After a breach, customers don’t want to lose their accounts and start from scratch. With account takeovers rising against merchants, how can you restore your customer accounts to allow them to safely order again after an attack?


When a fraudster gains access to a genuine account, this is known as account takeover (ATO), and it carries serious risks for online merchants.

Ravelin's latest survey of the online fraud landscape revealed that merchants rate account takeovers as the second worst type of attack against their business. Meanwhile, ATO attacks have increased against 51.5% of merchants, with up to 20.2% of merchants reporting a significant increase in ATO activity.

Online merchants are being hit with multiple high-impact ATO attacks every month, with certain industries suffering at least one significant attack every week.

The widespread nature of ATO means hundreds or thousands of accounts could be impacted in a single attack.

Losing high volumes of accounts is bad for a merchant, but it’s also bad for the customer if they lose access to an account they have built up over months or even years. What's more, it is likely to negatively affect customer loyalty and brand image.

Customers want to reclaim control of their stolen accounts

After an account breach, genuine customers don’t want to have to start from scratch with a new account and lose all their previous order information, favourites or loyalty points.

Plus, if this is the only option available, merchants are at risk of losing a loyal customer to a competitor with a smoother sign-up process – or potentially losing out by offering new sign-up discounts and bonuses to existing customers, which might be bordering on promo abuse.

This is why we have ensured you can identify reclaimed accounts in Ravelin. Using the Dashboard, you can send us data to let us know that a customer account has been reclaimed.

This will display on the customer profile and show the date of the reclaim.

[Image: Ravelin account reclaimed]

When you have confirmed that an attack has impacted a genuine customer, we recommend that you also ask the customer to change their password immediately or force a password reset on the account.

Once the password has been changed and the account is fully secure, you can mark the account as reclaimed.

We strongly recommend that you only enable account reclaims when you are 100% sure that the fraudster has lost access to the account.

How reclaimed accounts work

When you mark an account as reclaimed, the system will know and take into consideration that there was a period during which this account was not controlled by its legitimate owner.

This way, the real account owner is not penalized for actions the fraudster took while in control of the account. The genuine customer's own activity continues to be monitored, as does the security of the reclaimed account.

In practice, a reclaim will:

  1. Remove the customer from the ATO network in our link analysis graph, Connect, so that the good customer does not remain in the bad network.
  2. Reset the rule conditions and features associated with that customer, so that the legitimate customer doesn't get blocked by rules or by a model based on behavior or attributes that were observed during the attack.

In other words, the ATO detection model will be able to tell that this account is now back with its legitimate owner.

At the same time, Ravelin will retain all this data, including activity that happened before the reclaim. This means that our models will still take into account genuine customer activity from before the attack.

As a result, you don’t lose the benefit of using data collected from the customer’s genuine orders and past behavior on your platform.

How do reclaimed accounts impact network link analysis?

Our graph database, Connect, allows you to quickly spot fraudulent networks by visually representing connections between customers, payment methods, addresses and more.

Here’s an example of an ATO network.

[Image: Connect ATO example]

In Connect, when an account is reclaimed, we reset the network connections around the customer in question.

We remove all connections with the account from before the reclaim date. However, these connections will be rebuilt after the reclaim if the customer reuses a device, email or card.

This means that a genuine customer will no longer appear to be in a fraudulent network once they have securely reclaimed their account.

[Image: reclaimed account on Connect]

Here's another example. Above, one device has been used to access four accounts (ZM, XT, YG and VM). ZM has been identified as a fraudster.

After the fraud team restored access to account VM for its genuine owner and ensured the fraudster could no longer access it, they marked it as a reclaimed account.

You can see a small round arrow on top of the VM circle, indicating visually that this account has been reclaimed and handed back to its rightful owner.
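The reclaim behaviour described above (dropping pre-reclaim connections, rebuilding them on later reuse of the same device, and thereby removing the customer from the ATO network) can be modelled with a small link graph. This is an added example written for this post, not Ravelin's own code or Connect's data model; the event layout, the device id and the dates are constructed, and it reuses the ZM/XT/YG/VM scenario from the screenshot.

```python
from collections import defaultdict
from dataclasses import dataclass

# Hypothetical minimal model of link-analysis events: one row per time a
# customer account touches a shared entity (device, email, card ...).
@dataclass(frozen=True)
class Event:
    customer: str
    entity: tuple   # e.g. ("device", "dev-1")
    on: str         # ISO-8601 date; compares chronologically as text

def build_links(events, reclaims):
    """Map each entity to the set of customers connected to it.

    reclaims maps customer -> reclaim date. A customer's events dated before
    their reclaim date are skipped, so every connection from before the
    reclaim is dropped; reuse of the same device, email or card on or after
    the reclaim date rebuilds the edge.
    """
    links = defaultdict(set)
    for ev in events:
        cutoff = reclaims.get(ev.customer)
        if cutoff is not None and ev.on < cutoff:
            continue
        links[ev.entity].add(ev.customer)
    return links

def fraud_neighbours(customer, links, fraudsters):
    """Known fraudsters that share at least one entity with `customer`."""
    found = set()
    for members in links.values():
        if customer in members:
            found |= (members & fraudsters) - {customer}
    return found

# Constructed sample: one device used to access four accounts; ZM is a fraudster.
DEVICE = ("device", "dev-1")
EVENTS = [
    Event("ZM", DEVICE, "2024-03-01"),
    Event("XT", DEVICE, "2024-03-02"),
    Event("YG", DEVICE, "2024-03-03"),
    Event("VM", DEVICE, "2024-03-04"),
]
FRAUDSTERS = {"ZM"}

def vm_linked_to_fraud(reclaims, extra_events=()):
    """Is VM in the fraud network under the given reclaim dates and extra activity?"""
    links = build_links([*EVENTS, *extra_events], reclaims)
    return bool(fraud_neighbours("VM", links, FRAUDSTERS))

if __name__ == "__main__":
    print(vm_linked_to_fraud({}))                                           # True: shares the device with ZM
    print(vm_linked_to_fraud({"VM": "2024-03-10"}))                         # False: pre-reclaim edge dropped
    print(vm_linked_to_fraud({"VM": "2024-03-10"},
                             [Event("VM", DEVICE, "2024-03-12")]))          # True: edge rebuilt on reuse
```

The third call shows the caveat from the text: if the genuine owner keeps using a device the fraudster also used, the connection to the ATO network reappears after the reclaim.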

Please get in touch to learn more about our ATO solutions.