Ai Editorial: How safe are ecosystems such as Amazon and Alibaba from the threat of ATO?

First Published on 21st June, 2018

Ai Editorial: What makes account takeover an even bigger threat for organizations is that an increasing number of enterprises are building online ecosystems, as well as branching into different services beyond their initial product offering, writes Ai’s Ritesh Gupta

 

The recent media reports pertaining to Amazon accounts getting hacked is a disturbing development. Considering how many consumers and the extent to which they rely on these ecosystems, the threat of fraud and its implications on various stakeholders involved needs to be assessed.

A plenty is at stake since a single platform can be used to access multiple services.  

If we considering an ecosystem such as Tencent’s WeChat, the Chinese company has gone beyond primary services of messaging and social networking over the years. Mobile wallet, bill pay, P2P transfers, merchant services, ticketing, insurance, wealth management and mutual fund management are among the services that WeChat is associated with. Similarly, the likes of Amazon and Alibaba, too, are proving to be a lucrative option for fraudsters as a single account on the black market can give fraudsters access to a treasure trove of data, including multiple stored payment methods, bank account information, usernames and passwords. In fact, as highlighted by Sift Science, in May this year, an Amazon customer became a casualty as she found in her email statement related to shopping of goods that she hadn’t bought. The amount totaled $1,640 in total purchases. As it turned out, a fraudster had gained access to her account without her permission and eventually Amazon (not a pleasant experience for customer and the reputation took a beating) suffered due to this account takeover (ATO) attempt.  

What makes account takeover an even bigger threat for organizations is that an increasing number of enterprises are building online ecosystems, as well as branching into different services beyond their initial product offering. A case in point is the growth in mobile payment systems, which fraudsters can easily exploit by adding stolen credit cards or making unauthorized transfers of credits from compromised accounts. With a growing connectivity of data, fraudsters can have unparalleled access to multiple services with just one single account. A case to examine is Amazon, where one single account may be used to access multiple services including Amazon Prime, Alexa, cloud storage, music streaming and more. Plus, the company is already expanding and introducing different services. For e. g. Amazon uses Amazon Pay as a virtual wallet system to be used within the app.

“With a growing connectivity of data in a world of frictionless payments, Amazon is at risk of various fraud scenarios such as having unauthorized transfers of Amazon Pay credits from compromised accounts,” says Justin Lie, CashShield’s CEO. “Once a single account is compromised, it would be difficult to have damage control on all possible endpoints that could benefit the fraudster. For instance, the fraudster could have access to the card-on-file to make purchases, or have access to the user’s information, or worse, in the case of IoT (e.g. Alexa), spy on the users in their homes.”

Dealing with vulnerability 

Fraudsters no longer only make unauthorized payments with stolen credit cards, but are also carrying out promo abuse with the creation of multiple accounts, making unauthorized transfer of funds, and making unauthorized top up of credits.

One way to safeguard such accounts includes a two-step verification, requiring users to fill in a security code whenever they access an account from a new device. Currently, fraud protection for accounts are still far behind, especially compared to the systems designed to secure payments. Most enterprises rely on static verification measures such as two-factor authentication (2FA) and multi-factor authentication (MFA), but is easily bypassed by fraudsters (e.g. via SIM hacks or SIM swaps) and creates unnecessary friction for users. Unfortunately, more must be done in terms of ensuring user accounts are secure from fraud. It is pointed out that many merchants struggle between striking a balance between improving security and maximizing user experience, which is difficult if their only known option is to either deploy 2FA/MFA or not. Rather than using a blanket rule that forces every user to login with 2FA, real-time surveillance can be used to assess logins in the background, and only logins with borderline risks expected to go through 2FA. This would greatly improve the user experience on the whole, while ensuring that security for accounts is not taken for granted.

Lie recommends that an end-to-end approach is needed to cover it all - to monitor transactions across multiple channels and devices in real time, at every stage of the process. From front-end filters detecting fraudulent logins to machine automation preventing fraudulent purchases and chargebacks through illegitimate account takeovers, these ecosystems must consider deploying sophisticated end-to-end solutions that can cover their bases.

It is time that ecosystems and even other companies make rapid progress since account takeover is indeed occurring more frequently - according to the 2018 Javelin Strategy & Research Report, account takeovers tripled in 2017, which resulted in $5.1 billion in associated losses.

When data breaches occur, consumers have no control. Yet when it comes to account takeovers, customers are told to play an active role in prevention by being vigilant and having complex passwords, even though a data breach would leak all passwords, no matter how complex it is. Lie says it is up to the merchant’s end to adopt stricter security protocols in storing and encrypting their data, to minimize the damage in case of a data breach. Considering that it is impossible to build the perfect defense, merchants could also aim to mitigate the damage done by ensuring that the stolen data cannot be used. One way to achieve this is to deploy real-time active surveillance on every login to filter out potential threats and prevent attackers from gaining unauthorized access to accounts.

 

Hear from airlines and other industry executives about ATO at the upcoming 7th Annual Airline & Travel Payments Summit (ATPS), co-hosted with UATP, (4- 6 September 2018 in Phuket, Thailand).

For more click here

Follow Ai on Twitter: @Ai_Connects_Us