Account Takeover

ATO Attacks Severely Harm User Experience and Brand Reputation

April 9, 2021 · 5 min read

Account takeover (ATO) attacks, in which fraudsters gain unauthorized access to genuine user accounts and abuse them for a range of criminal activities, have evolved into a thriving 'business' for attackers and a nuisance for companies, which often lack full visibility into the volume of account takeover attacks they face.

Account takeover attacks are among the biggest issues in fraud prevention, and they’re only getting more frequent. Fraudsters commit these attacks to drain funds directly from accounts or to use compromised accounts as launchpads for other crimes—such as money laundering, phishing, and sending out spam. Businesses, meanwhile, spend time, effort, money, and reputation trying to clean up the mess.

Lack of visibility

A lack of full visibility into the extent of the damage account takeover (ATO) attacks can cause makes them challenging to detect. This lack of visibility is clearly highlighted in the results of a recent Arkose Labs survey of 100 IT professionals across industries. Nearly 30% of the companies polled reported no increase in ATO attacks in 2020, while half of the companies reported only a slight increase.

This is in stark contrast with the volume of ATO attacks recorded on the Arkose Labs network—a 50% spike over the second half of 2020, and a 90% increase in Q4. This shines the spotlight on the lack of visibility into the volumes of ATO attacks that businesses face.

Businesses face financial and reputational losses

Often, the effects of account takeover attacks are discovered only after downstream abuse has been committed and financial losses incurred. In addition to costing millions of dollars every year, account takeover attacks adversely impact user experience—90% of the companies agreed on this—causing brand erosion and customer churn. These are long-term damages, as it takes years of effort to build a brand and acquire customers.

The Arkose Labs survey reveals that 5% of the large companies (those with over 10,000 employees) reported annual costs exceeding $1 million, while 10% of the companies reported losses between $500,000 and $1 million. It is important to note, however, that these figures do not include cleanup costs, application downtime, operational costs, and reimbursements to customers for lost funds. The actual losses are therefore much higher.

Another big concern is regulatory compliance. When fraudsters are able to scale up ATO attacks successfully, affected businesses attract regulatory attention, hefty penalties, and uncomfortable questions about the lack of adequate security on their platforms.

Account takeover attacks are pervasive across industries

Although every industry is bearing the brunt of account takeover attacks, some of the worst affected include professional services, healthcare, financial institutions, and ecommerce platforms.

Ecommerce firms are obliged to keep user accounts safe, as account takeover can harm them through fraudulent transactions, payment fraud, and negative brand reputation, which can in turn impact their revenues.

With the most valuable customer data in their possession, financial institutions are a prime target for attackers. They are also the most regulated industry, which means a successful account takeover attack can result in massive fines and greater regulatory measures imposed on them, with legal and compliance costs adding to the financial losses. A whopping 94% of the financial institutions polled in the Arkose Labs survey agreed that ATO attacks degrade the user experience for their customers.

Whose job is it?

There is no clear-cut consensus on who, within an organization, is responsible for fighting fraud—each department believes it is the role of another. For instance, while a majority of the respondents in our survey would hold the information security department responsible, others say preventing ATO is the responsibility of the fraud, engineering, or product teams. The verdict is also divided according to company size, with 55% of the larger companies saying information security should handle ATOs, followed by fraud at 29% and engineering at 14%.

Fighting ATO attempts, however, must be a priority for all organizations, regardless of their size, with a dedicated team to handle them centrally. That said, investment in fraud prevention is abysmally low, with a majority of companies reporting that they spend 1-5% of their tech budget on fraud and 3% having no dedicated budget at all! This is at a time when the volume of account takeover attacks is increasing and the estimated cost of handling them can add up to 8% of annual revenue for digital businesses.

Adopt a proactive, zero-tolerance approach to fraud

Businesses often take reactive steps to stop account takeover attacks, such as implementing more stringent controls, banning accounts, and classifying a higher percentage of traffic as suspicious. These measures, however, disrupt the digital experience for authentic users and often lead to false positives. The most viable approach to fighting ATO attacks is therefore to stop the attackers right at the entry gates.

Arkose Labs adopts a zero-tolerance approach to fraud that applies friction selectively, so that authentic users continue to enjoy a seamless experience while bad actors are accurately identified and challenged. Enforcement challenges are presented based on each user's risk assessment, and they continually step up in complexity to wear out malicious users and bankrupt the business model of fraud.

To gain further insights into the state of account takeover attacks in your industry, please download a copy of the survey report now.