While account takeover is a major concern for financial institutions and merchants, many underestimate the cost as well as the frequency of attacks, says a report released Thursday by Arkose Labs, a San Francisco-based provider of fraud-prevention technology.
Indeed, one of the costliest aspects of account takeovers is the loss of customers whose accounts have been compromised. About half of the companies polled said they had lost customers over the past year due to account-takeover attacks, and 90% of all businesses surveyed agreed takeovers adversely impacted the user experience, which in turn damaged their brand reputation. On the reputational side, it is not uncommon for affected consumers to use social media to publicly call out the company that holds their account.
“And if the attacks are in a great enough volume and compromise a lot of data, it could lead to negative [press] and public relations,” Lizzie Clitheroe, head of product marketing for Arkose Labs says by email.
Other costs include refunding customers the funds pilfered from their accounts; resetting passwords, which runs about $70 per account; increased manual reviews; and manual tuning of fraud-detection systems. “It is not a simple thing to quantify like payment fraud,” says Clitheroe.
Asked how consumers are affected by account takeovers, 40% of respondents cited compromised credentials, 32% cited transaction fraud, 14% cited stolen payment details, 8% cited loss of funds, and 3% cited the time spent reclaiming their accounts.
Arkose surveyed 100 IT executives at U.S. companies in more than a dozen industries; the companies ranged in size from 1,000 employees to more than 10,000.
In addition to brand damage, account takeovers also draw the attention of regulators. Increased scrutiny typically leads to greater compliance costs and burdens on internal teams to tighten cybersecurity.
“Account takeovers cause compliance concerns, especially for highly regulated industries such as financial services. Regulators will start asking difficult questions and keeping closer scrutiny on companies that fail to protect user accounts,” says Clitheroe. “With the increase in ATOs, credential stuffing, and rising sophistication of attacks, businesses need to be more vigilant in detecting the nuances and full impact of ATOs.”
Despite the growing concern about account takeovers, businesses do not agree on which department should own the defense against them. While the majority of respondents say that responsibility falls to information security, others place it with the fraud, engineering, or product departments.
Of companies with more than 10,000 employees, 55% say the responsibility for account takeovers falls on the information-security department, 29% say it is the fraud department’s responsibility, and 14% say it is the responsibility of the engineering department.
Among the defenses businesses can adopt are monitoring all login traffic and scoring each attempt in real time from behavioral signals (such as request velocity per source, the number of distinct accounts tried, and whether the device is new for that user), then applying extra verification only to the attempts that score as risky. “Targeted friction, which is reserved only for higher-risk activity, is very effective at making it more difficult and time-consuming for fraudsters to launch ATO attacks, which will deter future attempts,” says Clitheroe.
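To make the "score every login, add friction only where risk is high" idea concrete, here is an added illustration written for this page; it is not Arkose Labs code and does not describe its product. It keeps a sliding window of attempts per source IP, flags the credential-stuffing shape (one IP cycling through many accounts, mostly failing) and first-time devices, and maps the score to allow, challenge (step-up such as MFA or a CAPTCHA), or block. The thresholds, weights, signal names, and the sample login events are all assumptions constructed for the example.

```python
"""Toy login risk scoring with targeted friction.

Added example for this article, not code from Arkose Labs. All weights,
thresholds and sample events below are assumptions made for illustration.
"""
from collections import defaultdict, deque
from dataclasses import dataclass, field

WINDOW_SECONDS = 300      # sliding window for per-IP counters (assumed)
CHALLENGE_AT = 40         # score >= this: step-up verification, not a hard block
BLOCK_AT = 80             # score >= this: reject the attempt outright


@dataclass
class LoginEvent:
    ts: int          # unix time, seconds
    user: str
    ip: str
    device: str      # device fingerprint / user-agent hash
    success: bool    # did the submitted credential verify?


@dataclass
class RiskEngine:
    # per-IP history of (ts, user, success) inside the window
    ip_hist: dict = field(default_factory=lambda: defaultdict(deque))
    # devices seen on allowed successful logins, per user
    known_devices: dict = field(default_factory=lambda: defaultdict(set))

    def evaluate(self, ev: LoginEvent):
        """Score one attempt, return (score, decision, reasons), update state."""
        hist = self.ip_hist[ev.ip]
        hist.append((ev.ts, ev.user, ev.success))
        while hist and ev.ts - hist[0][0] > WINDOW_SECONDS:
            hist.popleft()

        score, reasons = 0, []
        distinct_users = len({u for _, u, _ in hist})
        failures = sum(1 for _, _, ok in hist if not ok)

        # One IP trying many accounts within minutes is the credential-stuffing shape.
        if distinct_users >= 5:
            score += 50
            reasons.append("ip-many-accounts")
        # Failure bursts: spraying, or a stuffing list that is mostly stale.
        if failures >= 10:
            score += 30
            reasons.append("ip-failure-burst")
        elif failures >= 3:
            score += 15
            reasons.append("ip-failures")
        # Raw velocity regardless of outcome.
        if len(hist) >= 20:
            score += 20
            reasons.append("ip-velocity")
        # A correct password from a device this user has never used before.
        known = self.known_devices[ev.user]
        if ev.success and known and ev.device not in known:
            score += 40
            reasons.append("new-device")

        if not ev.success:
            decision = "deny"          # wrong password; counters still feed later attempts
        elif score >= BLOCK_AT:
            decision = "block"
        elif score >= CHALLENGE_AT:
            decision = "challenge"     # the only place friction is applied
        else:
            decision = "allow"
            known.add(ev.device)       # trust the device only after a clean login
        return score, decision, reasons

    def challenge_passed(self, user: str, device: str):
        """Call after a step-up succeeds so the device is trusted next time."""
        self.known_devices[user].add(device)


def run_sample():
    """Constructed events: a legitimate user, then a stuffing burst from one IP."""
    engine = RiskEngine()
    events = [
        LoginEvent(1000, "alice", "198.51.100.20", "dev-A", True),   # first login
        LoginEvent(1060, "alice", "198.51.100.20", "dev-A", True),   # same device
        LoginEvent(1120, "alice", "198.51.100.21", "dev-B", True),   # new device
    ]
    # 11 failed guesses against different accounts from one IP, then one that lands.
    events += [LoginEvent(2000 + i, f"user{i}", "203.0.113.7", "dev-X", False)
               for i in range(11)]
    events.append(LoginEvent(2011, "carol", "203.0.113.7", "dev-X", True))
    return [(ev.user, *engine.evaluate(ev)) for ev in events]


if __name__ == "__main__":
    for user, score, decision, reasons in run_sample():
        print(f"{user:8} score={score:3} {decision:9} {reasons}")
```

Only the third and last events attract friction: alice's second device gets a step-up challenge rather than a refusal, and carol's valid password arriving at the tail of a stuffing burst from the same IP is blocked even though the credential is correct. Every other legitimate login passes with no added friction, which is the trade-off the quoted advice is describing.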