PaymentsJournal


The Architecture of an Attack: NuData Breaks Down Account Takeover Attacks

January 15, 2020

Looking back at the holiday season, merchants faced a
timeless struggle: stopping fraudsters. While dealing with fraud is a challenge
year-round, the holiday season makes it even more difficult.

In November and December, people shop more to prepare for
the holidays, causing eCommerce volumes to rise. Aware of the uptick in volume,
criminals launch attacks, trying to take advantage of merchants who are
struggling to keep up with all the traffic.

A common fraud vector used by criminals year-round is
account takeover. This is when the fraudster gains access to a user’s account,
often by using stolen login information or through a brute-force bot attack.
In either case, once a criminal gains access to an account, they’re able to steal
more personal information, money, and goods.

A recent estimate found that merchants sustained $13 billion
in losses due to account takeovers in 2018, said Tim Sloane, VP of Payments
Innovation at Mercator Advisory Group.

“And that’s likely to get worse as criminals become more
active and smarter in the way they operate, using sophisticated tools to
perpetrate their crimes,” he cautioned.

To learn more about the types of account takeover attacks
and how companies can fight back, PaymentsJournal sat down with Robert Capps,
VP of Market Innovation at NuData, and Mercator Advisory Group’s Tim Sloane.

During the conversation, Capps and Sloane discussed the
differences between basic and sophisticated account takeover attacks, described
the commonalities of sophisticated attacks, and reviewed some relevant use
cases.

Basic versus sophisticated account takeover attempts

Before explaining the difference between basic and
sophisticated account takeovers, Capps provided a stark warning: It’s safe to
assume that nearly every consumer in the United States has had their data stolen
in some way, shape, or form over the past five to ten years.

Sloane noted that it’s easy for criminals to buy and sell
the personally identifiable information (PII) of consumers on the dark web, a
fact made possible by the numerous data breaches occurring each year.

With vast amounts of PII floating around on the internet,
“it’s only a matter of time before that data is used to attempt to log in to any
valid account,” said Capps.