PaymentsJournal


The Architecture of an Attack: NuData Breaks Down Account Takeover Attacks

January 15, 2020

Looking back at the holiday season, merchants faced a timeless struggle: stopping fraudsters. While dealing with fraud is a challenge year-round, the holiday season makes it even more difficult. In November and December, people shop more to prepare for the holidays, causing eCommerce volumes to rise. Aware of the uptick in volume, criminals launch attacks, trying to take advantage of merchants who are struggling to keep up with all the traffic.

A common fraud vector used by criminals year-round is account takeover. This is when the fraudster gains access to a user’s account, often by using stolen login information or through a brute-force bot attack. In either case, once a criminal gains access to an account, they’re able to steal more personal information, money, and goods.

A recent estimate found that merchants sustained $13 billion in losses due to account takeovers in 2018, said Tim Sloane, VP of Payments Innovation at Mercator Advisory Group. “And that’s likely to get worse as criminals become more active and smarter in the way they operate, using sophisticated tools to perpetrate their crimes,” he cautioned.

To learn more about the types of account takeover attacks and how companies can fight back, PaymentsJournal sat down with Robert Capps, VP of Market Innovation at NuData, and Mercator Advisory Group’s Tim Sloane.

During the conversation, Capps and Sloane discussed the differences between basic and sophisticated account takeover attacks, described the commonalities of sophisticated attacks, and reviewed some relevant use cases.

Basic versus sophisticated account takeover attempts

Before explaining the difference between basic and sophisticated account takeovers, Capps provided a stark warning: It’s safe to assume that nearly every consumer in the United States has had their data stolen in some way, shape, or form over the past five to ten years.

Sloane noted that it’s easy for criminals to buy and sell the personally identifiable information (PII) of consumers on the dark web, a fact made possible by the numerous data breaches occurring each year.

With vast amounts of PII floating around on the internet, “it’s only a matter of time before that data is used to attempt to login to any valid account,” said Capps.