Cyber criminals step up takeover of payment card accounts

Increasing theft of user names and passwords helps them crack into consumers’ accounts.

Paul Demery

Aite Group found a new cause of concern in the first quarter regarding online payment security when it interviewed online merchants, credit card issuers, payment card associations and others involved in managing online payment transactions.

More than half of merchants in the study said they had witnessed an increase in online fraud, but it wasn’t the result of criminal activity that started with theft of payment account numbers from online databases, Julie Conroy, an analyst at the financial services research and advisory firm, says.

Instead, the study found heightened concern that criminals were becoming more adept at taking over customers’ payment card accounts by initially stealing log-in user names and passwords. “All interviewed merchants that are seeing a higher fraud rate report a big jump in account takeover activity,” Aite says in its study. Conroy adds that the cause appears to be related to database breaches within the past 18 months, such as one earlier this year against the daily-deal site LivingSocial, in which criminals accessed user names and passwords, making it possible to use such credentials to compromise customer accounts on other e-commerce sites.

This trend is exacerbated, Conroy adds, by the tendency of many consumers to use the same user names and passwords for multiple financial accounts, making it easier for criminals to match stolen credentials with account numbers. So even though many online merchants have improved how they secure account numbers under the PCI-DSS, or payment card industry data security standard program, criminals are still finding ways to steal credentials and match them with account numbers stored on web sites without adequate levels of security.

Once criminals find a match, they typically attempt to use a compromised account to order goods online, ship them to an address other than that of the legitimate cardholder, then sell the stolen goods. One way merchants fend off such attacks, Conroy says, is with an account takeover-prevention tool from ID Analytics, which compiles data in its ID Network from consumer payment accounts across online merchants, wireless phone carrier networks, and financial services organizations, such as providers of automobile loans and payday loan companies. The data include such information as consumer behavior patterns that, for example, show the likelihood of a legitimate cardholder requesting an additional cardholder to be authorized on her account and requesting to have a new payment card shipped to a different address than the address the account holder has on file.

If a criminal with stolen credentials takes such an approach to get a credit card, the ID Score—Account Takeover application would give it a high-risk score, blocking the transaction unless the bank or retailer issuing the card could first confirm the applicant’s legitimacy.

ID Analytics recently introduced its second version of ID Score—Account Takeover, which has been made more flexible to enable retailers and financial companies to score any suspicious patterns of account activity, says Garient Evans, director of identity risk solutions at ID Analytics.

The cost to use ID Analytics applications, which the vendor hosts on the Internet, runs about 25 cents or less per transaction, depending on volume, Evans says.



