In 2012, Account Takeover (one mechanism of conducting Fraud) accounted for $4.9 Billion in consumer and merchant losses, which is a 69% increase from 2011 according to “2013 Identity Fraud Report: Data Breaches Becoming a Treasure Trove for Fraudsters" conducted by Javelin Strategy and Research.
Account Takeover in the most simple of definitions is compromising a users account via stealing their log in credentials. We've seen enormous spikes in Account Takeover primarily stemming from password stealing malware in email attachments, clicking on unknown links in email or while web browsing, and public wi-fi hotspots to name a few.
Commonly when an account has been compromised the Fraudster can access payment information, change email addresses (to redirect notifications), and change shipping addresses which are all unknown changes to the original account holder.
One defense mechanism for any merchant suffering from this problem is capturing Device Identification. The presence of an intelligent Device Identification (also known as Device Fingerprinting or PC Fingerprint) strategy can be one sharp arrow in the quiver of any website. It is quite simple, and remarkably effective as one of many layered fraud prevention tactics. Device Identification is a simply JavaScript snippet, which captures a list of valuable data points about the device a user is accessing your website from. Nothing fancy, the technology has been around for years in various forms, and is offered by veteran providers such as ThreatMetrix and iovation. Likewise, many other fraud prevention suites such as 41st Parameter to Sift Science have pioneered their own innovative solutions used in their broader tool sets. Device Identification can even work with reasonable effectiveness as a standalone tool in limited use cases. Account Takeover is a concern not only for merchants, but for any website with login and notions of a customer account of any sort. The ballooning threat of Account Takeover is either a past, present, or future issue for every business, touching all websites at some point in time. How you prepare for it, detect it, and defend against it makes the difference. There are three primary mechanisms (of many) which a robust Device Identification solution can prevent Account takeover:
1. Provides a platform which to discover suspicious login activity and patterns.
2. Identify anomalies in device configurations such as attempting to conceal or hide geo-location.
3. Correlates device information with account behavior to identify suspicious transactions based on changes in device type, time zone, browser type, etc.
When Device Identification and Account Takeover solutions are properly deployed they can dramatically improve the experience for good customers by eliminating unnecessary security checks. This will help to streamline the transaction process or improve conversion rates (for eCommerce Merchants).
Taking steps to protect pages such as login, checkout, or account navigation pages (if properly deployed in conjunction with proper strategy and management) goes a long way to bolstering defenses against Account Takeover. A simple Device Identification check at such portals often yields telling perspective, piercing proxies, going deeper into exposing malicious users. While device identification is commonly used as a one part of checkout centric fraud checks performed by rules engine based fraud tools (like Kount, Accertify, ReD, or Cybersource), it has broader application across websites to authenticate users.
