Stop Calling It Account Takeover “Fraud”

A few years ago, when it started to become clear that account takeover (ATO) was becoming a threat, it was understandable that it was seen as a fraud problem. After all, the identity theft inherent in taking over a user’s account does, on some level, amount to fraud. But as the ATO problem has grown, impacting nearly every online business, it’s become clear that we need a mindset shift in how we think about and classify the problem: from fraud to security.

As with any emerging threat, classifying it is really a question of who’s responsible—and who’s being protected.

A fraud-focused mindset prioritizes a company’s potential losses, consequences—and even liability. Of course, these are considerable: ATO has a clear effect on the bottom line and carries real reputational risk, too. But calling it account takeover fraud misses the point, because although ATO adds up to a major company problem, at its core, it’s an account and user issue. That makes it a security challenge to protect those accounts and the users who hold them.

That’s why treating ATO as a fraud issue isn’t cutting it. Fundamentally, thinking about ATO in terms of fraud is selfish—it protects us, the company, rather than you, the user. So if an account has been compromised but the attacker hasn’t acted yet, companies that aren’t actually user-centric won’t much care. In fact, their existing fraud tools leave them blind to such looming issues, but it’s a blind spot they’re willing to accept.

But here’s the thing: Those compromised accounts probably won’t stay dormant forever. In fact, we’ve seen that compromised accounts start to act as soon as a week later—but sometimes as long as a few months. For a company, waiting to act until the malicious actor does puts not only the user but also the company at risk. It’s hopelessly reactive.

So while the argument about whether ATO is a fraud or security problem might seem like semantics, it has very real consequences. Here’s why the classification of ATO matters so much:

  • Fraud overemphasizes transactional activity rather than understanding the user. Fraud, for example, might have you focus on triggers like checkout—an examination of the event, rather than the user. While checkout (or, on the other end, login) is important, it’s only a part of the overall user activity. It’s also often too late, because it’s usually not clear what attackers will do once they’ve breached an account. That’s why security-focused solutions leverage user behavioral analytics, acknowledging that understanding the user is the only way to really protect them. Even more than that, they recognize that to truly address large-scale attacks, it’s essential to treat ATO prevention as a collaborative effort between security/engineering, fraud/risk, and support.
  • Today’s approach to fraud solutions is overly manual. Typically, when potentially fraudulent activity like an anomalous login is flagged, a security analyst must then follow up to validate it. That follow-up is slow, which penalizes legitimate users, and it relies on crude rules. A manual solution is impractical for any site with millions of users; it can’t possibly protect them from an attack without automation. Besides, ATOs don’t follow typical fraud-like patterns.
  • Fraud treats the user as suspicious. Users are the ones harmed by ATO, and they are also the ones who can review potentially suspicious activity on their own accounts, or be prompted for multi-factor authentication at the right moment. In an ATO event, users are our allies, not our enemies. They are uniquely positioned to assess activity and validate whether it’s them or not. Yet a fraud tool could never incorporate user feedback into its model, even though this is precisely what makes security so powerful—for individual users and beyond.

Here’s the rub: If you treat ATO as a fraud problem, you’ll have a fraud problem, because you aren’t attuned to the warning signals before an attack starts. That’s why any business focused on the user experience should care about the growing threat of account takeovers. And any business that cares about ATO has to treat it like the security threat it is in order to actually prevent it.