A few years ago, when account takeover (ATO) first emerged as a threat, it was understandable that it was treated as a fraud problem. After all, the identity theft inherent in taking over a user's account does, on some level, amount to fraud. But as ATO has grown to affect nearly every online business, it has become clear that we need a shift in how we think about and classify the problem: from fraud to security.
As with any emerging threat, classifying it is really a question of who’s responsible—and who’s being protected.
A fraud-focused mindset prioritizes the company's potential losses, consequences and even liability. These are considerable: ATO has a clear effect on the bottom line and carries real reputational risk. But calling it account takeover fraud misses the point. ATO adds up to a major company problem, but at its core it is an account and user issue, and protecting those accounts and the users who hold them is a security challenge.
That's why treating ATO as a fraud issue isn't cutting it. Fundamentally, thinking about ATO in terms of fraud is self-interested: it protects us, the company, rather than you, the user. So if an account has been compromised but the attacker has not yet used it, a company that isn't actually user-centric won't much care. Its existing fraud tools only see an account once it starts transacting, so a hijacked account that has not acted yet is invisible to them. That is a blind spot such companies are willing to accept.
But here's the thing: those compromised accounts probably won't stay dormant forever. We've seen attackers start using compromised accounts as soon as a week after the takeover, and sometimes not until a few months later. For a company, waiting to act until the attacker does puts not only the user but also the company at risk. It's hopelessly reactive.
So while the argument about whether ATO is a fraud or security problem might seem like semantics, it has very real consequences. Here's the rub: if you treat ATO as a fraud problem, you'll have a fraud problem, because you aren't attuned to the warning signals before the attacker starts to act. That's why any business focused on the user experience should care about the growing threat of account takeovers. And any business that cares about ATO has to treat it like the security threat it is in order to actually prevent it.
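As an added illustration (this is example code written for this page, not anything from the original post or from any vendor's product), the toy detector below contrasts the two views over a constructed event stream. Everything in it is an assumption chosen to make the blind spot visible: the event fields, the "login from a never-seen ASN plus device" rule, the transaction-amount rule, the sample accounts and the as-of date. The fraud view scores only transactions, so it sees carol's cash-out but never bob's hijack; the security view looks at login events and surfaces bob as compromised but dormant, which is exactly the account a transaction-centric tool cannot see.

```python
"""
Added example, not from the original post: a transaction-centric ("fraud")
detector and a login-centric ("security") detector run over the same
constructed event stream. All fields, rules, thresholds and sample data
are assumptions for illustration only.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample events (assumed schema). 'alice' logs in from her usual
# device and buys something; 'bob' is hijacked from a new device/ASN and then
# sits dormant; 'carol' is hijacked and the attacker cashes out within minutes.
EVENTS = [
    {"ts": "2024-03-01T09:00:00", "type": "login", "user": "alice", "ip_asn": 7922, "device": "d-alice"},
    {"ts": "2024-03-01T09:05:00", "type": "txn",   "user": "alice", "amount": 40.0},
    {"ts": "2024-03-02T02:10:00", "type": "login", "user": "bob",   "ip_asn": 4134, "device": "d-new-1"},
    {"ts": "2024-03-02T03:00:00", "type": "login", "user": "carol", "ip_asn": 4134, "device": "d-new-2"},
    {"ts": "2024-03-02T03:02:00", "type": "txn",   "user": "carol", "amount": 950.0},
]

# Assumed per-user history of (asn, device) pairs seen before this window.
KNOWN = {
    "alice": {(7922, "d-alice")},
    "bob":   {(7922, "d-bob")},
    "carol": {(3320, "d-carol")},
}

TXN_AMOUNT_THRESHOLD = 500.0          # assumed fraud rule: flag large transactions
AS_OF = datetime(2024, 3, 10)         # assumed "now" for measuring dormancy


def parse_ts(ts):
    return datetime.fromisoformat(ts)


def fraud_view(events, threshold=TXN_AMOUNT_THRESHOLD):
    """Transaction-centric: only transactions are scored; logins are never examined.
    Returns the sorted list of users whose transactions trip the amount rule."""
    return sorted({e["user"] for e in events
                   if e["type"] == "txn" and e["amount"] >= threshold})


def security_view(events, known, now):
    """Login-centric: flag the first login from an (asn, device) pair the user has
    never used, then report whether the account has acted since ("active") or is
    still sitting on a compromised credential ("dormant"), with its age in days."""
    first_suspicious = {}               # user -> timestamp of first suspicious login
    acted_after = defaultdict(bool)     # user -> did a txn follow that login?
    for e in sorted(events, key=lambda e: e["ts"]):
        u = e["user"]
        if e["type"] == "login":
            pair = (e["ip_asn"], e["device"])
            if pair not in known.get(u, set()) and u not in first_suspicious:
                first_suspicious[u] = parse_ts(e["ts"])
        elif e["type"] == "txn" and u in first_suspicious \
                and parse_ts(e["ts"]) >= first_suspicious[u]:
            acted_after[u] = True
    return {
        u: {"status": "active" if acted_after[u] else "dormant",
            "age_days": (now - t).days}
        for u, t in first_suspicious.items()
    }


def demo():
    """Run both detectors over the constructed stream."""
    return fraud_view(EVENTS), security_view(EVENTS, KNOWN, AS_OF)


if __name__ == "__main__":
    fraud, security = demo()
    print("fraud view flags:   ", fraud)      # only carol, after the money moved
    print("security view flags:", security)  # bob (dormant) and carol (active)
```

The design point is the timing, not the rules themselves: the fraud view can only ever fire after the attacker acts, while the security view fires on the authentication event and leaves a window of days in which the dormant account can be locked, re-verified or forced through step-up authentication before any loss occurs.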