For most businesses with an online presence, the primary risk comes from fraudsters creating accounts and then using them for no good. What about cases where a legitimate user creates an account, and someone else later gains access to it and uses it for fraud? This is referred to as an account takeover.
Be Careful With Stored Payment Methods
The first and easiest way to limit the damage done by someone accessing an account that isn’t theirs is to limit how stored payment methods can be used. Suppose that I shop on DiscountSocksAndThings.com, and the first time I place an order I’m asked if I’d like to save my Visa ending in 1234 for future use. The next time I place an order, all I have to do is select that stored payment method, and I may not be asked for the card number or verification code. Months later, a fraudster guesses my password is “Password1234” and gets into my account. Without any safeguards, they can use my credit card to ship socks and things wherever they want.
One way to limit the damage from an account takeover is to check whether the person using the account now is likely to be the person who originally created it. You can, for example, associate a cookie with the stored payment method, and if that cookie isn’t present when the payment method is used, ask the user to re-enter the card number (or at least the verification code). Another method, if you ship physical goods, is to ask the user to re-enter payment information if their shipping address isn’t the one used when the payment method was last stored.
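The two checks just described can be combined into a single step-up decision made before a stored card is charged. The following is an added example, not code from the original article or from any real checkout system: the class names, fields, cookie values and addresses are assumptions constructed for illustration. It returns how much the shopper must re-enter: nothing when the device cookie and shipping address both match, the verification code when the device matches but goods are shipping somewhere new, and the full card number when the cookie tied to the stored card is missing.

```python
import hmac
import re
from dataclasses import dataclass
from typing import Optional

# Added example: step-up verification for a stored payment method.
# Names, fields and sample values are assumptions constructed for
# illustration, not a real checkout system's API.


@dataclass(frozen=True)
class StoredPaymentMethod:
    token: str                 # opaque processor token, never the card number itself
    device_cookie: str         # random value set in the browser when the card was stored
    shipping_address: str      # shipping address used when the card was last stored


@dataclass(frozen=True)
class CheckoutRequest:
    presented_cookie: Optional[str]   # cookie sent with this checkout, if any
    shipping_address: str
    physical_goods: bool              # the address check only applies to shipped goods


def normalize_address(addr: str) -> str:
    """Crude normalization so trivial formatting differences don't trigger step-up."""
    return re.sub(r"\s+", " ", addr.strip().lower())


def required_verification(method: StoredPaymentMethod, request: CheckoutRequest) -> str:
    """Decide what the user must re-enter before the stored card can be charged.

    Returns one of:
      'full_card' - the device cookie tied to the stored card is absent or wrong
      'cvv'       - same device, but the goods ship to a new address
      'none'      - same device and same shipping address
    """
    presented = (request.presented_cookie or "").encode()
    # Constant-time comparison so the cookie value cannot be guessed byte by byte.
    if not hmac.compare_digest(presented, method.device_cookie.encode()):
        return "full_card"
    if request.physical_goods and (
        normalize_address(request.shipping_address) != normalize_address(method.shipping_address)
    ):
        return "cvv"
    return "none"


def demo() -> dict:
    # Constructed sample data: the card the legitimate shopper stored, then four checkouts.
    card = StoredPaymentMethod(token="tok_visa_1234", device_cookie="c0ffee-9a1b",
                               shipping_address="12 Main St, Springfield")
    cases = {
        "same_device_same_address": CheckoutRequest("c0ffee-9a1b", "12 Main St, Springfield", True),
        "same_device_new_address": CheckoutRequest("c0ffee-9a1b", "99 Elsewhere Rd, Faraway", True),
        "same_device_digital_goods": CheckoutRequest("c0ffee-9a1b", "99 Elsewhere Rd, Faraway", False),
        "no_cookie": CheckoutRequest(None, "12 Main St, Springfield", True),
    }
    return {name: required_verification(card, req) for name, req in cases.items()}


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The cookie is a heuristic for "same device", not an authenticator: it raises the cost of using a stored card from an unfamiliar browser, and the fallback is simply to ask for card data the legitimate owner already has. Keep the stored value a random token rather than anything derived from the card, and scope the address check to orders that actually ship.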
Keep Informational Limitations in Mind
Even if stored payment methods are inaccessible to fraudsters, an established account can still act as effective cover for fraudulent activity if your fraud detection solutions are poorly tuned. If you use rules to decide whether orders are processed, don’t make account age such an overwhelming positive factor that someone buying ten laptops and shipping them a thousand miles on a card you’ve never seen before can get their order through unchecked. With frequent data breaches and poor password hygiene, no account is immune to account takeover (ATO). In fact, aged accounts are often the most challenging when it comes to ATO: if the takeover is not detected and remediated promptly, the only option left is to disable the account.
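The tuning problem above is easiest to see with two versions of the same rule set side by side. This is an added example, not the article's own rules or any vendor's product: the point weights, thresholds and sample orders are assumptions chosen for illustration. In the poorly tuned version, every year of account age removes risk points without a ceiling, so a ten-year-old account gets the ten-laptop order approved. In the corrected version the account-age credit is capped, so account history can excuse one weak signal but never cancel a stack of strong ones.

```python
from dataclasses import dataclass

# Added example: order-risk rules where account age cannot override strong
# order signals. Weights, thresholds and sample orders are assumptions
# constructed for illustration, not a real fraud engine's configuration.


@dataclass(frozen=True)
class Order:
    account_age_days: int
    card_seen_before: bool       # has this account charged this card before?
    item_count: int
    order_total: float
    ship_distance_miles: float   # distance from the account's usual shipping address


def order_risk_points(order: Order) -> int:
    """Risk points from the order itself, independent of account history."""
    points = 0
    if not order.card_seen_before:
        points += 40
    if order.item_count >= 5:
        points += 20
    if order.order_total >= 2000:
        points += 20
    if order.ship_distance_miles >= 500:
        points += 20
    return points


def naive_score(order: Order) -> int:
    """Poorly tuned: each year of account age removes 10 points with no ceiling,
    so an old account can cancel out any combination of red flags."""
    years = order.account_age_days // 365
    return max(order_risk_points(order) - 10 * years, 0)


def tuned_score(order: Order) -> int:
    """Account age earns at most 15 points of credit: enough to excuse one weak
    signal on a long-standing account, never enough to cancel several strong ones."""
    years = order.account_age_days // 365
    return max(order_risk_points(order) - min(5 * years, 15), 0)


REVIEW_THRESHOLD = 50


def decide(score: int) -> str:
    return "review" if score >= REVIEW_THRESHOLD else "approve"


# Constructed sample orders.
TEN_LAPTOPS_OLD_ACCOUNT = Order(account_age_days=3650, card_seen_before=False,
                                item_count=10, order_total=12_000.0, ship_distance_miles=1000.0)
ROUTINE_REORDER = Order(account_age_days=1100, card_seen_before=True,
                        item_count=2, order_total=80.0, ship_distance_miles=0.0)
NEW_ACCOUNT_FIRST_ORDER = Order(account_age_days=1, card_seen_before=False,
                                item_count=1, order_total=60.0, ship_distance_miles=0.0)


def compare(order: Order) -> dict:
    """Decision under both rule sets, so the effect of the cap is visible."""
    return {"naive": decide(naive_score(order)), "tuned": decide(tuned_score(order))}


if __name__ == "__main__":
    for name, order in [("ten laptops, 10-year account, new card", TEN_LAPTOPS_OLD_ACCOUNT),
                        ("routine reorder", ROUTINE_REORDER),
                        ("new account, small first order", NEW_ACCOUNT_FIRST_ORDER)]:
        print(f"{name}: {compare(order)}")
```

Running it shows the ten-laptop order scoring 100 risk points, which the uncapped age credit wipes out entirely (approve) while the capped version leaves it at 85 (review); the routine reorder and the small first order are approved under both. The general lesson is that signals about the order in front of you (new card, volume, value, distance) should be able to outvote signals about the account's past, because a takeover inherits that past intact.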