Dealing With Account Takeovers
For most businesses that take payments online, the primary risk comes from fraudsters creating accounts and then using them for no good. What about cases where a good user creates an account, and someone else later gains access to it and uses it for fraud? This is referred to as an account takeover.
Be Careful With Stored Payment Methods
The first and easiest way to limit the damage done by someone accessing an account that isn’t theirs is to limit how stored payment methods can be used. Suppose that I shop on DiscountSocksAndThings.com, and the first time I place an order I’m asked if I’d like to save my Visa ending in 1234 for future use. The next time I place an order, all I have to do is select that stored payment method, and I’m not asked for the card number or verification code. Months later, a fraudster guesses my password is “Password1234” and gets into my account. Without any safeguards, they can use my credit card to ship socks and things wherever they like!
One way to avoid getting stung in this scenario is to check whether the person accessing the account now is likely to be the person who originally created it. You can, for example, associate a cookie with the stored payment method, and if that cookie isn’t present when the payment method is used, ask the user to re-enter the card number (or just the verification code). Another method, if you ship physical goods, is to ask the user to re-enter information if their shipping address isn’t the one used when the payment method was last stored.
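The two checks above can be combined into one server-side decision, shown here as an added example that is not code from the original article. The names `StoredMethod`, `enroll_device` and `needs_reentry`, the reason strings and the sample addresses are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import List, Optional


def _digest(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


def _norm(address: str) -> str:
    # Collapse case and whitespace so formatting differences alone don't trigger a challenge.
    return " ".join(address.lower().split())


@dataclass
class StoredMethod:
    method_id: str
    ship_to: str  # shipping address used when the card was stored
    device_hashes: set = field(default_factory=set)

    def enroll_device(self) -> str:
        """Call when the card is saved; send the return value as a Secure, HttpOnly cookie."""
        token = secrets.token_urlsafe(32)
        self.device_hashes.add(_digest(token))  # keep only the hash server-side
        return token


def needs_reentry(method: StoredMethod, cookie: Optional[str], ship_to: str) -> List[str]:
    """Reasons to ask for the card number or verification code; an empty list means no challenge."""
    reasons = []
    presented = _digest(cookie) if cookie else ""
    if not any(hmac.compare_digest(presented, h) for h in method.device_hashes):
        reasons.append("unrecognized_device")
    if _norm(ship_to) != _norm(method.ship_to):
        reasons.append("new_shipping_address")
    return reasons


if __name__ == "__main__":
    # Constructed scenario: the card is saved on one browser, then used from another.
    card = StoredMethod("pm_constructed_1", "12 Elm St, Springfield")
    cookie = card.enroll_device()
    print(needs_reentry(card, cookie, "12 elm st, springfield"))
    print(needs_reentry(card, None, "99 Far Away Rd, Elsewhere"))
```

Storing only a hash of the cookie value means a leaked database row cannot be replayed as a valid cookie.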
Keep Informational Limitations in Mind
Even if stored payment methods are inaccessible to fraudsters, an established account can still act as effective cover for bad activity if your fraud detection solutions are poorly tuned. If you use rules to determine whether orders are processed, don’t make account age such an overwhelming positive factor that someone buying ten laptops and shipping them a thousand miles on a card you’ve never seen before can get their orders through unchecked.