The Account Takeover Grinch that Stole Christmas

This festive season is an exciting time for consumers, and offers huge profit potential for retailers. Holiday retail sales for 2018 are set to surge by 4.1% over the same period last year. In addition, e-commerce sales are predicted to climb by an impressive 16.2%! Merchants that capitalize on this sales opportunity could enjoy a large bonus.

Unfortunately, cyber criminals can take advantage of the holidays, too—and much like the Grinch Who Stole Christmas, threaten to ruin the season for unsuspecting victims. After all, attackers who gain access to consumers’ accounts can do more than just make fraudulent purchases; they can also steal confidential information for more dedicated attacks, and even use stolen account credentials to access financial and social accounts. Retailers should preemptively plan to protect themselves and their customers, review their cyber security strategy, and strengthen defenses to eliminate the risk of account takeover during the holidays.

Account takeover: a rising threat

When the Grinch slunk off to steal Christmas, he dressed himself like Santa and his dog like Rudolph. Account takeovers work in a similar way, as hackers take unauthorized control of a legitimate user’s account. Hackers can orchestrate account takeovers in several ways: harvesting credentials from third-party data breaches, carrying out phishing campaigns that deceive victims into surrendering their account details, and using keyloggers to steal account credentials. E-commerce platforms are particularly attractive targets, as they contain valuable financial and personal information, along with access to expensive goods. Once a hacker gains access to an e-commerce account, and with it the user’s identity, they can rack up all kinds of fraudulent charges without arousing suspicion.

This problem is rising rapidly. Account takeovers in the US tripled in 2017, with a 120% increase in total losses as a result of account takeover compared to 2017. Worst of all, US account takeovers increased by another 35% through the first two quarters of 2018. This is a worrying trend for the 2018 holiday season; chances are, the hackers will be out to steal Christmas yet again.

Account takeover hurts everyone

US consumers pay $290 on average to resolve a takeover, and spend around 16 hours working through the details of their breached accounts. While this is undoubtedly stressful for victims, retailers also stand to lose a lot in both the short and long term.

First of all, retailers often have to cover the fraudulent charges. By one estimate, the total cost of managing online fraud is 8% of the retailer’s annual revenue. And even once resolved for the customer, breaches are likely to erode consumer trust in the e-commerce platform, leading to long-term reputational damage. The consumer may choose to switch to the competition or even air their discontent online. Ultimately, when consumers suffer, so do retailers.

Account protection: take Christmas back from the Grinch

Proactive retailers can do a lot to prevent attacks and minimize damage to all involved, including:

  • Using multi-factor authentication: A leading cause of account takeover for customers is using the same login credentials across multiple accounts. Asking customers to use multi-factor authentication (by supplying a code sent through text message, for example) ensures that only authorized users are granted access. This drastically reduces instances of fraud without compromising on user experience for shoppers.

  • Tackling red flags with adaptive access: Account takeovers look legitimate until you start looking for the tell-tale clues. Hackers will often change account information, delivery locations, IP addresses, or order frequency—all things that retailers can watch for to prevent fraudulent orders. Retailers should also implement adaptive access policies that deny access, or prompt the user for another authentication factor, if an account login or order request comes from an unknown or improbable device, network, location, or IP address.

  • Erring on the side of caution: Given a choice, consumers would rather confirm that charges are legitimate than become the victim of fraud. During the busy holiday season it’s tempting to process orders as quickly as possible. A better strategy? Question all suspicious activity and reach out to customers directly if anomalies occur.
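As an added illustration (not code from this post and not Okta’s product), the Python below sketches the first two measures above: a risk score over the tell-tale clues named in the list (unknown device, network or country, changed account or delivery details, unusual order frequency) that returns allow, step-up or deny, and a one-time-code check that the step-up path can use before the order proceeds. The weights, thresholds, the sample customer profile and the sample attempts are all constructed assumptions for the example; a real deployment would tune them from its own fraud data and would send the code through an SMS or push provider rather than return it.

```python
import hmac
import secrets
import time
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# Assumed weights per signal; tune from real fraud outcomes.
WEIGHTS = {
    "unknown_device": 2, "unknown_country": 3, "unknown_network": 1,
    "new_shipping_address": 2, "contact_info_changed": 2, "order_velocity": 2,
}
STEP_UP_AT = 1   # any clue at all: ask for another factor
DENY_AT = 5      # several strong clues together: refuse and alert the customer


@dataclass
class AccountProfile:
    """What the retailer already knows about the legitimate customer."""
    known_devices: set
    known_countries: set
    known_networks: list          # ip_network objects seen on earlier logins
    shipping_address: str
    orders_last_24h: int = 0


@dataclass
class Attempt:
    """A login or order request as the storefront sees it."""
    device_id: str
    country: str
    ip: str
    shipping_address: Optional[str] = None   # None = plain login, no order
    contact_info_changed: bool = False


def risk_signals(profile: AccountProfile, attempt: Attempt, max_orders_24h: int = 5) -> List[str]:
    """List the clues present in this attempt; an empty list means it looks normal."""
    signals = []
    if attempt.device_id not in profile.known_devices:
        signals.append("unknown_device")
    if attempt.country not in profile.known_countries:
        signals.append("unknown_country")
    if not any(ip_address(attempt.ip) in net for net in profile.known_networks):
        signals.append("unknown_network")
    if attempt.shipping_address is not None and attempt.shipping_address != profile.shipping_address:
        signals.append("new_shipping_address")
    if attempt.contact_info_changed:
        signals.append("contact_info_changed")
    if attempt.shipping_address is not None and profile.orders_last_24h >= max_orders_24h:
        signals.append("order_velocity")
    return signals


def decide(profile: AccountProfile, attempt: Attempt) -> Tuple[str, int, List[str]]:
    """Adaptive access decision: ALLOW, STEP_UP (second factor) or DENY."""
    signals = risk_signals(profile, attempt)
    score = sum(WEIGHTS[s] for s in signals)
    if score >= DENY_AT:
        return "DENY", score, signals
    if score >= STEP_UP_AT:
        return "STEP_UP", score, signals
    return "ALLOW", score, signals


# --- step-up challenge: short-lived, single-use one-time code -------------------
CODE_TTL_SECONDS = 300
_pending: Dict[str, Tuple[str, float]] = {}   # account_id -> (code, expiry time)


def issue_code(account_id: str, now: Optional[float] = None) -> str:
    """Create a 6-digit code for the account; the caller delivers it out of band."""
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(10**6):06d}"
    _pending[account_id] = (code, now + CODE_TTL_SECONDS)
    return code


def verify_code(account_id: str, submitted: str, now: Optional[float] = None) -> bool:
    """Accept the code once, before expiry, using a constant-time comparison.
    Any attempt consumes the code, so a wrong guess forces a fresh challenge."""
    now = time.time() if now is None else now
    entry = _pending.pop(account_id, None)
    if entry is None:
        return False
    code, expiry = entry
    return now <= expiry and hmac.compare_digest(code, submitted)


def demo() -> List[Tuple[str, int, List[str]]]:
    """Constructed customer and four constructed attempts (not real data)."""
    profile = AccountProfile(known_devices={"dev-A"}, known_countries={"US"},
                             known_networks=[ip_network("203.0.113.0/24")],
                             shipping_address="12 Elm St, Springfield")
    busy = AccountProfile({"dev-A"}, {"US"}, [ip_network("203.0.113.0/24")],
                          "12 Elm St, Springfield", orders_last_24h=6)
    return [
        decide(profile, Attempt("dev-A", "US", "203.0.113.10", "12 Elm St, Springfield")),
        decide(profile, Attempt("dev-B", "US", "198.51.100.5")),
        decide(profile, Attempt("dev-Z", "RO", "198.51.100.7", "PO Box 99, Elsewhere", True)),
        decide(busy, Attempt("dev-A", "US", "203.0.113.10", "12 Elm St, Springfield")),
    ]
```

Running `demo()` gives an allow for the familiar device and address, a step-up for a new device on an unseen network, a deny when device, country, address and contact details all change at once, and a step-up for a known customer whose order rate is suddenly unusual; the step-up path then calls `issue_code` and `verify_code` before releasing the order.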

Hackers are particularly greedy during the holiday season! Get ahead of their attacks by implementing the right security practices, and end the year on a merry note for all—except the Grinch.

Okta makes account protection easy for retailers and their customers thanks to identity and access management. If you want to protect your bottom line this holiday season and beyond, contact our team.