How to Respond to an ATO Attack

By Kevin Lee

30 Mar 2017

So, it finally happened. One of your best customers just filed a chargeback. It wasn’t because you failed to deliver your product – you did! Actually, you fulfilled it via overnight shipping, just like your customer requested. Could it be that your buyer’s account has been taken over, and someone has placed an order on their behalf?


Although it may sting to know one of your customers’ accounts was compromised, you’re not alone. Based on Sift Science’s 2017 Fraud-Fighting Trends survey, 48% of online businesses saw an increase in account takeover (ATO) last year – and this growing threat doesn’t show any signs of slowing down.

Here are some steps you can take to deal with account takeover, both from an account-specific and holistic perspective:

What to do about that specific account

Determine whether this is truly ATO, or friendly fraud. You may assume it's ATO because it comes from one of your best customers, but they could just be experiencing buyer's remorse. Although ATO is on the rise, so is friendly fraud. Look at whether the order came from the customer's usual device and IP and shipped to the address already on file: an order that matches the account's own history points to friendly fraud, while a never-seen device, a shipping address changed minutes before checkout, or a changed email or phone number right before the order points to ATO. If it is friendly fraud, you have a better chance of winning the chargeback, especially for physical items that you delivered to the regular address on file, so save all correspondence and evidence of the transaction.

If it does turn out to be ATO, unfortunately there’s a good chance you’re going to lose this particular chargeback and be out the product that you shipped in good faith. It sucks, but treat it like an investment and an opportunity to learn, so you can prevent future instances of ATO on your platform.

Lock down the customer's account. Once you've determined it's truly ATO, lock the account so that no new orders go through until the password has been reset, and block changes to the email address, phone number, shipping address, and saved payment methods in the meantime, since fraudsters often change those first to lock the real owner out. Invalidate every open browser and app session on the server side (a client-side logout alone leaves stolen session tokens usable), or switch the account to view-only mode, if available.

Contact the account holder and ask them to change their password. Reach them through contact details you held before the compromise, not ones that were changed during it, or you may end up talking to the fraudster. The customer is probably as surprised about the ATO as you are, so walk them through it and use the experience as an opportunity to educate them about securing their account. If you can, have the customer enable two-factor authentication. That makes it tougher for fraudsters to compromise the account again, even if the new password leaks.

Put the account on a watchlist. Even after you've taken the steps above, it's a good idea to watch the account and monitor its next few orders. If the customer has malware on their machine, the fraudster is going to learn any new password that the customer enters, which is another reason to push for two-factor authentication on a separate device. Suggest that your customer run antivirus software to get rid of the malware. There are many free antivirus services out there.

Do a deep dive into the account. Investigate everything: timestamps, device, shipping address, IP, cookies, proxies, events, browser info, keylogging. Compare what the account looked like before the compromise with what it looked like during it, so that you pivot on the fraudster's device, IP, and drop address rather than on the real customer's. Then search your platform for other accounts that share those signals, lock them down and/or contact those customers to warn them that their account may have been compromised.
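The pivot described above, as an added example that is not part of the original post or Sift's product: take the compromised account's activity, subtract the values the real customer used before the takeover, and search the rest of the platform for accounts that reused the attacker's device, IP, or drop address. The event log, field names, and indicator weights below are constructed for illustration and are not Sift's schema.

```python
"""Pivot from one confirmed ATO to other accounts that share its signals.

Added example, not Sift's code. The event log, field names and weights are
constructed assumptions for illustration, not Sift's schema.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample events: (timestamp, account, event, ip, device_id, shipping).
EVENTS = [
    ("2017-03-20T09:00", "alice", "login", "203.0.113.7", "dev-alice-1", None),
    ("2017-03-21T10:05", "alice", "order", "203.0.113.7", "dev-alice-1", "12 Elm St, Austin TX"),
    # The takeover: unseen device and IP, shipping address changed, then an order.
    ("2017-03-28T02:11", "alice", "login", "198.51.100.9", "dev-x99", None),
    ("2017-03-28T02:13", "alice", "address_change", "198.51.100.9", "dev-x99", "PO Box 4411, Reno NV"),
    ("2017-03-28T02:15", "alice", "order", "198.51.100.9", "dev-x99", "PO Box 4411, Reno NV"),
    # Other accounts: bob shares the attacker's device, carol the drop address, dave nothing.
    ("2017-03-28T03:40", "bob", "login", "198.51.100.44", "dev-x99", None),
    ("2017-03-28T03:42", "bob", "order", "198.51.100.44", "dev-x99", "77 Pine Rd, Denver CO"),
    ("2017-03-29T11:00", "carol", "order", "192.0.2.18", "dev-carol", "PO Box 4411, Reno NV"),
    ("2017-03-29T12:00", "dave", "order", "192.0.2.77", "dev-dave", "5 Oak Ave, Boise ID"),
]
FIELDS = ("ip", "device_id", "shipping")
# Assumed weights: a shared device or drop address links accounts far more
# strongly than a shared IP, which NAT and mobile carriers make common.
WEIGHTS = {"device_id": 3, "shipping": 2, "ip": 1}


def parse(rows):
    keys = ("ts", "account", "event") + FIELDS
    out = []
    for r in rows:
        rec = dict(zip(keys, r))
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        out.append(rec)
    return out


def attacker_indicators(events, account, since):
    """Values the compromised account used from `since` on that it had never
    used before: the fraudster's fingerprints, minus the real customer's own."""
    baseline = {(f, e[f]) for e in events if e["account"] == account and e["ts"] < since
                for f in FIELDS if e[f]}
    during = {(f, e[f]) for e in events if e["account"] == account and e["ts"] >= since
              for f in FIELDS if e[f]}
    return during - baseline


def linked_accounts(events, indicators, exclude):
    """Other accounts that reused any indicator, with a weighted link score."""
    hits = defaultdict(set)
    for e in events:
        if e["account"] == exclude:
            continue
        for f in FIELDS:
            if e[f] and (f, e[f]) in indicators:
                hits[e["account"]].add((f, e[f]))
    return {a: (sum(WEIGHTS[f] for f, _ in m), sorted(m)) for a, m in hits.items()}


def investigate(rows, account, since):
    """Return (attacker indicators, {account: (score, matched indicators)})."""
    events = parse(rows)
    indicators = attacker_indicators(events, account, datetime.fromisoformat(since))
    return indicators, linked_accounts(events, indicators, account)


if __name__ == "__main__":
    indicators, linked = investigate(EVENTS, "alice", "2017-03-28T00:00")
    print("attacker indicators:", sorted(indicators))
    for acct, (score, matched) in sorted(linked.items(), key=lambda kv: -kv[1][0]):
        print(f"{acct}: score {score}, shares {matched}")
```

Run stand-alone it reports bob (shared device, score 3) and carol (shared drop address, score 2) and nothing for dave. The `since` timestamp comes from the investigation itself, typically the first event you can tie to the fraudster; setting it too early pulls the real customer's own device and address into the indicator set and you end up flagging their friends and family.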

How to prevent future attacks

Dealing with the compromised account is important, but it’s just a first step. To prevent future ATO, it’s a good idea to take holistic, system-wide measures, too.

Update your models and rules with the known bad signals you've found. Remember that models (especially rules-based models) degrade over time as fraudsters adapt, so run periodic quality audits: measure how many flagged accounts turned out to be truly bad and how many good customers got blocked, and retune or retire rules that no longer earn their false positives.

Educate your users. Good security practices, like using a password manager and a password that isn't reused on other sites, help protect against ATO, since credentials leaked from another site's breach are the usual way in. Publish articles in your Help Center educating your customers about account security, to help reinforce that message.

Make sure you're tracking the right data. If your risk system is unable to monitor things like IP, cookie, device ID, session history, event velocity, and keylogging, I recommend working with your engineering team to get this prioritized. This set of data is not only useful for risk reasons, but equally beneficial to the Marketing and Growth teams. After all, the more you understand your customers' behavior, the better you will be at upselling them on additional products, increasing conversions, and keeping them (and your company) safe.

Re-evaluate your tools. Consider adopting third-party tools that can analyze user behavior and proactively flag anomalies.
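What the "update your rules" and "track the right data" steps look like in code, as an added example that is not from the original post or Sift's product: a small rule set that scores an account from the signals listed above (new device, credential or contact change, order after the change, per-IP login velocity across accounts), plus the quality audit that reports precision and recall against labeled outcomes. Events, labels, thresholds, and weights are constructed for illustration.

```python
"""Rule-based ATO scoring over the signals a risk system should track, and a
quality audit of those rules against labeled outcomes.

Added example, not Sift's product or code. The events, labels, weights and
thresholds are constructed assumptions for illustration only.
"""
from datetime import datetime, timedelta

SENSITIVE_CHANGES = {"password_change", "email_change", "address_change"}
WINDOW = timedelta(hours=2)           # assumed look-back for the change-then-order pattern
VELOCITY_WINDOW = timedelta(hours=1)  # assumed look-back for per-IP login velocity
VELOCITY_ACCOUNTS = 3                 # assumed: this many accounts per IP is suspicious
FLAG_THRESHOLD = 3                    # assumed score at which an account gets flagged

# Constructed events: (timestamp, account, event, ip, device_id).
EVENTS = [
    ("2017-03-20T09:00", "alice", "login", "203.0.113.7", "dev-alice-1"),
    ("2017-03-15T18:30", "bob", "login", "203.0.113.20", "dev-bob"),
    ("2017-03-18T12:00", "carol", "login", "203.0.113.31", "dev-carol"),
    ("2017-03-10T08:00", "dave", "login", "203.0.113.42", "dev-dave"),
    ("2017-03-01T19:00", "erin", "login", "203.0.113.53", "dev-erin"),
    ("2017-03-05T21:00", "frank", "login", "203.0.113.64", "dev-frank"),
    # One attacker device and IP walks through alice, bob and carol.
    ("2017-03-28T02:11", "alice", "login", "198.51.100.9", "dev-x99"),
    ("2017-03-28T02:13", "alice", "address_change", "198.51.100.9", "dev-x99"),
    ("2017-03-28T02:15", "alice", "order", "198.51.100.9", "dev-x99"),
    ("2017-03-28T02:20", "bob", "login", "198.51.100.9", "dev-x99"),
    ("2017-03-28T02:22", "bob", "email_change", "198.51.100.9", "dev-x99"),
    ("2017-03-28T02:25", "carol", "login", "198.51.100.9", "dev-x99"),
    # dave: new phone, usual behaviour. erin: known device, just moved house.
    ("2017-03-28T02:30", "dave", "login", "192.0.2.50", "dev-dave-2"),
    ("2017-03-28T02:35", "dave", "order", "192.0.2.50", "dev-dave-2"),
    ("2017-03-28T02:40", "erin", "login", "192.0.2.70", "dev-erin"),
    ("2017-03-28T02:41", "erin", "address_change", "192.0.2.70", "dev-erin"),
    ("2017-03-28T02:45", "erin", "order", "192.0.2.70", "dev-erin"),
    # frank: new laptop, rotated his password, then ordered. Legitimate, but looks like ATO.
    ("2017-03-28T02:50", "frank", "login", "192.0.2.60", "dev-frank-2"),
    ("2017-03-28T02:51", "frank", "password_change", "192.0.2.60", "dev-frank-2"),
    ("2017-03-28T02:55", "frank", "order", "192.0.2.60", "dev-frank-2"),
]
# Constructed ground truth from chargebacks and customer contact: True = real ATO.
LABELS = {"alice": True, "bob": True, "carol": True, "dave": False, "erin": False, "frank": False}
NOW = datetime.fromisoformat("2017-03-28T03:00")


def parse(rows):
    keys = ("ts", "account", "event", "ip", "device_id")
    out = []
    for r in rows:
        rec = dict(zip(keys, r))
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        out.append(rec)
    return out


def score_account(events, account, now):
    """Score one account's recent activity; returns (score, reasons)."""
    own = sorted((e for e in events if e["account"] == account), key=lambda e: e["ts"])
    recent = [e for e in own if now - e["ts"] <= WINDOW]
    known_devices = {e["device_id"] for e in own if now - e["ts"] > WINDOW}
    score, reasons = 0, []
    new_dev = [e for e in recent if e["event"] == "login" and e["device_id"] not in known_devices]
    if new_dev:
        score += 1
        reasons.append("login from a device this account has never used")
    changes = [e for e in recent if e["event"] in SENSITIVE_CHANGES]
    if new_dev and changes and changes[0]["ts"] >= new_dev[0]["ts"]:
        score += 2
        reasons.append("credential or contact change right after the new-device login")
    orders = [e for e in recent if e["event"] == "order"]
    if changes and orders and orders[-1]["ts"] >= changes[0]["ts"]:
        score += 2
        reasons.append("order placed after the change")
    # Cross-account velocity: one IP logging into many accounts within an hour
    # is the signature of credential stuffing or a shared attacker machine.
    for ip in {e["ip"] for e in recent}:
        accounts = {e["account"] for e in events
                    if e["ip"] == ip and e["event"] == "login" and now - e["ts"] <= VELOCITY_WINDOW}
        if len(accounts) >= VELOCITY_ACCOUNTS:
            score += 2
            reasons.append(f"{len(accounts)} accounts logged in from {ip} within an hour")
            break
    return score, reasons


def audit(events, labels, now, threshold=FLAG_THRESHOLD):
    """Precision and recall of the rule set against labeled outcomes."""
    flagged = {a for a in labels if score_account(events, a, now)[0] >= threshold}
    bad = {a for a, is_bad in labels.items() if is_bad}
    tp = len(flagged & bad)
    return {"flagged": sorted(flagged),
            "precision": tp / len(flagged) if flagged else 0.0,
            "recall": tp / len(bad) if bad else 0.0}


if __name__ == "__main__":
    evs = parse(EVENTS)
    for acct in LABELS:
        print(acct, score_account(evs, acct, NOW))
    print(audit(evs, LABELS, NOW))
```

On this constructed data the rules catch all three compromised accounts (carol on velocity alone, before the fraudster has even placed an order) but also flag frank, a good customer who happened to rotate his password from a new laptop: precision 0.75, recall 1.0. That false positive is exactly what the periodic audit is for; the fix is usually a step-up challenge (2FA, email confirmation) at the flag threshold rather than a hard block, and rechecking the numbers after every rule change.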

Want to learn more about keeping your users safe from ATO? Download our free ebook, Complete Guide to Preventing ATO. Or check out a replay of our recent ATO webinar!


Kevin Lee

Kevin Lee is Vice President of Digital Trust & Safety at Sift. Building high-performing teams and systems to combat malicious behavior are what drive him. Prior to Sift, Kevin worked as a manager at Facebook, Square, and Google in various risk, spam, and trust and safety roles.
