#26 - Why Your ATO Fraud Protection Is Failing

Account Takeover (ATO) fraud isn’t usually the primary threat Fintechs worry about.

Even when they do, the pain is less about financial losses and more about operational overhead, customer experience, and brand reputation.

Exactly for this reason, I see many Fintechs opting to utilize the ATO solution provided by one of their existing fraud vendors.

On surface level, this seems like a good approach:

It’s a provider you already trust, there are little-to-no integration costs, and you don’t have a new vendor relationship to manage.

And yet, many times what I hear from clients is that they are disappointed with the results, which seem substandard compared to other products from the same vendor.

This comes as no surprise, but the reason for it is quite intricate:

While Identity Fraud and Payment Fraud are two distinct threats, the methodology behind assessing their risk is very similar. However, ATO Fraud is quite a different beast.

Today I’d like to explore these differences and why they matter more than they seem.

With this knowledge, you’ll be better equipped to assess and challenge providers that offer ATO protection services.

So grab a coffee and let’s get right into it.

Why detecting Identity Fraud and Payment Fraud is similar

I actually want to start by talking about identity and payment fraud, as it’s easy to think that a vendor that is good at both will be good at ATO as well.

To understand why that’s not the case, we need to examine the first two.

Side note: I will focus on payment fraud that happens on new/guest accounts to better separate it from classic ATO cases in mature accounts.

When assessing fraud risk of a new account or payment, we need to consider two main principles:

The first is that we have very little data, as no history exists.

The second is that from this little data we need to answer these fundamental questions:

Identity fraud: Is this user who they say they are?

Payment fraud: Is this user the owner of the financial instrument they are using?

Consider the second question: when we’re asking if this person is the legitimate instrument owner (e.g., card, bank account, wallet, etc.), we’re really asking if they are who they claim they are.

Aside from the rare cases where fraudsters commit payment fraud using their true identities, it’s usually either a stolen one or a fake one.

So in essence, at the base of the two threats lies the same question that we’re trying to answer.

Now, how do we find out if the user is who they say they are?

To rule out synthetic identities, we’ll look for external evidence that the identity is real: it has a credit history, its email is old, it signed up to other services in the past, etc.

To make sure the identity is not stolen, we’ll try to match the online user profile to the identity in question: IP geo needs to match the address, user behavior needs to match demographics, the shipping address needs to make sense, etc.

In short, we try to enrich the account with more data and to match the online user to the “offline” identity.

ATO Fraud detection requires a completely different approach

Now let’s consider ATO. Here are the two fundamental principles we’re facing:

Firstly, we should have quite a lot of historical data on the user.

Secondly, we need to answer this question: is the user the real account owner?

Notice already the major difference between this one and the previous two?

I don’t need to “prove” the user is linked to the identity. I don’t need to do a liveness check each login. All I need to do is show it’s the same user.

And so in ATO we don’t talk about “matching”, we talk about “consistency”. We use the ample historical data we have of the account holder to link it to the current user.

We can do that by showing the user uses the same devices (device ID, same IP, etc.), or we can do that by showing behavioral consistency: from tracking biometrics to purchase pattern consistency.

So if in Identity Fraud we look for:

IP_billing_address_zip = “Match”

In ATO we will look for:

IP_zip_days_consistency > 90

Different heuristics mean different features

Now we get to the core of the issue.

For ATO detection to be accurate, we need to look at a whole different set of features and values than in identity/payment fraud.

These features look at past data, and focus less on enriching and linking to external resources. They focus on consistency heuristics, not on matching heuristics.

Developing these features for rules and models means starting almost from scratch when you tackle ATO.
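To make the matching-versus-consistency distinction concrete, here is an added example (my illustration, not code from this issue or from any vendor): the point-in-time match feature from the previous section next to a history-based consistency feature, plus a toy rule showing why a device-only check flags the account owner on a new phone while a combined consistency rule does not. The login history, zip codes, device IDs and the 90-day threshold are all constructed.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Login:
    ts: datetime
    device_id: str
    ip_zip: str

def ip_zip_match(ip_zip: str, billing_zip: str) -> str:
    """Identity/payment-fraud style feature: a point-in-time match
    between the session and the claimed identity. No history needed."""
    return "Match" if ip_zip == billing_zip else "Mismatch"

def ip_zip_days_consistency(history: list[Login], ip_zip: str, now: datetime) -> int:
    """ATO-style feature: how many days this account has been seen from
    ip_zip (first sighting until now); 0 if the zip is new to the account."""
    seen = [login.ts for login in history if login.ip_zip == ip_zip]
    return (now - min(seen)).days if seen else 0

def known_device(history: list[Login], device_id: str) -> bool:
    return any(login.device_id == device_id for login in history)

def device_only_rule(history: list[Login], current: Login) -> str:
    """Fingerprint-only rule: any unrecognised device is flagged."""
    return "allow" if known_device(history, current.device_id) else "flag"

def consistency_risk(history: list[Login], current: Login, now: datetime) -> str:
    """Toy ATO rule (hypothetical, not a vendor's): combine device and
    location consistency so one drifted signal alone is not treated as fraud."""
    new_device = not known_device(history, current.device_id)
    zip_days = ip_zip_days_consistency(history, current.ip_zip, now)
    if new_device and zip_days == 0:
        return "high"    # nothing in this session is consistent with the account
    if new_device or zip_days < 90:
        return "medium"  # one signal drifted: step-up auth rather than block
    return "low"

# Constructed sample: 120 days of weekly logins from one device and one zip.
NOW = datetime(2024, 6, 1)
HISTORY = [Login(NOW - timedelta(days=d), "dev-1", "10001") for d in range(120, 0, -7)]
SAME_USER = Login(NOW, "dev-1", "10001")        # usual device, usual location
LEGIT_NEW_PHONE = Login(NOW, "dev-2", "10001")  # account owner on a new phone
TAKEOVER = Login(NOW, "dev-9", "90210")         # unknown device, unknown location

if __name__ == "__main__":
    for name, login in [("same", SAME_USER), ("new phone", LEGIT_NEW_PHONE), ("takeover", TAKEOVER)]:
        print(name, device_only_rule(HISTORY, login), consistency_risk(HISTORY, login, NOW))
```

Run it and the device-only rule flags both the new phone and the takeover alike, while the consistency rule separates them using the account’s own history.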

And that’s the thing:

Most vendors who offer ATO detection solutions didn’t invest the required effort. They slap some device ID tracking on top of 2FA flow enablement and call it a day.

But their models? In many cases these are the same models they use for identity/payment fraud. And even if it’s a “custom” ATO model, it is still trained on identity/payment fraud features.

Is it any wonder, then, that you see poor performance?

Asking the right questions

The question remains: how do we assess if a vendor can reliably help us with our ATO detection problem?

You can take a couple of approaches here:

The first is to understand which features are used in the ATO detection model. Such a review, even if verbal only, can quickly expose whether the vendor is looking seriously at consistency metrics or is “locked” in a matching mindset.

If the vendor offers a rule engine as well, reviewing what rules can be implemented around consistency, or even which templates exist, can tell you plenty as well.

Another “tell” that the vendor is doing the right thing is that the POC requirements will look different from those of POCs focused on identity/payment fraud.

Specifically, you should expect the dataset requirements to be tailored to finding (in)consistencies, for example requesting the full historical data of the accounts in question.

Alternatively, I would suggest challenging vendors that focus on device fingerprinting as the main pillar of their solution.

Device fingerprinting is indeed important for ATO detection, but on its own will not yield satisfactory results.

Legitimate users tend to switch devices as well, and you’ll end up choosing between high false positive rates and introducing more unnecessary friction.

How have you seen ATO solutions fail? Hit the reply button to share angles I’ve neglected to mention.

In the meantime, that’s all for this week.

See you next Saturday.

P.S. If you feel like you're running out of time and need some expert advice with getting your fraud strategy on track, here's how I can help you:

Free Discovery Call - Unsure where to start or have a specific need? Schedule a 15-min call with me to assess if and how I can be of value.

Consultation Call - Need expert advice on fraud? Meet with me for a 1-hour consultation call to gain the clarity you need. Guaranteed.

Fraud Strategy Action Plan - Is your Fintech struggling with balancing fraud prevention and growth? Are you thinking about adding new fraud vendors or even offering your own fraud product? Sign up for this 2-week program to get your tailored, high-ROI fraud strategy action plan so that you know exactly what to do next.

 
