
Why Customer Journey Intelligence is Key to Detecting Account Takeovers

Natalie Lewkowicz

10 December 2024


Account takeover (ATO) fraud has become one of the most prevalent forms of digital crime, with fraudsters using stolen credentials, social engineering, and bot-assisted attacks to gain unauthorized access to accounts. Traditional fraud detection often focuses on specific high-risk points, like login or payment, but this approach overlooks vulnerabilities that exist elsewhere in the customer journey, such as a password reset or an exposed API endpoint. This blog delves into why customer journey intelligence is essential for detecting account takeovers and how Darwinium’s solution leverages this approach to provide comprehensive account security.

Understanding Account Takeover Fraud and Its Impact

What is Account Takeover Fraud?

ATO occurs when a fraudster gains unauthorized access to a user’s account, typically through stolen credentials, phishing attacks, or brute-force methods. Once inside, they can steal personal data, make fraudulent purchases, or exploit the account in various ways.

The Consequences of ATO for Businesses and Users

A successful account takeover damages the trust between a business and its customers. For users, ATO can lead to financial loss, identity theft, and privacy invasion. For businesses, it results in financial liability, brand damage, and potential regulatory repercussions.

Traditional ATO Detection Limitations

Traditional ATO detection relies on identifying anomalies at specific touchpoints, like login attempts. However, today’s fraudsters are increasingly sophisticated and bypass many of the protections in place. They use proxies and emulators to mimic trusted users, defeat device fingerprinting techniques, and adopt subtle, human-like behaviors that evade traditional bot detection tools. They also socially engineer customers into divulging one-time passcodes or login details so that they can authenticate with valid credentials. This makes it increasingly challenging for businesses to reliably recognize trusted returning users and isolate potentially risky logins. Customer journey intelligence offers a more holistic approach: it looks for unusual patterns throughout the entire interaction timeline and identifies anomalous behaviors that are inconsistent with the trusted user.

The Value of Customer Journey Intelligence in Preventing ATO

What is Customer Journey Intelligence?

Customer journey intelligence involves analyzing user behaviors, patterns, and interactions across every stage of the customer journey, from browsing and shopping to logging in and making payments. By building a continuous profile of user activity, this intelligence identifies inconsistencies that could indicate an account takeover attempt.

Detecting Suspicious Behavior Patterns

Unlike static, point-in-time assessments, journey intelligence can detect patterns that develop gradually, like unusual browsing behaviors or changes in cart activity before an attempted checkout, or changes to address or password details that might indicate fraudulent behavior. These deviations from a user’s typical journey can signal a potential ATO attempt, allowing proactive intervention.

Creating Context-Rich Risk Assessments

Journey intelligence adds context to each interaction, analyzing factors like device consistency, session behavior, location changes, payment velocity or amount anomalies, and unusual account updates. This broader context enables more accurate risk assessments, helping to differentiate between legitimate activity and fraud.

How Darwinium Uses Customer Journey Intelligence to Prevent ATO

Comprehensive Behavioral Intelligence Across Every Interaction

Darwinium collects data and intelligence at each stage of the customer journey — from browsing behaviors and account creation to profile updates and payments. By continuously analyzing these behaviors, Darwinium can identify account takeover attempts early in the process, often before high-risk actions like payments are initiated. This approach can also help build accurate account takeover models to better identify similar risky behaviors proactively rather than reactively.

Digital Signatures and Behavioral Biometrics

Darwinium’s digital signatures consolidate device, location, identity and behavioral data to create unique user identity graphs, identifying subtle shifts that indicate unauthorized access. Additionally, native behavioral biometrics data (like keystroke dynamics and navigation patterns) provide another layer of intelligence, making it harder for fraudsters to impersonate legitimate users successfully.

Real-Time Decisioning at the Edge

Darwinium provides the option to integrate at the edge, via your Content Delivery Network (CDN), to expedite protection across multiple touchpoints in the customer journey without heavy reliance on engineering resources. This approach allows businesses to react to suspicious activities as they happen, covering new touchpoints in the customer journey instantly and blocking potential ATO attempts before they escalate.

Enhanced Detection of Social Engineering Attempts

Many ATO incidents involve social engineering, where fraudsters manipulate users into sharing sensitive information. Darwinium’s journey intelligence helps detect behaviors indicative of social engineering, such as the presence of new remote access software, unusual pauses or hesitations in journey navigation, live call detection, or out-of-character actions relating to payments, so that social engineering attempts can be stopped before they lead to account compromise.

Key Benefits of Using Customer Journey Intelligence for ATO Prevention

  • Early Detection of ATO Attempts
    By identifying suspicious patterns across the entire journey, customer journey intelligence catches fraud early, often before fraudsters can make changes or execute high-risk transactions.
  • Reduced False Positives for a Better User Experience
    Traditional ATO solutions can disrupt legitimate users with excessive security challenges. Customer journey intelligence adds context, reducing false positives and allowing legitimate users to experience a smoother, uninterrupted journey.
  • Increased Agility to Evolving Fraud Tactics
    Fraud tactics evolve quickly, with new methods constantly emerging. Customer journey intelligence enables businesses to adapt to these tactics by focusing on behavior patterns rather than static, point-in-time data, making it more challenging for fraudsters to succeed.

Real-World Examples of Customer Journey Intelligence in Action

Darwinium Case Study: Fintech uses Darwinium to Build Trust at Login without Imposing Unnecessary Friction

Challenges Faced

A Brazilian fintech specializing in business banking was struggling to verify the authenticity of its online users.

The existing device fingerprinting solution had poor persistency, resulting in excess challenges at login via a one-time passcode (OTP).

This increased friction for good customers and required significant operational resource and budget.

The fintech wanted a better way to improve UX while keeping accounts secure, reserving OTPs for genuinely high-risk interactions. Several other fraud solutions had been discounted due to the high cost of covering multiple touchpoints in the customer journey.

How Customer Journey Intelligence Helped

The fintech recognized the benefits Darwinium could deliver by deploying via a Content Delivery Network (CDN) and decided to install AWS CloudFront. The Darwinium professional services team supported this implementation as part of the wider deployment.

Deploying at the edge allowed the fintech to collect hundreds of pieces of data relating to the user’s network connection, device, location, transactions, and journey analytics to establish a baseline of normal, trusted behavior. This benchmark was used to verify all future signup and login events, which established trusted versus riskier groups.

Outcome

  • Darwinium Digital Signatures for devices and behavioral biometrics increased returning user recognition to 97% at login.
  • 94% of returning users received a positive trust score using Darwinium models, reducing friction across the customer journey.

Example Use Case 1: Detecting Suspicious Login Attempts on an eCommerce Platform

An eCommerce platform faced a growing issue with account takeover attempts. Fraudsters were using stolen credentials obtained through data breaches and dark web marketplaces to access accounts. These takeovers often resulted in unauthorized purchases, exploiting saved payment information and loyalty points within user accounts.

Business Challenges

Traditional login security measures, like rate-limiting and IP-based detection, could only detect brute-force attacks and logins from flagged IP addresses. However, fraudsters began employing bots and proxies to blend in with legitimate traffic and simulate typical browsing behaviors, making it difficult to detect suspicious login attempts.

How Darwinium Customer Journey Intelligence Can Help

Darwinium’s customer journey intelligence can provide the platform with a deeper, continuous view of user interactions across each account session. The solution analyzes patterns from initial page load through navigation to checkout, identifying subtle anomalies in behavior that suggest a potential takeover attempt.

Key behaviors flagged include:

  • Erratic Browsing Patterns: Legitimate users typically navigate a site systematically, moving through product categories and spending consistent time on product pages. However, flagged sessions exhibit fast, random page clicks and hover briefly over multiple high-value items, indicating unfamiliarity or automated browsing.
  • Unusual Cart Activity: A session that repeatedly adds and removes high-value items from the cart in quick succession deviates from normal user behavior. This suggests either an automated script or a fraudster exploring account capabilities before initiating a high-value purchase.
  • Location and Device Anomalies: A login attempt originated from a location and device type unfamiliar to the user’s profile. Combined with the unusual browsing and cart behavior, this raised a high-risk alert.
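
The three behaviors above can be combined into one session-level decision. The sketch below is an added example, not Darwinium's code or API: the event format, thresholds, signal names and the rule that two or more signals trigger step-up verification are all assumptions, and the sessions are constructed sample data.

```python
from statistics import median

# Thresholds are illustrative assumptions, not values from any vendor.
MIN_DWELL_S = 2.0      # median time between page views below this looks scripted
CHURN_WINDOW_S = 30    # add -> remove of the same item inside this window
HIGH_VALUE = 500       # price from which an item counts as "high value"

def journey_signals(events, profile, device, country):
    """events: time-ordered (t_seconds, action, item, price) tuples for one session."""
    signals = set()
    views = [t for t, action, _, _ in events if action == "view"]
    dwell = [b - a for a, b in zip(views, views[1:])]
    if len(dwell) >= 3 and median(dwell) < MIN_DWELL_S:
        signals.add("erratic_browsing")

    added, churn = {}, 0   # item -> time it was added to the cart
    for t, action, item, price in events:
        if action == "cart_add" and price >= HIGH_VALUE:
            added[item] = t
        elif action == "cart_remove" and item in added:
            if t - added.pop(item) <= CHURN_WINDOW_S:
                churn += 1
    if churn >= 2:
        signals.add("cart_churn")

    # Compare against the account's baseline of previously seen devices and countries.
    if device not in profile["devices"] and country not in profile["countries"]:
        signals.add("new_device_and_location")
    return signals

def decide(signals):
    # A single signal is weak evidence; a combination across the journey is not.
    if len(signals) >= 2:
        return "step_up_mfa"
    return "monitor" if signals else "allow"

PROFILE = {"devices": {"dev-a"}, "countries": {"BR"}}   # constructed baseline
SUSPECT = [                                             # constructed session
    (0.0, "view", "tv", 900), (0.8, "view", "phone", 1200),
    (1.5, "view", "laptop", 1500), (2.1, "view", "watch", 700),
    (3.0, "cart_add", "phone", 1200), (9.0, "cart_remove", "phone", 1200),
    (10.0, "cart_add", "laptop", 1500), (15.0, "cart_remove", "laptop", 1500),
]
NORMAL = [                                              # constructed session
    (0.0, "view", "tv", 900), (40.0, "view", "tv-stand", 120),
    (95.0, "view", "cable", 15), (130.0, "cart_add", "tv", 900),
]

if __name__ == "__main__":
    print(decide(journey_signals(SUSPECT, PROFILE, "dev-x", "RO")))
    print(decide(journey_signals(NORMAL, PROFILE, "dev-x", "RO")))
```

A normal session from a new device and country yields only one signal and is monitored rather than challenged, which is how journey context keeps friction away from legitimate users.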

Use Case Outcome

Darwinium flags the session as potentially fraudulent based on journey-wide inconsistencies. The platform prompted additional verification, asking the user to confirm their identity with multi-factor authentication. The legitimate account holder did not complete the verification, confirming the suspicious login as an attempted account takeover. By detecting this behavior early, Darwinium prevented unauthorized purchases and preserved the security of the customer’s account.

Example Use Case 2: Identifying Social Engineering Attempts on a Financial Platform

A financial services provider experienced frequent ATO attempts through social engineering, where fraudsters tricked users into revealing sensitive account information. In these incidents, fraudsters used phishing emails and fake customer support calls to deceive users into sharing login credentials and one-time passcodes, allowing them to take over accounts and initiate fraudulent transfers.

Business Challenges

Traditional detection solutions were unable to flag social engineering attempts because they relied on device-based and location-based data points. Since these attacks involved the legitimate user logging in with their own credentials under duress, conventional security measures did not flag the sessions as suspicious. Furthermore, users were often unaware they had been compromised, making detection even more challenging.

How Customer Journey Intelligence Helps

Darwinium’s customer journey intelligence solution allows the platform to monitor user behavior in real time, identifying social engineering indicators that weren’t tied to specific account credentials or devices. Key behavior anomalies that Darwinium flagged included:

  • Unusual Pauses and Hesitations: The user showed extended pauses between actions, such as logging in and navigating to high-risk account sections. These delays are commonly associated with social engineering scenarios, where fraudsters coach users over the phone or in real time through a chat to follow specific steps.
  • Anomalous Payment Behaviors: The user initiated high-value transfers to a new beneficiary account, which was flagged as suspicious given their typical account usage history. Darwinium’s journey intelligence connected the dots between the user’s hesitations and this high-risk transfer behavior, raising suspicion of coercion or manipulation.
  • Login Anomalies from Known Social Engineering Patterns: Previous social engineering cases within the platform showed patterns like multiple login attempts and password reset requests. Darwinium flagged this user session for similar behaviors, recognizing the likelihood of a socially engineered ATO.

Use Case Outcome

By detecting these journey-wide behavioral cues, Darwinium can flag the transaction as high-risk and prevent the transfer from processing automatically. The platform notified the user about potential suspicious activity and provided guidance on securing their account. The user confirmed they were coerced into the transaction and regained control of their account. This proactive approach not only saved the user from financial loss but also helped the platform mitigate potential liability and enhance customer trust.

Summary

Account takeover fraud requires a more comprehensive approach than traditional point-in-time security measures. Customer journey intelligence provides businesses with real-time, contextual insights across the entire customer journey, allowing them to detect and prevent ATO attempts before they result in financial or reputational damage. By leveraging Darwinium’s customer journey intelligence, businesses can protect their accounts, maintain user trust, and stay ahead of evolving fraud tactics.

Download the full white paper on Account Security - Continuous Protection for the Digital Customer Journey
