Account takeover is a growing threat faced by online businesses across industries — from social networks and e-commerce merchants to cloud-delivered models and professional services. But not every company even realizes account takeover is a looming threat.
Besides counting your company lucky for not making headlines, how do you measure whether account takeover is a problem for your business? Account takeover can be harder to quantify than payment fraud. When measuring the total cost of account takeover, there are a number of individual costs to consider.
Chargebacks are one problem. This can include product cost, chargeback fees, the dollar amount of the transaction and the chance that it puts your company over the excessive chargeback threshold, which could result in financial penalties?
Another challenge is reduced customer engagement. That can mean fewer clicks, fewer purchases, lower average dollar amount, less time spent on the site or app. There can also be a reduction in customer lifetime value. If the customer churns, you lose all future sales.
Customer acquisition costs also go up because you need to spend more money to acquire more customers.
There are additional costs to brand and for cleanup. Negative PR is tough to measure, but you man consider social media sentiment and article mentions.
In terms of brand, Yahoo lost approximately $350 million in the Verizon deal because of its data breaches. Other costs can come from legal fees, compliance fines or additional audits. There can be additional costs for operations, engineering and other staffing as salary, equipment, and overhead costs add up. There's also the cost of external tools used to fight account takeover.
How do you put a price on lost user engagement with your site or app? Start by collecting active inputs. This bucket encompasses every complaint and reported account takeover
You can find this information by asking customer support how many tickets, inbound phone calls, chats, and emails they’ve received that mention account takeover. You can also track traffic to any support articles related to account takeover. If you aren’t formally tracking this information, it’s a good idea to start now.
But not every victim proactively reports what happens to them. Some simply stop using a website or service, while others close their account altogether. One way to gauge passive account takeover damage is to analyze all of the users who have deactivated their account, or haven’t engaged with your site for a certain amount of time. Do a post-mortem on a sample of each one (depending on volume) to determine whether they have suffered account takeover.
Once you have gathered both active and passive inputs, you can compare the lifetime value of an affected user to that of a normal user. For an e-commerce site, this value may be measured in terms of money spent. For a social site, it could be how often they visited or engaged on the platform.
Compare the delta between the account takeover affected user and the normal user. That will give you a sense of how account takeover is affecting your business from a monetary perspective.