Account Takeover Prevention
Always verify that the person providing card/account details is the intended recipient.
Account takeover is a common tactic bad actors use to fraudulently redirect disbursements. Fraudsters who steal a recipient's personal information through data breaches, phishing, or impersonation can redirect payouts to cards or accounts they control before the legitimate recipient is aware. For merchants processing insurance claims, earned wage payments, or vendor payouts, a single successful takeover can result in financial loss, network fines, and damaged trust with customers.
Best Practices
The following practices reduce that risk by verifying that the person submitting payment details is who they claim to be.
Address Verification
Use the Query Card API with AVS to confirm that the address on file with the merchant, collected during the KYC/KYB process, matches the address on file with the card issuer. To prevent account takeover scenarios, do not allow recipients to add a new billing address at the time of the transaction.
Duplicate Account Check
Use TabaPay's Duplicate Card (Account) Check to detect card cycling, where a bad actor attempts to cycle through multiple cards to find a valid one.
Recipient Name Verification
Use TabaPay's ANI check to verify that the name associated with the recipient's card or account matches the name on file. A mismatch is a strong signal that account details have been substituted and the disbursement should be held for review.
IP Address Validation
Confirm that the IP address from which the recipient is providing the PAN matches addresses previously associated with that individual in your system. Unexpected IP addresses should trigger additional verification steps.
Two-factor Authentication
Require the recipient to log in with a username and password before accessing the payer page or app; for example, a recipient logs into an insurance company portal to provide their debit card details. After collecting the PAN, send a text or email (using the phone number or email address on file) with an authentication code that the recipient must provide back to the merchant before the disbursement is processed.
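The authentication-code step above, sketched as an added example (not TabaPay code and not part of the original page): the code is bound to the recipient and to the PAN that was submitted, expires, and can be guessed only a few times. The 6-digit length, 5-minute window, 3-attempt limit and all names are assumptions; delivery to the contact on file is left to the merchant's own messaging system.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300  # assumed validity window
MAX_ATTEMPTS = 3        # assumed limit on guesses per code

class Challenge:
    """One-time code bound to one recipient and one submitted PAN."""

    def __init__(self, recipient_id, pan, code, now):
        self._key = secrets.token_bytes(32)
        self._recipient_id = recipient_id
        # Store keyed fingerprints only, never the PAN or the code itself.
        self._pan_tag = self._tag(pan)
        self._code_tag = self._tag(code)
        self._expires = now + CODE_TTL_SECONDS
        self._attempts = 0
        self._used = False

    def _tag(self, value):
        return hmac.new(self._key, value.encode(), hashlib.sha256).digest()

    def verify(self, recipient_id, pan, submitted_code, now=None):
        now = time.time() if now is None else now
        if self._used or self._attempts >= MAX_ATTEMPTS or now > self._expires:
            return False
        self._attempts += 1  # count every guess, right or wrong
        checks = [
            recipient_id == self._recipient_id,
            hmac.compare_digest(self._tag(pan), self._pan_tag),
            hmac.compare_digest(self._tag(submitted_code), self._code_tag),
        ]
        self._used = all(checks)  # a correct code works exactly once
        return self._used

def issue_challenge(recipient_id, pan, now=None):
    """Return (challenge, code); send the code only to the contact on file."""
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(10**6):06d}"
    return Challenge(recipient_id, pan, code, now), code

if __name__ == "__main__":
    pan = "4111111111111111"  # constructed test value, not a real card
    challenge, code = issue_challenge("recipient-42", pan)
    print(challenge.verify("recipient-42", pan, code))  # first use succeeds
    print(challenge.verify("recipient-42", pan, code))  # replay is refused
```

Because the challenge is tied to the PAN, a card swapped in after the code was sent fails verification even with the correct code.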
Updated 16 days ago