Following what has been the biggest jolt for digitisation as brands faced a dramatic shift online last year, it is clear that the acceleration of ecommerce adoption sees no signs of stopping.
In Australia, the ecommerce revenue is projected to reach over $38.7 billion in 2021, with 19.4 million of us trading bricks and mortar stores for online shopping.
Along with the current ecommerce boom comes a deluge of opportunistic bad actors, and as more consumers move into the digital realm, many merchants are struggling with two dilemmas – how to provide engaging ecommerce options without exposing themselves to attack, and how to invest in solid fraud prevention tools that won’t add unnecessary bulk or friction, as this could lead to undesirable churn or cart abandonment.
The list of threats that retailers face online is constantly evolving and a common thread of recent attacks is the deployment and execution of armies of automated bots.
Bot attacks on retailers can take multiple forms. Traditionally, armies of bots buy up all the inventory for in-demand items – from concert tickets to Air Jordans – for later resale at a markup. However, we are seeing this trick become equally effective for hot-ticket gift items. These retail bots scan global websites the exact moment an item goes on sale, alerting their owners so they can beat the crowd. Some automatically buy the product, faster than any human possibly can.
Many bot attacks use identity as their vector, meaning they break in through the login box by impersonating legitimate users. Credential stuffing attacks, where hackers exploit stolen login information, have become more widespread in recent years because people tend to reuse passwords, and billions of these stolen credentials are currently circulating on the dark web.
Ecommerce retailers are at particular risk of these attacks because while previously fraudsters had to get stolen merchandise mailed to them (increasing the likelihood that the transaction would be stopped or they would be caught), the popularity of ‘Click and Collect’ means that they can now order goods and pick them up before anyone catches on.
So how can retailers win the battle against an army of bots?
Fortunately, there are effective methods to deter bots without creating unnecessary friction for legitimate users. Since most ecommerce fraud takes the form of broken authentication attacks, where fraudsters impersonate legitimate users, the fixes all relate to being able to more accurately verify user identities.
Multi-factor authentication (MFA) demands that users prove they are who they claim to be by providing an additional form of verification beyond the classic username-password combination. This is the single most reliable defence against identity or authentication-based attacks, and common MFA methods include one-time codes sent to a user’s email address, and biometric scans, such as fingerprints.
Despite this, adoption among retailers has slowed, partly due to concern that MFA will introduce too much friction and lead to cart abandonment. But the reality is that through evolution, today’s MFA standards are becoming more seamless and secure.
With customer friction becoming a bigger problem, there’s no reason to challenge every loyal customer to prove their identity every time they make a purchase. Instead, retailers need step-up or adaptive MFA, which requests additional credentials only in the event of suspicious or high-risk behaviour. For example, you may want to verify a customer’s identity if they log in with a new device or place an order above a certain value.
Retailers need a way to stop these fraudulent transactions from ever taking place – before receiving the call from a customer’s bank asking to reverse charges. In other words, investment in tools that automatically flag suspicious behaviour is critical.
Brute force protection is one such tool, which prevents bot armies from overwhelming a website or app with login attempts. Enabling brute force protection locks out IP addresses after a certain number of failed login attempts. You may also be familiar with CAPTCHA (and its assortment of bot-catching descendants), which will lock out bots at the account creation stage, by having human users prove they are not robots – and can even trick bots into proving that they are. Lastly, breached password protection protects against credential stuffing attacks by monitoring databases of compromised credentials and alerting users if they need to change their passwords.
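To make the layered approach concrete, here is an added example (not code from the article or from Auth0) of a login decision function that combines the three controls above with the adaptive MFA rule described earlier: per-IP lockout after repeated failures, a breached-password check against a constructed leaked-hash set, and a step-up challenge only on a new device or a high-value order. The threshold values, the `password_ok` flag (standing in for a credential check done elsewhere) and the sample data are all assumptions.

```python
import hashlib
from collections import defaultdict

# Assumed policy values, not taken from the article
LOCKOUT_THRESHOLD = 5        # failed logins from one IP before that IP is locked out
HIGH_VALUE_ORDER = 500.00    # orders above this amount trigger step-up MFA

# Constructed sample of a breached-credential feed: SHA-1 digests of leaked passwords
BREACHED_HASHES = {hashlib.sha1(p.encode()).hexdigest()
                   for p in ("password123", "qwerty", "letmein")}

failed_by_ip = defaultdict(int)     # brute-force counter per source IP
known_devices = defaultdict(set)    # user -> device ids that already passed MFA


def is_breached(password):
    """Breached password protection: hash the password and look it up in the leaked set."""
    return hashlib.sha1(password.encode()).hexdigest() in BREACHED_HASHES


def is_locked(ip):
    """Brute force protection: too many failures from this IP means lockout."""
    return failed_by_ip[ip] >= LOCKOUT_THRESHOLD


def needs_step_up(user, device_id, order_value):
    """Adaptive MFA: challenge only for an unknown device or a high-value order."""
    return device_id not in known_devices[user] or order_value > HIGH_VALUE_ORDER


def login(ip, user, password, password_ok, device_id, order_value=0.0):
    """Return one decision: locked, denied, reset_required, mfa_required or allowed."""
    if is_locked(ip):
        return "locked"
    if not password_ok:
        failed_by_ip[ip] += 1
        return "locked" if is_locked(ip) else "denied"
    failed_by_ip[ip] = 0                 # a good login resets the counter
    if is_breached(password):
        return "reset_required"          # alert the user to change the password
    if needs_step_up(user, device_id, order_value):
        return "mfa_required"
    return "allowed"


def confirm_mfa(user, device_id):
    """After a successful MFA challenge, remember the device so it is not challenged again."""
    known_devices[user].add(device_id)
```

A loyal customer on a known device placing an ordinary order passes straight through, which is the low-friction behaviour the article argues for.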
It’s important to note that none of these technologies are foolproof, and none are designed to work in isolation. If you really want to defend against attacks, you have to think of security in layers.
From theory to practice
While there’s no single silver bullet to prevent ecommerce fraud, implementing these features together offers superior protection. Bad actors generally seek out the path of least resistance, and when these tools are in place, businesses are no longer seen as a soft target. However, building fraud-preventing tools in-house can be time-consuming for any business, and almost always out of reach for small to medium-sized retailers. For this reason, many will choose to partner with a third-party customer identity and access management (CIAM) provider.
This has been an incredibly challenging year on many fronts, but retailers have risen to the occasion by embracing ecommerce solutions. And as a new shopping year begins, it’s increasingly apparent that this isn’t just a stopgap solution for the pandemic. It’s the new status quo. It’s also clear that sticking with a simple, legacy login solution is no longer an option, and retailers must remember that protecting customers with state-of-the-art identity is for life, beyond pandemic lockdowns.
Richard Marr is general manager for Asia Pacific at Auth0.