Perhaps unsurprisingly, ecommerce has had a bit of a heyday this year. National lockdowns and customer safety concerns arising from the pandemic saw customers trade bricks and mortar stores for online shopping.
To put this into perspective, eMarketer has forecast that UK consumers will spend a whopping £141.33 billion online this year, which is an increase of 34.7 percent over 2019. This means that for the first time, ecommerce will account for more than 30 percent of the UK’s total retail sales. The festive shopping season will drive further online sales, with the analyst firm also predicting online sales of up to £28.51 billion – that’s around £3 in every £10 that holiday shoppers spend – for the UK this year.
However, to quote the Peter Parker principle, ‘with great power comes great responsibility’ – and for retailers trading online this year, that certainly rings true. Thanks to ever more opportunistic bad actors, the current ecommerce boom has led to a stampede of online fraudsters wanting a piece of the action. Against this backdrop, and as more consumers move into the digital realm, many merchants are struggling with two dilemmas – how to provide engaging ecommerce options without exposing themselves to attack, and how to invest in solid fraud prevention tools that won’t add unnecessary bulk or friction, as this could lead to undesirable churn or cart abandonment.
Rise of the machines
The list of threats that retailers face online is constantly evolving, but we are seeing a common thread through customer conversations and our analysis of recent attacks: the deployment and execution of armies of automated bots.
Bot attacks on retailers can take multiple forms. Traditionally, armies of bots buy up all the inventory for in-demand items – from Coldplay tickets to Air Jordans – for later resale at a markup. However, we are seeing this trick become equally effective for hot-ticket gift items. These retail bots scan global websites the exact moment an item goes on sale, alerting their owners so they can beat the crowd. Some automatically buy the product, faster than any human possibly can.
We saw this occur in real time when brand new PlayStation 5 consoles appeared on eBay for hundreds of pounds more than the asking price. Similarly, the Xbox Series X is being sold on the secondary market for £5,000 – more than 1000 percent above its original value – frustrating legitimate customers worldwide. These exorbitant prices on the secondary market have led MPs to call for increased legislation to hamper the resale of goods purchased using automated bots. The obvious risk for retailers here is that customers will come to a website looking for a product, and when it is not in stock, they’ll switch to a competitor.
The increasing role of identity
Many bot attacks use identity as their vector, meaning they break in through the login box by impersonating legitimate users. Credential stuffing attacks, where hackers exploit stolen login information, have become more widespread in recent years because people tend to reuse passwords, and billions of these stolen credentials are currently circulating on the dark web.
Ecommerce retailers are at particular risk of these attacks because while previously fraudsters had to get stolen merchandise mailed to them (increasing the likelihood that the transaction would be stopped or they would be caught), the booming popularity of ‘Click and Collect’ means that they can now order goods and pick them up before anyone catches on.
So how can retailers win the battle against ecommerce fraud?
Fortunately, there are effective methods to deter bots without creating unnecessary friction for legitimate users. Since most ecommerce fraud takes the form of broken authentication attacks, where fraudsters impersonate legitimate users, the fixes all relate to being able to more accurately verify user identities.
Multi-factor authentication (MFA) demands that users prove they are who they claim to be by providing an additional form of verification beyond the classic username-password combination. This is the single most reliable defense against identity or authentication-based attacks, and common MFA methods include one-time codes sent to a user’s email address, and biometric scans, such as fingerprints.
Despite this, adoption among retailers has slowed, partly due to concern that MFA will introduce too much friction and lead to cart abandonment. But the reality is that through evolution, today’s MFA standards are becoming more seamless and secure.
With customer friction becoming a bigger problem, there’s no reason to challenge every loyal customer to prove their identity every time they make a purchase. Instead, retailers need step-up or adaptive MFA, which requests additional credentials only in the event of suspicious or high-risk behavior. For example, you may want to verify a customer’s identity if they log in with a new device or place an order above a certain value.
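The step-up decision described above can be expressed as a small policy function. The following is an added example, not code from the article or from Auth0: it assumes a device identifier the site already binds to each browser, a per-user record of known devices and usual country, and a hypothetical order-value threshold of £250, all of which are illustrative choices rather than anything the article specifies.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Hypothetical threshold above which an order triggers a second factor (not from the article).
HIGH_VALUE_ORDER_GBP = 250.0


@dataclass
class LoginContext:
    """What the site knows about one login or checkout request."""
    user_id: str
    device_id: str            # assumed: a cookie-bound device fingerprint set on first visit
    country: str              # assumed: derived from the request's source address
    order_value_gbp: float = 0.0


@dataclass
class UserProfile:
    """Per-customer history used to judge whether a request looks routine."""
    known_devices: Set[str] = field(default_factory=set)
    usual_country: Optional[str] = None


def step_up_required(ctx: LoginContext, profile: UserProfile) -> Tuple[bool, List[str]]:
    """Return (require_mfa, reasons).

    A loyal customer on a known device, in their usual country, placing an
    ordinary order gets no extra challenge. Any risk signal triggers step-up
    and the reasons are returned so they can be logged for fraud review.
    """
    reasons: List[str] = []
    if ctx.device_id not in profile.known_devices:
        reasons.append("new_device")
    if profile.usual_country and ctx.country != profile.usual_country:
        reasons.append("unusual_country")
    if ctx.order_value_gbp > HIGH_VALUE_ORDER_GBP:
        reasons.append("high_value_order")
    return (bool(reasons), reasons)


def complete_step_up(ctx: LoginContext, profile: UserProfile) -> None:
    """After the second factor succeeds, remember the device so the next visit is frictionless."""
    profile.known_devices.add(ctx.device_id)


if __name__ == "__main__":
    # Constructed sample: a returning customer in Great Britain with one trusted device.
    profile = UserProfile(known_devices={"dev-A"}, usual_country="GB")
    print(step_up_required(LoginContext("u1", "dev-A", "GB", 40.0), profile))
    print(step_up_required(LoginContext("u1", "dev-B", "FR", 300.0), profile))
```

Only the reasons that actually fired are returned, so the same function can drive both the MFA prompt and the fraud team's audit trail; once a challenge succeeds the device is added to the trusted set, which is what keeps friction from recurring on every purchase.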
Retailers need a way to stop these fraudulent transactions from ever taking place - before receiving the call from a customer’s bank asking to reverse charges. In other words, investment in tools that automatically flag suspicious behavior is critical.
Brute force protection is one such tool, which prevents bot armies from overwhelming a website or app with login attempts. Enabling brute force protection locks out IP addresses after a certain number of failed login attempts. You may also be familiar with CAPTCHA (and its assortment of bot-catching descendants), which will lock out bots at the account creation stage, by having human users prove they are not robots – and can even trick bots into proving that they are. Lastly, breached password protection protects against credential stuffing attacks by monitoring databases of compromised credentials and alerting users if they need to change their passwords.
It’s important to note that none of these technologies are foolproof, and none are designed to work in isolation. Some hackers have learned how to spoof IP addresses to mask brute force attacks. CAPTCHA always struggles to stay ahead of sophisticated bots that can mimic human behaviour. And while retailers can force users to change their password in the event of a breach, they can’t change the underlying problem of password reuse. Even MFA, the bedrock of a sensible security strategy, works only if you convince or compel your customers to sign up for it. If you really want to defend against attacks, you have to think of security in layers.
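To make the layering concrete, here is an added example (not code from the article or from Auth0) that chains two of the controls just described in one login path: a per-IP brute force lockout with a sliding window, followed by a breached-password check on the submitted password. The breach set is a constructed sample of three SHA-1 hashes standing in for a real compromised-credential feed, and the lookup mimics the prefix-then-compare pattern such feeds commonly use so the full hash never leaves the server; the threshold of five failures in ten minutes is a hypothetical setting, not one the article gives.

```python
import hashlib
import hmac
import time
from collections import defaultdict, deque
from typing import Callable, Dict, Optional, Tuple

# Hypothetical lockout policy (not from the article).
MAX_FAILED_ATTEMPTS = 5
LOCKOUT_WINDOW_SECONDS = 600

# Constructed sample standing in for a compromised-credential feed; these are not real breach data.
BREACHED_PASSWORD_HASHES = {
    hashlib.sha1(p.encode()).hexdigest().upper() for p in ("password123", "qwerty", "letmein")
}


class BruteForceGuard:
    """Counts failed logins per source IP inside a sliding window and locks the IP at the threshold."""

    def __init__(self, max_failures: int = MAX_FAILED_ATTEMPTS,
                 window: int = LOCKOUT_WINDOW_SECONDS,
                 clock: Callable[[], float] = time.time) -> None:
        self.max_failures = max_failures
        self.window = window
        self.clock = clock                      # injectable so tests can advance time
        self.failures: Dict[str, deque] = defaultdict(deque)

    def _prune(self, ip: str, now: float) -> None:
        q = self.failures[ip]
        while q and now - q[0] > self.window:   # drop failures older than the window
            q.popleft()

    def is_locked(self, ip: str) -> bool:
        now = self.clock()
        self._prune(ip, now)
        return len(self.failures[ip]) >= self.max_failures

    def record_failure(self, ip: str) -> None:
        now = self.clock()
        self._prune(ip, now)
        self.failures[ip].append(now)

    def record_success(self, ip: str) -> None:
        self.failures.pop(ip, None)


def hash_password(password: str) -> str:
    """Stored credential form for this example; a real deployment would use a salted, slow hash."""
    return hashlib.sha256(password.encode()).hexdigest()


def is_breached_password(password: str) -> bool:
    """Prefix-based lookup: query by the first five hex chars of the SHA-1, compare the suffix locally."""
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    # Simulated 'range' response: every suffix in the feed that shares this prefix.
    candidates = {h[5:] for h in BREACHED_PASSWORD_HASHES if h.startswith(prefix)}
    return suffix in candidates


def attempt_login(guard: BruteForceGuard, users: Dict[str, str],
                  ip: str, username: str, password: str) -> Tuple[str, Optional[str]]:
    """Layered decision: lockout first, then credentials, then a breached-password advisory."""
    if guard.is_locked(ip):
        return ("locked_out", None)
    stored = users.get(username, "")
    if not hmac.compare_digest(stored, hash_password(password)):
        guard.record_failure(ip)
        return ("invalid_credentials", None)
    guard.record_success(ip)
    if is_breached_password(password):
        # Valid login, but the password is in a known breach: admit and force a change.
        return ("ok_force_password_change", username)
    return ("ok", username)


if __name__ == "__main__":
    guard = BruteForceGuard()
    users = {"alice": hash_password("correct horse"), "bob": hash_password("password123")}
    print(attempt_login(guard, users, "203.0.113.9", "alice", "correct horse"))
    print(attempt_login(guard, users, "198.51.100.4", "bob", "password123"))
```

The order of the checks matters: the lockout test runs before any password comparison so a locked address does no work on the server, and the breach check runs only after a successful login so it never reveals anything to an attacker who does not already hold the password. Keying the guard by IP alone is deliberately the weak form the article warns about; in practice the same counter is also kept per account and per device so a rotating source address does not reset it.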
From theory to practice
While there’s no single silver bullet to prevent ecommerce fraud, implementing these features together offers superior protection. Bad actors generally seek out the path of least resistance, and when these tools are in place, businesses are no longer seen as a soft target. However, building fraud-preventing tools in-house can be time-consuming for any business, and almost always out of reach for small to medium-sized retailers. For this reason, many will choose to partner with a third-party customer identity and access management (CIAM) provider.
This has been an incredibly challenging year on many fronts, but retailers have risen to the occasion by embracing ecommerce solutions. And as 2020 ends, it’s increasingly apparent that this isn’t just a stopgap solution for the pandemic. It’s the new status quo. It’s also clear that sticking with a simple, legacy login solution is no longer an option, so while things are definitely busy now, retailers must remember that protecting customers with state-of-the-art identity is for life, not just for Christmas.
Marc Power, Regional Director, UKI & MEA, Auth0