Holiday shopping looks a lot different this year. As a result of the pandemic, shoppers are avoiding brick-and-mortar stores and ordering online, with eCommerce sales up 37% over 2019. Unfortunately, the eCommerce boom has created a similar spike in eCommerce fraud. One study found that in 2020, mid-sized to large merchants experienced 14% more fraudulent transactions per month than the year before.
These dueling forces put retailers in a difficult position: they need to provide eCommerce options to customers without exposing themselves to attack. Retailers can balance these needs by putting strong fraud-prevention tools in place to maximize their eCommerce trade while locking out fraudsters.
Bot-Based Fraud Is Rampant in Ecommerce
Retailers trying to guard against cybersecurity threats must first understand what those threats are. This list is constantly evolving, and in 2020, while there are several types of attacks, most of them use armies of automated bots.
In a 2020 survey from cybersecurity company Kount, 81% of businesses reported that they dealt with malicious bots often or very often, and 25% reported that a malicious bot attack cost their organization over $500,000.
Bot attacks on retailers can take multiple forms. In one variation, armies of bots buy up all the inventory for in-demand items for later resale at a markup. For years, that’s been a popular trick for coveted concert tickets and sneakers, but it’s equally effective for hot-ticket gift items. The risk for retailers is that customers will come to your site looking for a product, and when you don’t have it, they’ll switch to your competitors.
Many bot attacks use identity as their vector, meaning they break in through the login box by impersonating legitimate users. In credential stuffing attacks, hackers take user login credentials that were stolen in one data breach and use them to break into other sites. Credential stuffing attacks have become much more widespread in recent years because people tend to reuse passwords, and billions of these stolen credentials are currently circulating on the dark web.
Ecommerce retailers are at particular risk of these attacks, especially with the booming popularity of “buy online, pick up in store” (BOPIS). In the past, fraudsters had to get stolen merchandise mailed to them, increasing the likelihood that the transaction would be stopped or they would be caught. But with curbside delivery, they can order goods and pick them up before anyone catches on.
Even if bot attacks aren’t successful in conducting fraudulent transactions, they can still crash your website by flooding it with requests. Auth0’s research has found that in a credential stuffing attack, a site’s traffic can spike by as much as 180-fold.
Critical Tools in the Fight Against Ecommerce Fraud
Fortunately for retailers, there are effective methods to deter bots without creating unnecessary obstacles for legitimate users. Since most eCommerce fraud takes the form of broken authentication attacks — meaning that fraudsters impersonate legitimate users—the fixes all relate to being able to more accurately verify user identities.
Multi-factor authentication (MFA) demands that users prove they are who they claim to be by providing an additional form of verification beyond the classic username-password combination. Common MFA methods include one-time codes sent to a user’s email address and biometric scans, such as fingerprints. While MFA is the single most reliable defense against identity-/authentication-based attacks, it is not a silver bullet. If retailers want to defend against automated attacks, they have to think about security in layers.
In 2019, NIST started recommending that retailers implement MFA to fight eCommerce fraud, but adoption has still been slow. That’s partly because retailers worry that MFA will introduce too much friction and will make customers abandon their carts. But MFA standards are constantly evolving to be more seamless and secure. For instance, Microsoft recently told its customers not to use SMS as an MFA delivery mechanism because cell phone lines are vulnerable to multiple forms of attack. (They recommend hardware keys as the least susceptible to attack.)
You want to find out about eCommerce fraud before you get a call from a customer’s bank asking you to reverse fraudulent charges. To stop these transactions from ever taking place, you need tools that automatically flag suspicious behavior.
Brute force protection is one such tool, which prevents bot armies from overwhelming your site or app with login attempts. Enabling brute force protection locks out IP addresses after a certain number of failed login attempts.
CAPTCHA (and its assortment of bot-catching descendants) helps to lock out bots at the account creation stage by having human users prove “I’m not a robot” and, occasionally, tricking bots into proving that they are.
Breached password protection protects against credential stuffing attacks by monitoring databases of compromised credentials and alerting users if they need to change their passwords.
It’s important to note that none of these technologies are foolproof, and none are designed to work in isolation. Some hackers have learned how to spoof fake IP addresses to mask brute force attacks. CAPTCHA always struggles to stay ahead of sophisticated bots that can mimic human behavior. And while retailers can force users to change their passwords in the event of a breach, they can’t change the underlying problem of password reuse. Even MFA, the bedrock of a sensible security strategy, works only if you convince or compel your customers to sign up for it.
But even though there’s no single silver bullet to prevent eCommerce fraud, implementing these features together offers superior protection. Scammers generally seek out the path of least resistance, and when you have all these tools, you don’t present your business as a soft target.
Prevent Fraud by Updating Customer Access Controls
We’ve talked about the threats to eCommerce retailers and the tools to protect against them, so the question now is, how do you go about putting those tools in place? For many retailers, the solution is to partner with a third-party customer identity and access management (CIAM) provider. That’s because building fraud-preventing tools in-house is time-consuming for any business, and it’s out of reach for most small to medium-sized retailers. But sticking with the simple login solution you’ve had in place for years is clearly no longer an option.
But as we’ve discussed, all fraud-prevention tools are not created equally. Here’s what retailers should look for when analyzing potential CIAM partners.
There’s no reason to challenge every loyal customer to prove their identity every time they make a purchase, so retailers need step-up or adaptive MFA, which requests additional credentials only in the event of suspicious or high-risk behavior. For example, you may want to verify a customer’s identity if they log in with a new device or place an order above a certain dollar amount.
Auth0’s Adaptive MFA analyzes every login attempt and assesses its risk level. This assessment included a user’s IP reputation, whether the login is coming from a known device, or whether its geographic location indicates so-called “impossible travel.”, Based on these factors, it then determines whether the login can proceed uninterrupted, triggers MFA, or blocks the account altogether.
Comprehensive Attack Protection
Likewise, retailers need anomaly detection that lets them combine the strongest tools available to deter scammers. Auth0’s Attack Protection offers an arsenal with which businesses can protect themselves. That includes Bot Detection, which forces suspicious logins to take a CAPTCHA test. Suspicious IP Throttling and Brute Force Protection block IP addresses from trying to break into user accounts. And Breached Password Protection notifies customers if a user’s credentials have been compromised in a known data breach. Lets customers implement CAPTCHA and enable brute force protection, and notifies them about breached passwords.
Here’s a look at Auth0’s Attack Protection tools.
Developer-friendly documentation and support
Finally, in order to put safeguards in place as quickly and easily as possible, retailers should look for a CIAM solution that provides a high level of documentation and support. While many identity providers have similar suites of tools and services, the time it takes to implement them can vary widely depending on what kind of instructions they give to developers. Having clear documentation and customer support is particularly important to smaller businesses, who don’t have dedicated authentication professionals on their teams.
An IAM Partner Can Get You Holiday-Ready
It’s been an indisputably challenging year, but retailers have risen to the occasion by embracing eCommerce solutions. And as 2020 comes to a close, it’s increasingly clear that eCommerce isn’t just a stopgap solution for the pandemic — it’s the new status quo. That means that updating security is a worthwhile investment for the entire coming year, not just the holiday rush. To learn more about how state-of-the-art identity can protect your customers and your business, reach out to the team at Auth0.
Auth0 provides a platform to authenticate, authorize, and secure access for applications, devices, and users. Security and application teams rely on Auth0's simplicity, extensibility, and expertise to make identity work for everyone. Safeguarding billions of login transactions each month, Auth0 secures identities so innovators can innovate, and empowers global enterprises to deliver trusted, superior digital experiences to their customers around the world.