Cracking account security: How merchants should protect their customers’ accounts
An overview of how merchants should protect their customers from account takeover through credential stuffing and how weak security can result in reputational damage.
Over the years there’s been a rapid increase in the number of consumers who have fallen victim to account takeover. According to UK prevention service Cifas, identity fraud hit a record high of 174,523 cases in 2017, with 95% of takeovers involving the impersonation of an innocent victim.
Account takeover is usually the result of poor authentication and verification combined with weak password security, which has left a wide open door for fraudsters to open new accounts with stolen details, take over good accounts, and wreak havoc in a merchant’s customer base.
This blog explains the implications for merchants and how they should protect their customers to ensure the security and safety of account details.
The impact of account security for merchants
The most valuable asset for any e-commerce company is its customer accounts. Loyal customers mean repeated business and trust built between the brand and consumer. Good customers turn to brands they trust when searching for a product, spend time on their site and would confidently recommend that brand both socially and to their friends.
One of the biggest costs for e-commerce businesses is the cost per acquisition for new customers, getting them through the door. So once they have good users, retaining them and keeping them on the site is key.
But as technology has advanced, so have customer expectations. A frictionless shopping experience is desirable, often essential, when ordering with a merchant.
Tech giant Amazon are a great example of providing a flawless shopping experience. Customers can make a purchase with 1-Click and not submit further payment details. It’s a fantastic shopping experience for the customer.
However, think of the damage that can be done if one of these accounts gets into the hands of a fraudster: purchases can be made instantly and repeatedly without needing to provide payment details. Whilst Amazon are a great example of a merchant that breaks down the barriers between the desire to buy something and cart abandonment, it also shows how important account security becomes when providing this level of transaction convenience.
Responsibility in the hands of the merchant
In the past, the assumption has been that weak account credentials are the consumer’s fault. We are all lazy. We use the same password across a variety of merchants, and that’s pretty normal: it’s hard to remember different symbols and keys for different logins.
E-commerce merchants should understand this and take the initiative themselves to bring in new measures and provide the security. Bringing in stronger authentication methods such as 2FA is a great way to keep the customer protected.
The epidemic of weak account security is spread across a variety of industries too. Gambling companies often report millions of credential stuffing attempts every single day. There’s a tsunami of hacking going on. As consumers reuse the same combinations, fraudsters follow the exact same footsteps and try the same combo on lots of other merchants. And they have bots and machines to do this for them in incredibly efficient and cheap ways.
How should merchants fight back against weak accounts?
Companies should be using the same resources as fraudsters. There are over three billion username and password combinations available on the internet from the big data breaches and hacks of past years. Every merchant should gain access to such compromised-credential data and ensure that when a new customer signs up with them, they’re not permitted to use details that have been compromised previously. Although this may cause a bit of temporary friction, the bigger picture of security outweighs any delay in opening an account.
And account security should be seen as a benefit and value-add for companies: companies known for bad security will quickly lose market share, and people will avoid using them. Protecting the customer is essential for any brand that wants to succeed in the long run.
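The signup check described above, as an added example that is not from the original post: a Python sketch of a breached-credential screen. The breach corpus here is constructed and tiny, standing in for the multi-billion-row datasets the post mentions; the lookup uses the hash-prefix (k-anonymity) pattern so the signup service never has to hand a plaintext password, or even its full hash, to the lookup service.

```python
import hashlib

# Constructed sample of a breach corpus (made-up values, not real breach data).
BREACHED_CREDENTIALS = [
    ("alice@example.com", "Password123"),
    ("bob@example.com", "letmein"),
    ("carol@example.com", "Summer2017!"),
    ("dave@example.com", "letmein"),
]

def sha1_hex(value: str) -> str:
    return hashlib.sha1(value.encode("utf-8")).hexdigest().upper()

def build_password_index(corpus):
    """Index breached passwords by 5-char SHA-1 prefix -> {suffix: count}."""
    index = {}
    for _, password in corpus:
        digest = sha1_hex(password)
        bucket = index.setdefault(digest[:5], {})
        bucket[digest[5:]] = bucket.get(digest[5:], 0) + 1
    return index

def range_lookup(index, prefix):
    """Lookup-service side: the caller reveals only the first five hex chars of
    the hash and receives every suffix sharing that prefix (k-anonymity)."""
    return dict(index.get(prefix.upper(), {}))

def password_breach_count(index, password):
    """Signup-service side: hash locally, query by prefix, match suffix locally."""
    digest = sha1_hex(password)
    return range_lookup(index, digest[:5]).get(digest[5:], 0)

def build_combo_index(corpus):
    """Hash the exact email+password pair so reuse of a leaked combination is
    caught as well as reuse of a commonly leaked password."""
    return {sha1_hex(f"{email.lower()}:{password}") for email, password in corpus}

def combo_is_compromised(combo_index, email, password):
    return sha1_hex(f"{email.lower()}:{password}") in combo_index

def signup_allowed(index, combo_index, email, password):
    """Reject a new account that reuses a leaked pair or a leaked password."""
    if combo_is_compromised(combo_index, email, password):
        return False, "email/password pair appears in a known breach"
    if password_breach_count(index, password) > 0:
        return False, "password appears in a known breach"
    return True, "ok"
```

The same screen can be re-run at login time against an existing account, which is how a merchant catches customers whose reused password leaked after they signed up.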
A great example of good account security is Google. If a new location has been used to log in to a customer's account, the customer gets an update. If someone is using a new device, consumers get a notification to confirm it is them. Companies have this data on the consumer and should be using it to protect against fraud.
What are the consequences of bad account security?
A Javelin Strategy & Research study focused on USA data states that account takeover (ATO) has grown significantly, with total losses from ATO fraud hitting $5.1 billion in 2017. For merchants, it’s not just the cost of replacing goods or refunding payments; it’s also the time spent by support teams dealing with angry customers and by other teams tackling the legal and operational fallout.
A loss of credibility follows any business known for bad security and weak account protection. And we’re only seeing the beginning of it: this is going to become an even bigger problem with the explosive use of social media and customers taking to those platforms to complain about brands.
And it’s no longer only the larger companies that carry this level of responsibility. Merchants should ask themselves whether they’re asking enough questions, analysing enough data and using machine learning techniques to track spending patterns. If an account suddenly goes on a random spending spree, then companies should intervene.
Whilst consumers don’t want to be morally lectured by a merchant, when an irregularity in spending is noticed it is always worth asking whether the account has been compromised, rather than risking the loss of a good customer. Consumers will appreciate being notified, and might come to expect it as public awareness of account takeover becomes more widespread.
On the other hand, we understand that account behaviour is a very difficult pattern to detect. Anomaly detection with machine learning requires anomalous behaviour to take place. It’s essentially just an account buying goods, and if the fraudster is sensible, they’ll adopt a ‘low and slow’ approach: small purchases first instead of extravagant ones, so nothing is flagged in a merchant’s database. The ‘low and slow’ trend has become popular amongst fraudsters to impersonate the spending actions of a genuine customer. This reinforces the point that no single ATO defence on its own will be sufficient. A range of tactics deployed across the customer journey is the best way to protect the all-important customer lifetime value.
How to shut the open fraud door
Merchants should provide security at a “Google level” and not allow odd behaviour. Dive deep into customer data and analyse behaviour. Use location and device sign-ins to build a picture of what’s normal for each customer. Customers tend to have consistent shopping patterns; if something is strange then it should be challenged. It shows that the merchant values the customers’ details and cares about account security. And it’s always better to be safe than sorry.
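The new-device and new-location signals the post attributes to Google, and the closing advice to build a picture of what is normal for each customer, as an added Python example that is not from the original post. The login events, device identifiers and countries are constructed; how a device id is derived and how a challenged login is later confirmed are assumed to live elsewhere in the merchant’s stack.

```python
from dataclasses import dataclass, field

@dataclass
class LoginEvent:
    account: str
    device_id: str   # identifier the merchant assigns to a browser/app install
    country: str     # derived from the IP address at login time
    succeeded: bool  # whether the password check passed

@dataclass
class AccountProfile:
    known_devices: set = field(default_factory=set)
    known_countries: set = field(default_factory=set)

def assess_login(profile, event):
    """Compare a successful login with what is normal for this account."""
    signals = []
    if profile.known_devices:  # the very first login has nothing to compare to
        if event.device_id not in profile.known_devices:
            signals.append("new_device")
        if event.country not in profile.known_countries:
            signals.append("new_location")
    return signals

def decide(signals):
    """Map signals to the action taken before the session is trusted."""
    if "new_device" in signals and "new_location" in signals:
        return "challenge"  # step-up, e.g. 2FA, before any purchase
    if signals:
        return "notify"     # tell the customer, the way Google does
    return "allow"

def process_login(profiles, event):
    profile = profiles.setdefault(event.account, AccountProfile())
    if not event.succeeded:
        return "deny"        # a failed attempt must never teach the profile
    decision = decide(assess_login(profile, event))
    if decision != "challenge":
        # Only a trusted login extends what "normal" looks like; a challenged
        # device/location is recorded once the customer confirms it elsewhere.
        profile.known_devices.add(event.device_id)
        profile.known_countries.add(event.country)
    return decision

# Constructed sample login stream (made-up identifiers and countries).
SAMPLE_LOGINS = [
    LoginEvent("cust-1", "dev-A", "GB", True),
    LoginEvent("cust-1", "dev-A", "GB", True),
    LoginEvent("cust-1", "dev-B", "GB", True),   # new device, usual country
    LoginEvent("cust-1", "dev-C", "RO", True),   # new device and new country
    LoginEvent("cust-1", "dev-C", "RO", False),  # wrong password
]
```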