
Protecting against rising ecommerce fraud and bot-based attacks

By Regional Vice President, UKI & MENA, Auth0

For ecommerce, 2020 was a momentous year. Sales shot up 37% over 2019 as people turned to shopping online while physical stores were closed during national pandemic-related lockdowns.

However, as more of us continue to dive into the digital world for all our shopping needs, opportunistic bad actors are keeping pace. In fact, in 2020, medium-sized to large retailers reportedly experienced 14% more fraudulent transactions per month than in 2019.

Retailers today are facing two key challenges – how to provide an engaging and unique online experience to shoppers without falling victim to fraudulent or bot-based attacks, and how to invest in fraud prevention technologies that won’t add unnecessary friction and thereby lead to undesirable churn or cart abandonment.

Surge of bot attacks 

As the internet continues to evolve, so too does the list of threats that retailers have to grapple with. However, one common concern that keeps appearing in our customer conversations and analysis of attacks is the sheer scale of automated bots being deployed and executed globally.

These attacks previously took the form of a swarm of bots buying up all the inventory for in-demand items – such as concert tickets or limited edition fashion items – to later be resold at a significant markup. This trick has since evolved for highly sought-after gift items too, so bots can now also scan global websites for the exact moment an item goes on sale to then alert their owners who can buy the product automatically or immediately. 

We saw this not too long ago, when PlayStation 5 consoles were bought up in bulk and resold for hundreds of pounds more than their original value. Naturally, this is frustrating millions of legitimate customers worldwide. It has even caught the attention of MPs, who have since called for increased legislation to prevent the resale of in-demand goods bought using bots.

Identity’s role and fighting against fraud

Most bot attacks use identity to impersonate genuine users and purchase goods with stolen credentials. Credential stuffing attacks have surged in recent years as people still tend to reuse passwords, despite all the advice not to. Hackers are very much aware of this and continue to exploit the billions of stolen login details circulating on the dark web.

This poses a significant threat to ecommerce retailers, especially with the rise of ‘Click and Collect’ services, which means fraudsters can now collect their goods before anyone is even alerted to a breach.

However, retailers have the power to fight back against fraud with effective tools that help verify user identities more accurately. One example is multi-factor authentication (MFA), which requires users to provide an additional form of verification beyond just a humble username and password. MFA often involves one-time passcodes being sent to a user’s phone or email, or even biometric authentication such as fingerprints.

When used correctly, MFA is the single most reliable defence against identity or authentication-based attacks, yet adoption among retailers is slow. This could be due to concerns that MFA introduces too much user friction, but the advancement of MFA now means it is far more seamless and secure.

Yes, having to provide additional credentials at every single login can be cumbersome, but with adaptive MFA, the technology works smarter, and only requests secondary information when a login is deemed risky or suspicious. For example, if a customer usually signs in from Birmingham on their iPhone, adaptive MFA would kick in if a login attempt is suddenly made from Buenos Aires on an Android device.

Brute force protection is another tool that can prevent retailers’ websites or apps being suddenly overwhelmed by armies of bots, as it can immediately lock out IP addresses after a certain number of failed login attempts.
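The two controls just described, adaptive MFA and per-IP brute force lockout, can be sketched as a single login gate. This is an added example, not code from the article or from any vendor's product; the class name, threshold, window, country/device profile and the rule that a first login enrols its context are all assumptions made for illustration.

```python
from collections import defaultdict, deque

MAX_FAILURES = 5       # assumed lockout threshold (the article gives no number)
WINDOW_SECONDS = 300   # assumed sliding window for counting failures


class LoginGate:
    """Hypothetical gate: per-IP lockout first, then risk-based MFA step-up."""

    def __init__(self):
        self.failures = defaultdict(deque)  # ip -> timestamps of failed logins
        self.known = defaultdict(set)       # user -> (country, device) pairs seen

    def _recent_failures(self, ip, now):
        q = self.failures[ip]
        while q and now - q[0] > WINDOW_SECONDS:  # drop failures outside window
            q.popleft()
        return len(q)

    def attempt(self, user, ip, country, device, password_ok, now):
        if self._recent_failures(ip, now) >= MAX_FAILURES:
            return "blocked"            # locked out even if the password is right
        if not password_ok:
            self.failures[ip].append(now)
            return "denied"
        context = (country, device)
        if self.known[user] and context not in self.known[user]:
            return "mfa_required"       # unfamiliar context: ask for second factor
        self.known[user].add(context)   # assumption: first-ever login enrols context
        return "allowed"

    def mfa_passed(self, user, country, device):
        self.known[user].add((country, device))  # trust context after step-up


def demo():
    """Constructed events mirroring the article's Birmingham / Buenos Aires case."""
    g = LoginGate()
    out = [g.attempt("alice", "198.51.100.4", "GB", "iPhone", True, now=0)]
    out.append(g.attempt("alice", "198.51.100.9", "AR", "Android", True, now=10))
    g.mfa_passed("alice", "AR", "Android")
    out.append(g.attempt("alice", "198.51.100.9", "AR", "Android", True, now=20))
    # A bot guessing passwords from one address (constructed, documentation IP range)
    for t in range(30, 30 + MAX_FAILURES):
        out.append(g.attempt("bob", "203.0.113.7", "GB", "Linux", False, now=t))
    out.append(g.attempt("alice", "203.0.113.7", "GB", "iPhone", True, now=40))
    return out
```

A per-IP counter only sees guesses that come from one address, so credential stuffing spread across many addresses stays under the threshold; the step-up check on unfamiliar context is the layer that still applies in that case.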

These are just a few examples of the many anti-fraud tools that make life harder for bad actors – and there’s no single technology that can claim to do it all. Retailers need to think of security in layers and implement a range of features to fend off attackers. However, building effective security tools in-house is incredibly time-consuming, and not practical for small to medium-sized retailers. This is exactly why many businesses partner with a third-party customer identity and access management (CIAM) provider to ensure their customers are kept as safe as possible.

As 2021 shows no signs of ecommerce sales slowing, retailers need to be able to protect their customers’ identities and prevent attacks before they happen. Those retailers that embrace today’s advanced ecommerce solutions will find it is entirely possible to successfully balance customer convenience, security, privacy, and still maximise their trade during this ecommerce boom.