Over the past year and a half, traditional shopping has completely transformed. The pandemic shook up the retail industry as shoppers avoided brick-and-mortar stores and dedicated their attention online, putting a heightened emphasis on e-commerce. In fact, e-commerce sales grew 62% year-over-year from January 2020 and are expected to continue to grow. While this boom is good news, unfortunately, it has also created a similar spike in e-commerce fraud and digital retailers are susceptible to major risks.
Today’s Bot-Based Cybersecurity Threats
Before we discuss how to prevent and protect against e-commerce attacks, it’s important to first understand the specific threats at hand.
Bot-based attacks are some of the most prevalent attacks retailers face and come in multiple variations. For example, one form is an army of bots that buys up inventory for in-demand items and resells them at a markup—similar to the common problem online ticket vendors experience. This can be particularly detrimental to retailers, because legitimate buyers who find the item sold out will seek out competitors who sell the product they want, which can impact brand loyalty.
In other variations, bot attacks use identity as their vector, breaking in through a traditional login by impersonating legitimate users. In credential stuffing attacks, hackers take users' login credentials that were stolen in a data breach and replay them against other accounts. E-commerce retailers are particularly at risk of these attacks, especially when they offer "buy online, pick up in store" (BOPIS), since a hijacked account can turn directly into collected goods. This threat continues to be prevalent because users often reuse passwords across multiple sites (according to a recent Auth0 survey, 86% of global consumers admit to reusing passwords), making the hackers more successful in their ventures.
How to Prevent E-Commerce Fraud
So, how can retailers continue to successfully offer e-commerce options to customers without exposing themselves to fraudsters? Fortunately, there are effective, modern identity management solutions to deter bots and hackers without creating unnecessary obstacles for legitimate users.
- Multi-factor authentication (MFA)
This is one of the most useful tools for fighting against bot attacks since it adds an additional verification layer (e.g. an SMS code sent to a mobile phone or email, or a biometric identifier such as a fingerprint scan) beyond a username-password combination. In fact, Auth0's survey also revealed that consumers globally are more likely to sign up for an application or online service if they are able to log in with MFA (49%); however, only 29% of businesses offer MFA.
- Adaptive MFA
This context-based form of MFA requests additional credentials only in the event of suspicious or high-risk behavior and helps cut back on user friction even further. Adaptive MFA calculates an overall risk score that measures abnormal behavior from known devices, impossible travel, and/or IP reputation, to determine if a second form of authentication is needed.
For example, for a user who normally signs into their account at the same time every morning in New York from a personal laptop, Adaptive MFA would only present a second-factor authenticator if login was attempted outside of the region, usual timeframe, or from a different computer or IP address.
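To make the risk-score idea concrete, here is an added illustration (not Auth0's or Okta's code) of a scorer that weighs the three signals named above: an unknown device, poor IP reputation, and impossible travel between two logins. The weights, the 900 km/h plausibility limit, the 40-point step-up threshold and all sample logins are assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

# Assumed thresholds: roughly airliner speed, and the score that triggers step-up.
MAX_PLAUSIBLE_SPEED_KMH, STEP_UP_THRESHOLD = 900.0, 40

@dataclass
class LoginEvent:
    user: str
    device_id: str
    ip: str
    lat: float
    lon: float
    ts: datetime  # timezone-aware

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres (Earth radius 6371 km)."""
    dphi, dlam = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlam / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def risk_score(event, last_login, known_devices, bad_ips):
    """Return (score, reasons); each signal adds its weight only when it fires."""
    checks = [
        (event.device_id not in known_devices, 40, "unknown device"),
        (event.ip in bad_ips, 50, "poor IP reputation"),
    ]
    if last_login is not None:  # impossible travel needs a previous login
        hours = (event.ts - last_login.ts).total_seconds() / 3600
        dist = haversine_km(last_login.lat, last_login.lon, event.lat, event.lon)
        too_fast = hours <= 0 or dist / hours > MAX_PLAUSIBLE_SPEED_KMH
        checks.append((too_fast, 60, "impossible travel"))
    hits = [(weight, why) for fired, weight, why in checks if fired]
    return sum(w for w, _ in hits), [why for _, why in hits]

def needs_second_factor(event, last_login, known_devices, bad_ips):
    """Decide whether to present a second factor for this attempt."""
    return risk_score(event, last_login, known_devices, bad_ips)[0] >= STEP_UP_THRESHOLD

# Constructed sample data: Alice's usual morning login from New York, then a
# login from London one hour later on a device she has never used.
NYC, LONDON = (40.7128, -74.0060), (51.5074, -0.1278)
KNOWN_DEVICES, BAD_IPS = {"laptop-7f3a"}, {"203.0.113.9"}  # documentation-range IP
LAST = LoginEvent("alice", "laptop-7f3a", "198.51.100.4", *NYC,
                  datetime(2021, 6, 1, 12, 0, tzinfo=timezone.utc))
ROUTINE = LoginEvent("alice", "laptop-7f3a", "198.51.100.4", *NYC,
                     datetime(2021, 6, 2, 12, 5, tzinfo=timezone.utc))
SUSPECT = LoginEvent("alice", "phone-0000", "198.51.100.77", *LONDON,
                     datetime(2021, 6, 1, 13, 0, tzinfo=timezone.utc))
```

The routine next-morning login scores zero and passes straight through, while the London attempt scores 100 (unknown device plus impossible travel) and is stepped up to a second factor.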
- Brute Force Protection
A tool designed to prevent bot armies from overwhelming your website or app with login attempts. Enabling this tool locks out IP addresses after a certain number of failed login attempts.
- Breached Password Detection
A solution that alerts users that they need to change their passwords in the event their passwords have been compromised in a known breach.
As retailers ramp up their digital offerings to align with current consumer behavior, security must be at the forefront of their business plans. Cyberattacks are constantly evolving and hackers are getting smarter by the minute, and it is important to understand that there is no silver bullet to prevent e-commerce fraud. Implementing a layered security approach will offer superior protection for your business and customers.
While fast delivery and a fun user experience can be enticing for customers, one data breach could destroy your business and scare loyal customers (and potential new customers) from shopping online at your store ever again. Security is a business enabler and worthwhile investment now and for the foreseeable future.
-Jameeka Green Aaron, CISO at Auth0, a product unit of Okta
Jameeka Green Aaron is the Chief Information Security Officer (CISO) at Auth0. Jameeka has over 20 years of Information Technology and Cyber Security experience. She is a versatile leader, successfully leading teams as both a CISO and CIO across various industries including Aerospace & Defense, Apparel, Retail, and Manufacturing at both Fortune 100 and privately held companies and many spaces in between. She is highly skilled in Business Engagement (International and U.S. based), Audit, Compliance, Vulnerability, Risk and Identity Management, Digital Transformation, Mergers, Acquisitions, Divestitures, and leading Cross-Functional and Matrixed teams.