Convenience is a top consideration for retail customers, but security is not far behind. While unexpected fees are the top reason for abandoned carts, 21% of users give up due to complicated login and checkout processes, and 17% leave because of security concerns.
For e-commerce retailers, convenience and security seem diametrically opposed. Protecting accounts and systems involves putting up roadblocks to deter bad actors, but legitimate customers must also navigate those hurdles. Convenience and security can coexist, but balancing the two is a significant challenge.
Growing threats to online retailers
Companies must develop strategies to thwart a variety of schemes, not all of which are perpetrated by bad actors. Customers can also commit fraud. Retailers are up against:
● Account takeovers
An account takeover happens when a fraudster gains illegitimate access to an account. This could be a customer or employee account. Bad actors exploit customer accounts to place orders, steal customer information, change customer details, and swipe loyalty points, among other nefarious deeds. Hackers use employee accounts to access sensitive customer data and hijack the retailer's system. Fraudsters use phishing, social engineering, credential stuffing, and bot attacks to execute this scheme.
● Payment fraud
When people think about payment fraud, they typically picture a bad actor stealing customer information or testing credit card numbers, but that's only one form. Retailers also experience friendly fraud, where a customer files a chargeback with their bank for a legitimate purchase. A customer could also initiate a return and either not send the correct item back or return the item in used condition.
● Account creation fraud
Many people have created multiple accounts from different email addresses to take advantage of free trials and new user discounts or subvert purchase limits and paywalls. Multi-accounting is fraud and proves very costly to retailers.
● Location spoofing
Some users manipulate their device's IP address, use a VPN, or employ other techniques to fake their device location. They may do this to obtain lower prices, circumvent regional restrictions for things like streaming services, or cover their tracks when committing other fraud schemes. While VPNs have legitimate uses, they can also be powerful tools for fraudsters.
Many retail sites employ strong password requirements, one-time passwords, multifactor authentication, and CAPTCHAs to deter fraud. Unfortunately, all of these add additional friction for customers. So, how do retailers reduce the hassle?
Strategies to balance experience with security
The answer to deterring fraudsters is not more locks — it's smarter doors. Companies have several options to remove friction for their customers.
● Single sign-on
This approach allows users to log in to multiple accounts with a single set of credentials. Google's SSO is a popular example. People can connect their Google accounts to third-party apps, allowing those organizations to use Google as an identity provider. SSOs reduce the burden of creating, remembering, and entering passwords. Often, users can log in with one click.
● Biometric authentication
Nearly 65% of consumers believe on-device biometric authentication is easier to use than traditional methods requiring a password and a one-time code. Biometrics are unique physical characteristics, such as fingerprints and facial recognition, that are hard to replicate and easy for users to access.
● Adaptive authentication
Companies can use risk-based assessments to adopt a tiered security approach. This strategy allows retailers to evaluate the risk of individual login attempts. For example, an account login from a returning device poses minimal fraud risk while a device signing on from a foreign country could be using location spoofing or compromised credentials. An account with multiple failed password attempts may be a credential-stuffing attempt. With adaptive authentication, companies can trigger additional authentication methods — like MFA — for unknown or suspicious logins while not requiring them for trusted devices, streamlining the customer experience.
Device intelligence support
Consider the analogy of an exclusive nightclub: These solutions act like the bouncer. They show people on the list get to the VIP door, while everyone else has to show their ID.
Device intelligence supports tiered security by using device fingerprinting to assign each visitor a unique ID, allowing companies to recognize a device when it returns to the site. These solutions also flag suspicious visitors by evaluating device characteristics, such as IP address, screen resolution, and operating system. A device with unrealistic system specifications is likely a bot, while one with a mismatched IP address and timezone may be spoofing its location. Evaluating user behavior, such as the same device logging into multiple accounts, also gives insight into the threat potential. Site visitors flagged by the device intelligence platform must complete additional security steps.
An added benefit of recognizing returning devices: Retailers can customize the customer experience, such as resuming the person's shopping journey or tailoring the homepage content to their interests. People want businesses to be able to recognize them. A recent Experian report found 63% of surveyed people said it's extremely or very important for businesses to be able to accurately identify them online.
Genuine users shouldn't carry the security burden of elaborate password requirements and multiple login steps. Retailers must assume more responsibility. By implementing robust back-end solutions that streamline logins and assess threats, retailers can turn fraudsters away at the door and roll out the welcome mat for customers.