4 Tips for Embracing Digital Innovation without Risking Account Takeover Fraud and Customer Friction
Many online merchants and service organizations face a paradox: Customers are demanding more convenient digital services at the same time that cyberattacks targeting e-commerce and online services are skyrocketing both in number and in impact. This puts online businesses in the unhappy position of trying to embrace customer preferences for digital innovation while opening themselves to increased risk of fraud and other forms of cybercrime.
At the heart of this conundrum are three primary drivers. First, each new digital service or e-commerce site that organizations roll out expands the existing attack surface, giving criminals a larger target and making detection and mitigation more complex. Next, in most organizations, the groups most focused on defending against cybercrime are security and fraud teams, which often exist in their own siloes, rarely collaborating on cyber strategy or defense tactics. This hampers a coordinated approach to cybersecurity that could limit or prevent attacks and more quickly shut down breaches and fraud.
Finally, and somewhat ironically, certain customer habits and behaviors unwittingly increase exposure for online vendors and service providers. Around two-thirds of consumers reuse the same credentials (usernames and passwords) across multiple websites, according to Google research. And who can blame them? There are nearly 33 million e-commerce sites on the Internet, according to a BuiltWith e-commerce usage distribution report, and nearly all will require some form of username and password to make a purchase.
However, repeated reuse of credentials creates vulnerabilities that are easily exploited by cybercriminals and their armies of automated bots. Stolen or compromised credentials account for 54% of all security breaches, according to Hacker News, paving the way for one of the highest impact cyberthreat vectors of all: account takeover, or ATO. Using armies of bots, the attacker conducts automated login attempts at massive scale, a practice called credential stuffing, to discover which credential pairs are valid on multiple login forms. Because a significant fraction of breached credentials will also work to gain access to accounts at other sites, attackers can take charge of accounts, change credentials to lock out the legitimate account owner, drain the assets, and use the accounts to commit additional acts of fraud.
ATOs surged the first half of 2022, rising 131% over the same period of the previous year, according to a report in VentureBeat. The impacts are real: According to the Javelin 2022 ID Fraud Study, 22% of U.S. adults have been victims of ATO, and digital fraud losses are anticipated to surpass $343 billion globally between 2023 and 2027, according to reports in American Banker.
It seems clear that for many e-commerce and online services, embracing digital innovation also increases the risk of cyberattack and potential fraud loss. But that does not mean that organizations should restrict innovation and investment in new digital customer services and experiences. It means that organizations should embrace technical innovation to protect their digital channels from security and fraud threats.
Four Steps for Safeguarding Digital Innovation
Here are four proactive measures businesses can take to help them mitigate risk within their digital channels:
- Mitigate malicious bots. Over half of all traffic on the Internet is from bots, and while some of those bots are useful (chatbots, search engine crawlers), the majority are malicious. Bad bots scale automated attacks that snap up goods, hoard inventory, create fake accounts to commit fraud, slow web and app performance, and carry out ATO via credential stuffing. Take control of bot activity on your networks and web properties with advanced bot mitigation solutions that use rich client-side signal collection, aggregated data collection, and machine learning to prevent bot attacks in real time by automating ATO prevention.
- Stop manual fraud. When the ROI is high enough, attackers will bypass anti-automation controls with more-difficult-to-monitor manual fraud. Identifying manual ATO fraud in digital channels requires evaluating the truth of users’ identity and establishing their intent, but it must be accomplished without impacting the user experience of legitimate customers. Today’s sophisticated fraud solutions employ AI-based systems trained on verified human data to evaluate truth and intent to help stop manual fraud in real time without disrupting the customer journey for actual customers.
- Break down organizational siloes between security and fraud teams. While both fraud and security teams deal with the complexities of cyberattacks, they often approach the problem from different angles and with different tools. Security teams protect computing networks and external-facing applications from infiltration and exploits, while fraud departments focus on protecting online digital transactions and incident response. Both teams may be dealing with the impacts of the same incident or exploit, but if the teams don’t communicate, threat intelligence can be lost and the scale of the attack may not be revealed, a situation that only benefits attackers. Collaboration between fraud and security teams provides better visibility into attacks, improves monitoring and detection, and enables more focused responses.
- Reduce fraud without interrupting the customer experience. If organizations take steps to mitigate automated bot traffic, set up protections against manual fraud, and converge fraud and security teams for greater collaboration and more effective response to exploits, they are in the position to scale back conventional anti-fraud defenses that add friction to their customer journey processes. In other words, when fraud risk is controlled, businesses can largely remove irritating CAPTCHA puzzles and other annoying challenge-response tests, providing a greatly improved user experience for legitimate customers, without introducing fraud risk into your digital channels.
Expanding your e-commerce sites and other digital services doesn’t need to also expand your risk of cyberattack. Advanced bot and fraud mitigation solutions like F5 Distributed Cloud Bot Defense help you stay ahead of attackers while eliminating frustrating security frictions to improve your customers’ safety and experience online. Using sophisticated technologies such as threat intelligence modeling and machine learning to detect attacker techniques, Distributed Cloud Bot Defense deploys appropriate countermeasures in real time to counter fraud and ATO with maximum effectiveness, enabling your organization to embracing digital innovation without risking fraud and customer friction.
To discover the economic impact of bots to your organization, schedule a free bot-management business ROI consulting session. To learn more about credential stuffing attacks that lead to account takeover, read the F5 eBook Credential Stuffing 2022: The Latest Attack Trends and Tools. Or, read this solution overview to learn how F5 Distributed Cloud Bot Defense can help protect your online channels from attack and fraud.