As the definition of “customer” continues to expand in the world of online business, so do the ways companies define how they handle fraudulent online activity.
Today’s online customer is not found only within a 20-mile radius of your brick and mortar store. Customers are coming from around the world to browse and buy on your website. These global customers connect with your store across multiple devices from various connection points. And businesses struggle with determining how to keep the company and their customers safe from fraudulent activity. Legacy fraud detection services and advanced authentication tools are not helping the situation because they often lead to a high number of wrongly declined transactions and challenged orders.
Gartner®, in its recent report, “Don’t Treat Your Customer Like a Criminal,” by Tricia Phillips, Jonathan Care and Akif Khan,1 described the challenge this way: “While the concept of risk-based authentication has been around for more than a decade, in an effort to lock down fraudulent activity, many organizations have created a narrow and inflexible definition of ‘normal and acceptable’ behavior. Fraudsters clearly understand these boundaries and can navigate them.”
Customers today shop with a variety of devices, flitting from one to the other during the same shopping journey. Needless to say, they bristle when they encounter barriers retailers and brands erect in order to avoid fraudulent orders. Often it’s the most valuable customers, with their high-order values, that meet inconveniences such as identity challenges that in the end serve only to drive them away.
- It’s time to think the best of your customers and erect barriers that respond in kind to the risk at hand.
- Technology in general and machine learning, in particular, can help you balance security and seamless experiences.
- A new era of e-commerce, complete with new and more complicated consumer habits, calls for new ways of avoiding fraud and consumer abuse.
So, what’s the answer?
It’s entirely possible to achieve both goals — to provide a convenient shopping experience and protect the enterprise from fraud with an identity-centric solution. The goal should be to meet each level of risk (hi, low, medium, for instance) with the least amount of customer-authentication friction.
From the Gartner report:
“It is time for a paradigm shift in which we assume the positive intent of our users.
It should be possible, outside of acute fraud attacks, to use technology to safely enable a low-friction authentication or purchase experience for approximately 98% of human users. This can be accomplished by:
- Expanding our understanding of “normal” customer behavior.
- Investing in tools to more accurately assess intent based on risk signals rather than binary rules.
- Defining the risk level and context of each specific business interaction.”
A three-prong solution to creating an authentication process that works
Signifyd for years has been advising merchants to avoid treating their customers like criminals. Perhaps easier said than done. The answer is data, lots of it and the means to analyze its meaning. Treating your customers like celebrities, rather than criminals requires learning machines that digest thousands of signals to separate fraudulent orders from legitimate ones.
In short, merchants want to build a relationship based on trust, not suspicion. Let’s look at some ways innovative, machine learning approaches are able to do that.
1. Data-fueled artificial intelligence can pick up on bot activity and determine whether an order is from a legitimate customer or part of an automated fraud attack. Bot attacks are on the rise, according to Signifyd Ecommerce Pulse data — increasing by 146% during 2020.
As a result, some retailers have turned to suspicion-based solutions, such as adding CAPTCHAs or creating overly conservative rules that decline orders that appear to be high volume or high velocity.
Technology provides a trust-based solution: Putting learning machines on the case, machines that with a high degree of precision can detect the signals that indicate a bot attack while recognizing anomalies in orders that are most likely human-initiated.
Signifyd’s Decision Center, for instance, detects and manages unauthorized resellers who frequently turn to bots to corner the market by buying up inventory at a blistering pace. The fraud rings then, of course, turn around and sell the items at an inflated price.
Signifyd solutions can also detect and derail attempts at rapid-fire credential stuffing, a technique to commit large-scale account takeover, and automated card testing, by which fraudsters check to see if stolen credentials are valid and usable.
Mutual trust is the key to customer loyalty
These innovative solutions help legitimate customers and retailers to build a relationship of trust with one another that results in greater loyalty and engagement over time.
“For the majority of human-to-digital business interactions, the human user has positive
Intent,” Gartner’s “Don’t Treat Your Customer Like a Criminal” report notes. “Changing the paradigm of digital trust to start from that assumption, and utilizing machine-learning-based behavior analytics to flag indicators of abnormal or high-risk behavior, will enable improved customer experience and lower false-positive rates for the vast majority of consumers.”
2. Understanding consumer identity and intent is a key to building trust online.
You’ve probably heard the talking point: “Passwords are a thing of the past.” As much as some might wish it were so, we’re likely to have them for some time. That said, passwords tend to be a weak link in the chain of security around online transactions.
Consumers’ accounts are vulnerable to account takeover in part because so many consumers tend to use the same passwords across multiple accounts. In fact, Signifyd market research found that 54% of respondents admitted to using the same credentials across more than one retail account. And 43% said they used no more than four passwords across all the accounts they access.
For that reason and others, Gartner concludes: “It is safe to say that password privacy is long dead. This logically means that a user being able to successfully authenticate with their password provides little assurance of legitimacy.”
Are passwords dead?
This all suggests that passwords are no longer the reliable marker of online identity authentication that we’ve long believed. A user who successfully authenticates their identity isn’t necessarily the rightful owner of the account. At the same time, users who fail to remember their usernames and passwords are not providing an accurate indication of risk.
In time, behavioral biometrics will be the new password. They are already a vital tool in establishing online identity — the way a user mouses, types or browses a site are all elements employed to authenticate identity today.
#3 An adaptive approach to customer authentication takes a turn toward “trust, but verify
Common sense says the effort needed for a customer to authenticate their identity should be in proportion to the amount of risk involved in their transaction. But this often isn’t the case today. Want to buy a $17 T-shirt online? You might be required to log into an account — and in some parts of the world in certain cases, you might be asked to authenticate your identity via biometrics, such as a fingerprint.
You want to buy a $12,000 watch? Same thing.
The one-size-fits-all approach is changing, with innovative retailers realizing that high barriers for all comers do not make sense.
It’s time to rethink security
“The choice is no longer between high security and a seamless experience. A thoughtfully architected solution that utilizes the risk classifications for each possible action can offer an authentication experience where the required level of friction matches the risk of the action being attempted minus the current level of trust,” Gartner says in “Don’t Treat Your Customer Like a Criminal.”
Overall this seems to be a time of change for the online business world and how it views the balance between customer experience and online security. It’s imperative that ecommerce leaders start to rethink their online security strategy, how it is used to prevent fraudulent activity and how those elements affect a shopper’s experience.
We are seeing that these redundant authentication practices are not keeping fraudsters away, but rather frustrating legitimate customers to the point that they are choosing to take their business to merchants and brands that make it easier for them to get what they need.
- Gartner, Don’t Treat Your Customer Like a Criminal, By Tricia Phillips, Jonathan Care, Akif Khan, 1 July 2021
GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.
Want to balance protecting your enterprise with serving your customers? Read the report.