[Opinion poll] When the growth of e-commerce benefits cybercriminals
This article was originally published by Kris Imbrechts.
The deployment of automated bots to buy promotional stocks, credential stuffing: a look at the cyber-risks related to the growth of online sales.
According to the latest report on e-commerce, published in early February by Fevad, online sales grew by 8.5% in 2020, with a turnover of 112 billion euros. The sector, which represented 9.8% of retail trade in 2019, reached 13.4% in 2020, with 17,400 additional e-commerce sites and 1.8 billion transactions recorded. Boosted by health restrictions and the shift of customers from physical retail outlets to online shopping platforms, e-commerce saw its best year ever in 2020, and played a crucial role in maintaining economic activity in France.
At the same time, we have seen an increasing number of online scams, with malicious actors ready to take advantage of this spike in online traffic. In this context, and as more and more consumers go digital, the business owner is faced with major challenges: how to continue to operate in an attractive and productive way, while safeguarding himself - and his customers - against attacks? How to invest in robust fraud prevention tools without complicating or altering the customer experience, at the risk of causing attrition or cart abandonment?
The widespread use of bot attacks
The cybersecurity landscape in which e-retailers operate is constantly evolving, with new threats emerging all the time and cybercriminals redoubling their efforts to innovate in this area. The deployment of armies of automated bots is emerging as a common denominator put forward by retailers.
This type of attack against online retailers manifests itself in several ways. Traditionally, bot armies buy up an entire inventory of popular or high-demand items to resell later at a profit. Bots scan e-commerce platforms around the world. As soon as an item is put on sale, they alert their creators so that they can beat consumers to it. Some even buy the product automatically, faster than a human being. This happened in real time when the latest Nintendo Switch consoles appeared on eBay in 2020 for hundreds of euros more than the initial price, causing frustration among gamers around the world.
Identity is the key to cybercriminals' success
Many bots base their attacks on identity, posing as legitimate users. For example, "credential stuffing" attacks, where hackers exploit stolen login information, have multiplied in recent years. More specifically, to perpetrate these attacks, they exploit lists of usernames and passwords from previous hacks, many of which are freely available on the Internet. Assuming that users tend to reuse their passwords, cybercriminals can exploit the billions of stolen credentials currently circulating on the dark web, as was the case recently with Gmail accounts or the health data of nearly 500,000 French citizens stolen from laboratories. E-tailers are particularly exposed to these attacks.
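The login pattern that credential stuffing leaves behind can be looked for in authentication logs. The sketch below is an added example, not part of the original article: the log format, the sample lines and the thresholds are constructed for illustration, and it assumes the attempts arrive from a single source address.

```python
from collections import defaultdict

# Constructed sample log: timestamp, source IP (documentation ranges), username, result
SAMPLE_LOG = """\
2021-03-01T10:00:01 203.0.113.7 alice FAIL
2021-03-01T10:00:02 203.0.113.7 bob FAIL
2021-03-01T10:00:03 203.0.113.7 carol OK
2021-03-01T10:00:04 203.0.113.7 dave FAIL
2021-03-01T10:00:05 203.0.113.7 erin FAIL
2021-03-01T10:00:06 203.0.113.7 frank FAIL
2021-03-01T10:02:00 198.51.100.4 grace FAIL
2021-03-01T10:02:20 198.51.100.4 grace FAIL
2021-03-01T10:02:45 198.51.100.4 grace OK
2021-03-01T10:05:00 192.0.2.10 heidi OK
"""

def parse(log_text):
    """Yield (source_ip, username, succeeded) for each well-formed line."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines instead of failing the whole scan
        _timestamp, ip, user, result = parts
        yield ip, user, result == "OK"

def find_stuffing_sources(log_text, min_users=5, max_success_ratio=0.25):
    """Return {source_ip: [accounts that were logged into]} for sources that
    try many different usernames and mostly fail, which is what replaying a
    leaked username/password list looks like. A customer who mistypes a
    password retries one username and is not flagged. Thresholds are assumed."""
    users = defaultdict(set)
    attempts = defaultdict(int)
    compromised = defaultdict(set)
    for ip, user, ok in parse(log_text):
        users[ip].add(user)
        attempts[ip] += 1
        if ok:
            compromised[ip].add(user)
    findings = {}
    for ip, seen in users.items():
        successes = len(compromised[ip])
        if len(seen) >= min_users and successes / attempts[ip] <= max_success_ratio:
            # Accounts that logged in from a flagged source need a forced reset.
            findings[ip] = sorted(compromised[ip])
    return findings

if __name__ == "__main__":
    print(find_stuffing_sources(SAMPLE_LOG))
```

The accounts listed for a flagged source are the ones whose reused password worked, so they are the candidates for a forced password change.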
Methods exist to counter bots without affecting the experience of real customers. Since most e-commerce frauds take the form of fraudulent authentication attacks, where scammers pose as legitimate users, the solution is bound to be about confirming users' identities.
Multi-factor authentication (MFA) forces users to prove that they are who they say they are by providing an additional form of verification beyond the traditional username/password combination. This represents the most effective weapon against identity-based or authentication-based attacks. Common MFA methods include unique codes sent to a user's email address, and biometric identifications such as fingerprints.
However, some merchants have been unwilling to adopt these methods, partly because of concerns that multi-factor authentication would introduce too many hurdles into the customer's shopping journey and lead to shopping cart abandonment. Yet, thanks to recent developments, today's MFA standards are actually simpler and faster.
Fighting fraud to build loyalty
Consumers are growing more demanding and volatile. So, to ensure their engagement and loyalty, while limiting the risk of friction, it is necessary to avoid requiring existing customers to prove their identity with every purchase.
Rather, e-merchants can use a progressive or adaptive multi-factor authentication method, which requires additional credentials only in the case of suspicious or high-risk behaviour. For example, verifying a customer's identity may be necessary if they log in with a new device, or if they place an order over a certain value. With scams becoming increasingly prevalent and sophisticated, merchants need more than ever a way to prevent these fraudulent transactions from happening - before they get a call from the customer's bank for a cancellation. To help them do this, tools that automatically flag suspicious behaviour are available on the market.
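The adaptive approach described above, sketched as an added example that is not taken from the original article or from any particular product. The 500 euro threshold, the device identifiers and the `verify_second_factor` callback are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Assumed threshold; the article only says "over a certain value".
HIGH_VALUE_EUR = 500

@dataclass
class Customer:
    name: str
    known_devices: set = field(default_factory=set)

def step_up_reasons(customer, device_id, order_total_eur):
    """Return the risk signals that call for an extra authentication factor."""
    reasons = []
    if device_id not in customer.known_devices:
        reasons.append("new_device")
    if order_total_eur > HIGH_VALUE_EUR:
        reasons.append("high_value_order")
    return reasons

def checkout(customer, device_id, order_total_eur, verify_second_factor):
    """Decide an order. verify_second_factor(customer, reasons) is a
    hypothetical callback that runs the MFA challenge and returns a bool."""
    reasons = step_up_reasons(customer, device_id, order_total_eur)
    if not reasons:
        # Low-risk path: a returning customer on a known device is not challenged.
        return "approved"
    if not verify_second_factor(customer, reasons):
        # A failed challenge must not enrol the device, or the next attempt
        # from the same device would skip the check.
        return "denied"
    customer.known_devices.add(device_id)
    return "approved_after_mfa"

if __name__ == "__main__":
    shopper = Customer("constructed-customer", {"laptop-1"})
    always_pass = lambda customer, reasons: True
    print(checkout(shopper, "laptop-1", 40, always_pass))   # known device, small order
    print(checkout(shopper, "phone-9", 40, always_pass))    # new device
    print(checkout(shopper, "phone-9", 40, always_pass))    # device now known
    print(checkout(shopper, "laptop-1", 900, always_pass))  # high-value order
```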
However, while merchants can force users to change their passwords if they are stolen, they cannot prevent them from being reused. Although MFA is currently the best available option in terms of security, it can only be used, and only be effective, with the consent of users, which means that the merchant must use persuasion to encourage its use. Given the risk of losing customers, an effective defence against attacks therefore relies on multilayered security. Indeed, while total prevention of e-commerce fraud is not a reality today, implementing these techniques together unquestionably improves protection. Malicious actors look for the easy way out: when these protection tools are in place, companies are no longer seen as easy prey, and the attackers move on to an easier target.
2020 marked a watershed for e-commerce. Merchants and customers have tailored their shopping practices to online sales, establishing a new consumer norm that is expected to last beyond the pandemic. This creates opportunities for criminals to use consumer identities for malicious purposes. For this reason, simply relying on a traditional login solution is no longer an option for merchants. Striking the right balance between user identity verification and providing an optimal customer experience will be one of the challenges of future e-commerce, and will play a key role in building customer loyalty.