Retailers lack ability to identify and prevent ATAs
New research from Riskified shows the extent to which retailers are vulnerable to account takeover attacks.
A survey of 1,000 UK consumers and 121 e-commerce professionals found that 20% of the former have had one of their online shopping accounts accessed without permission in the last year alone.
26% of retailers admit that they don’t have any measures in place to prevent account takeover attacks. On top of this, 52% think online fraud will increase because of the coronavirus outbreak.
Purchases made using compromised store accounts are hard for retailers to detect, because they look like they are made by legitimate returning customers. For instance, 23% of retailers say they can’t identify an account takeover attack (ATA) during a purchase, and 8% are not even aware that an account takeover (ATO) has occurred unless a customer contacts them. Just 4% of consumers learned their accounts were compromised from the retailers.
51% of customers would likely stop buying from a retailer if their account was compromised. 52% of customers would delete their account. 37% would go to a competitor. 34% would tell their friends to stop shopping with the retailer.
44% of the retailers surveyed use two-factor authentication for login attempts. Many also require complex passwords to increase security, with 79% reporting that account passwords must contain a mix of characters, numbers, symbols and uppercase and lowercase letters.
This can help security, Riskified says, but it also increases friction and does little for customers who reuse passwords, meaning that store accounts are at risk through data breaches on other sites. 48% of customers admit to using the same password for two or more online stores.
Assaf Feldman, Riskified’s Co-founder and Chief Technical Officer, says: “Without a dynamic approach that evaluates all relevant data, retailers risk significant financial losses, frustrated customers and damaged brand reputations.”
“Advanced machine learning solutions can instantly recognise legitimate customers and ease their path to checkout. Suspicious actions can be verified or blocked to minimise damage. By doing so, merchants maximise revenue while giving their customers a great experience.”