Ensuring security in the online shopping world can be a tricky business for ecommerce retailers, with a sizeable minority not being prepared for account takeover attacks and equally as many customers willing to walk away if they suffer from one.
This was revealed by payments and fraud-prevention solutions provider Riskified, which announced these insights, among others, in a survey detailing the effect of account takeover attacks on ecommerce merchants and customers. The research revealed that over a quarter of ecommerce retailers are not prepared for an account takeover attack, and that two in three customers would stop shopping at the online retailer if they suffered such an attack.
Account takeover attacks, also known as ATO attacks, occur when a bad actor gains access to a legitimate consumer ecommerce account, obtaining full control in order to use it for fraudulent purposes. These data breaches are carried out using a variety of methods, including credential stuffing and login attempts using known username and password combinations.
Consequences can be severe for both the account holder and the online retailer, and can include identity theft for the former and a loss of reputation and business for the latter.
Key takeaways for ecommerce platforms
Riskified’s survey revealed not only the prevalence of account takeover attacks across the internet, but also the lack of knowledge and preparedness on the part of many online retail vendors.
According to the study, over a quarter of ecommerce vendors (27%) admit that they would not be prepared if they were to be struck by an account takeover attack. A full two-thirds (66%) expressed grave concern about such attacks, with more than one in three (35%) reporting that more than 10% of their total accounts had been taken over in the past 12 months.
The results of the study also hint at a degree of obliviousness about account takeover attacks among ecommerce retailers, in spite of their prevalence. Interestingly enough, for example, as many as a quarter (24%) of ecommerce retailers claim that they are unable to identify account takeover attacks at all, with one in every six (14%) going so far as to say that they would be unaware of an account takeover attack unless a customer were to notify them after having fallen victim to one.
Key takeaways for ecommerce customers
Ecommerce customers are a rapidly growing consumer base for whom the prevalence of account takeover attacks should be concerning.
About seven in every ten (69%) of consumer respondents report concern that their account could be hacked, with a sizeable two-thirds (65%) asserting that they would stop shopping at an online retailer altogether if their account were to actually be hacked.
Should this occur, according to the report, customers respond in a wide variety of different ways, with more than half (54%) choosing to delete their breached accounts, one-fifth (39%) opting to shop at a competitor, and almost a third (30%) even going so far as to recommend that their friends stop shopping with the retailer.
Somewhat shockingly, the Riskified researchers also revealed that a mere 7.5% of consumers who fall victim to account takeover attacks learn the news of the breach from the retailer. According to the report, the remainder only find out about the attack when they notice changes to their accounts, or when they see that unauthorized purchases have been made.
Account takeover attacks a challenge among many
With more and more of the world beginning to shop online—particularly in light of the ongoing circumstances surrounding the COVID-19 pandemic—the risk and prevalence associated with ATO attacks is as pressing today as it has ever been in the past.
“Our survey shows that merchants are aware of and concerned with ATO attacks, but they usually lack the ability to identify and prevent them,” explained Assaf Feldman, Riskified’s co-founder and CTO.
According to him, without a dynamic approach that strives to balance all the relevant data, online vendors risk “significant financial losses, frustrated customers and damaged brand reputations”. Given that solutions to prevent ATO attacks are within reach, Feldman noted, vendors should be doing more to prepare, and to better respond to their customers when things do go wrong.
One such way to make ecommerce accounts more secure and to reduce the risk of suffering from data breaches is to implement multi-factor authentication methods. According to Feldman, fraud prevention solutions can be even more effective when combined with artificial intelligence and machine learning technology.
“Advanced machine learning solutions can instantly recognize legitimate customers and ease their path to checkout,” he said. “Suspicious actions can be verified or blocked to minimize damage. By doing so, merchants maximize revenue while giving their customers a great experience.”