Security has always been a hot topic on the retail agenda, but the rise of m-commerce has triggered new concerns among businesses. But is clamping down on cyber crime criminalising consumers? asks Tony Larks, Director of Research and Communications at ThreatMetrix.
In 2014, European mobile spending hit £20 billion – almost £8 billion of that coming from the UK alone – an incredible result, considering it was less than £3 billion three years ago. In fact, 25% of all online transactions now come from mobile devices. But as the saying goes, there’s no gain without pain.
For retailers with a mobile presence, this pain has come in the form of customer authentication. Smartphone and tablet devices are harder to trace and secure, due to the nomadic nature of their location.
Not only that, but cybercriminals are constantly looking for new targets to exploit – and the mobile opportunity is red hot right now. High-profile security breaches such as April 2014’s Heartbleed bug, which left around half a million secure web servers vulnerable to attack, have led to retailers seeking more stringent ways to identify who is using their mobile channels and why.
Where have my customers gone?
However, it’s not just the threat of fraudulent activity that retailers are concerned about. Suddenly loyal shoppers who have been interacting with their brand for years through their verified laptop or desktop portal have begun shopping through new, unrecognised mobile devices. Effectively, this means many of them have ‘disappeared’ overnight, becoming – in the eyes of the retailer’s security system – an unknown entity.
The consumer doesn’t realise this, though, and expects to continue shopping with their favourite brands in the manner they’ve become accustomed to. They are therefore much more likely to be deterred from making a purchase when faced with complex security protocols, unlike the minimal requirements they have to comply with on familiar devices.
When does a criminal look like a customer?
This situation leaves retailers with a dilemma: do we have tight security regulations, and risk turning away high value customers, or do we relax authentication processes and increase our vulnerability to fraud attacks?
To add to the problem, cybercriminals are becoming more sophisticated at creating online personas that look like genuine shoppers. Today, there are over 83 million fake Facebook accounts, while professional software exists to help fraudsters create convincing email accounts via Hotmail, Yahoo, Outlook and the like.
By mimicking natural behaviour patterns, these phishers, malwarers and men-in-the-middle are being treated like real customers. On the other hand, authentic shoppers whose behaviour patterns may look suspicious to current verification systems – such as privacy-conscious tech users who regularly clear cookies, or business travellers who log on from irregular locations at inconsistent times of day – may be turned away for suspicious activity.
How can I separate customers from criminals?
Retailers are aware that user identification is crucial to online security – 98% of fraud prevention is down to better customer authentication – however, what they don’t realise is their current systems are making verification an inconvenient, unfriendly process.
The main issue with many of today’s systems is that they rely on consumers proving who they are at the point of purchase, whereas retailers should be creating better buying experiences by making it easier for consumers to identify themselves from the outset.
Instead of looking at shoppers as a series of patterns, retailers need to treat them like what they (supposedly) are: people. If they know who customers are based on real personas, they have a more accurate measure of the risk of doing business with them.
Achieving this means determining key information like who and where they are, what device they are using and what they were doing last time they connected. This relies on retailers adopting a single platform that provides comprehensive context-based authentication and persona recognition.
With a single, multi-factor solution, retailers can not only discover suspicious activity before the checkout – such as multiple login requests or password sharing attempts – but also rely on a system that is better optimised to verify activity across all devices, including smartphones and tablets.
How can improving mCommerce authentication benefit my business?
The benefits of moving away from traditional verification solutions to contextual authentication are tangible; ThreatMetrix has found that customers using our solutions have seen a 70% reduction in false positives – customers wrongly identified as criminals – and a 50% decrease in fraud loss.
Not only that, but the smoother identification process has positive gains – on average, basket abandonment rates fell 50% after transitioning to persona recognition.
Of course, improving security is not just a story of hard facts and figures. More importantly, it protects retailers’ reputations, which cannot be repaired as quickly as financial losses can be recovered.
What multi-factor authentication solutions ensure is not just that businesses protect their customers today, but that their security solutions can evolve as consumer shopping patterns change – and continue to safeguard their personal data well into the future, no matter what (as yet unknown) device they are using.