The Supply Side: Cyberattack risk on consumer accounts rises as online shopping soars

Two of three consumers who shop online said they would stop buying from retailers if their accounts were compromised and more than half (54%) would delete their accounts.

The results are according to a marketing survey by cybersecurity firm Riskified. It was completed during the COVID-19 outbreak as more consumers were making purchases online. Target reported online sales more than doubled in the first quarter, and Walmart grew U.S. online sales by 74% in its first quarter.

Additional insights showed 39% of respondents would go to a competitor in the event of an account breach, and one in three would tell friends to stop shopping with a retailer.

“Our survey shows that merchants are aware of and concerned with account takeover attacks, but they usually lack the ability to identify and prevent them,” said Assaf Feldman, Riskified’s co-founder and chief technical officer. “Without a dynamic approach that evaluates all relevant data, merchants risk significant financial losses, frustrated customers and damaged brand reputations.”

The survey also polled 425 retail merchants and found while there has been plenty of ink spilled in recent years from cybersecurity breaches and account takeover attacks, 27% reported they don’t have measures in place to prevent the attacks. Another 35% of merchants reported at least 10% of their accounts have been breached in the last year.

Feldman said account takeover attacks happen when a bad actor gains access to a legitimate customer’s account. What often happens next is chargebacks by the merchant. But fraudsters love account takeover attacks because they are difficult to stop, he said.

Feldman said after an account is compromised, the merchant can do nothing with their business because the fraudster has accessed the account and may be using store data to place orders, all while the retail merchant has no idea this is happening.

Of the customers who have been victims of account takeover attacks, only 7.5% said they were contacted about the breach from the retail merchant. The rest learned about it from their credit card company (36.3%), received an order confirmation (26.3%), saw the unauthorized purchase on their account (16.9%), or had their account details or password changed (13.1%).

Feldman said this creates a “really bad customer experience,” and that’s why the majority will stop doing business with the retail merchant. The costs can be huge for retailers as 83% of customers said they have accounts on individual sites for shopping. Three-quarters of them said they do most of their online shopping with retailers where they have accounts. There is also a loyalty level among consumers with 42% saying they shop more frequently at online stores where they have accounts.

He said more than 67% of merchants surveyed said at least half of their orders come from customers with online accounts. More than half (58%) of merchants said account holders spend more per purchase than customers who use guest checkout. Roughly 60% said account holders purchase more frequently than consumers who use guest checkout.

Feldman said because account takeover attacks require only login and stolen passwords, merchants have less data with which to evaluate the action, making detection and prevention difficult. The survey found merchants are failing to do so as 24% said they can’t identify a breach during purchase and 14% said they are not even aware a breach has occurred unless the customer contacts them.

Feldman said retailers that take steps to reduce account takeover attacks also risk hurting the customer experience. He said the most common way to prevent an attack is requiring two-factor authentication for login attempts (62%), which can frustrate legitimate customers and increase cart abandonment.

Many merchants also require complex passwords to increase security, with (73%) reporting that account passwords must contain a mix of characters, numbers, symbols and uppercase and lowercase letters. Feldman said this can help security, but it also increases friction and does little for customers who reuse passwords, meaning store accounts are at risk through data breaches on other sites.

“That’s a real concern, as 47% of customers admit to using the same password for two or more online stores,” Feldman said.

He said using advanced machine learning solutions is one-way retailers can help to mitigate the risks of security breaches in customer accounts. Feldman said advanced machine learning can instantly recognize legitimate customers and ease their path to checkout.

“Suspicious actions can be verified or blocked to minimize damage. By doing so, merchants maximize revenue while giving their customers a great experience,” he said.

Riskified said retailers annually lose billions of dollars to legacy fraud solutions, payment failures, high friction verification methods. The cyberattack experienced by Target in 2013 cost that retailer more than $300 million, and Home Depot’s data breach in 2014 cost more than $179 million. In November 2019, Macy’s e-commerce site was hacked by a third-party, embedding malicious code into Macy’s online checkout page.

A skimming code was also placed on Macy’s Wallet page, used by account holders to store payment credentials. The malware gathered names, full addresses, phone numbers, email addresses, payment card numbers, card security codes and payment expiration dates of shoppers who made purchases through the Macy’s website.

Feldman said retailers can mitigate the risks of account takeover attacks by using Riskified’s machine-learning solutions that recognize legitimate customers and keep them moving forward.

Editor’s note: The Supply Side section of Talk Business & Politics focuses on the companies, organizations, issues and individuals engaged in providing products and services to retailers. The Supply Side is managed by Talk Business & Politics and sponsored by Propak Logistics.