How to Mitigate Fraud with the Customer Account


While sitting here writing this article, I was able to buy groceries, my mom’s birthday present, a dress for an event later this week, and a new vacuum cleaner. Ten years ago, accomplishing that much in the middle of a workday was unheard of (unless you were having a “sick day”). However, with retailers like Amazon always available to fulfill your needs, you can buy just about anything at any time without much effort. And why is purchasing through Amazon so effortless? They start with the experience at account creation.

The average U.S. email address is associated with 130 accounts, which means consumers are ready and willing to create accounts with sites they regularly frequent. There are many benefits to having these accounts: receiving promotions, saving payment information, even getting suggestions for future purchases based on browsing history. There is no better way for a retailer to get to know the customer and provide them an optimal buying experience than through an account. Unfortunately, fraudsters also know this to be true.

There are two main ways in which a fraudster can exploit the consumer-retailer account relationship.

1. Account Takeover (ATO): With millions of consumers caught up in recent data breaches, an exposed email/password combination often results in a compromised account at another retailer.
2. Synthetic ID: Understanding that consumers often get priority treatment when purchasing through an account, fraudsters will create what may look like a good account in order to utilize it for as much personal gain as possible, before a retailer gets wind and shuts it down.

How do companies handle the delicate balance between a great customer experience and risk mitigation at the point of account creation and log-in?

Account Opening
Most merchants want to create as little friction as possible at account creation, asking for only the most necessary information. At this stage, they usually collect name, email address, IP address, device ID, and perhaps behavioral data. Validating and verifying that data, and checking it against third-party networks, lets a merchant decide whether an account appears low risk or whether a progressive sign-up flow is warranted. At that point, merchants may choose to request more information (such as phone number or physical address) or require two-factor authentication to ensure the account opener is who they say they are.

Account takeover fraud (ATO) rates, especially via mobile devices, have skyrocketed in recent years, costing businesses billions of dollars. Managing this threat, in which a bad actor takes control of a customer's account to make fraudulent purchases, presents a great challenge to both the customer and the merchant. Following an attack, the merchant, who has consistently seen good behavior from a customer, can be caught off guard by a sudden chargeback. And the victimized customer, who shops frequently with this merchant, no longer trusts that they are in safe hands. Risk assessment at account creation helps the merchant minimize friction while not losing sight of nefarious players.

Account Modification
Risk assessment shouldn't stop at account creation; it should be part of the whole lifecycle of the account. With any modification that takes place, merchants should use relevant data from across the ecosystem to reduce friction while continuously keeping the risk of fraud low. In a world where fraudsters are increasingly sophisticated at recreating customer identities, data from multiple sources can help find unique markers that identify the actual human behind a digital identity. Whether they change the shipping address to receive the physical goods, change the email address to keep the real consumer from receiving your confirmation, or suddenly appear from a new device ID, there is a signal that this might be account takeover. Merchants can build identity verification into their models to monitor changes in behavior and avoid not only a loss of goods but, more importantly, a loss of the customer's trust.
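As an added illustration (not Ekata's code or any merchant's production logic), the Python below sketches a rule-based version of the progressive flow the two sections above describe: it scores the signals available at account opening and the modifications named as takeover markers, then maps the total to a friction level. The field names, the enrichment attributes (email age, phone line type), the weights and the thresholds are all assumptions.

```python
from dataclasses import dataclass
from typing import Optional
# Friction levels the flow can escalate through, least to most.
ALLOW, REQUEST_MORE_INFO, REQUIRE_2FA, MANUAL_REVIEW = (
    "allow", "request_more_info", "require_2fa", "manual_review")
# Assumed weights and thresholds; a merchant would tune these from outcomes.
WEIGHTS = {"new_email": 1, "nonfixed_voip_phone": 3, "geo_mismatch": 2,
           "shipping_address_changed": 2, "email_changed": 3,
           "device_id_changed": 2, "phone_changed": 2}
WATCHED_FIELDS = ("shipping_address", "email", "device_id", "phone")

@dataclass(frozen=True)
class AccountSnapshot:
    """Account data at one point in time; the enrichment fields are constructed."""
    email: str
    device_id: str
    shipping_address: str
    phone: Optional[str] = None
    email_age_days: int = 0                 # from an identity-data provider (assumed)
    phone_line_type: Optional[str] = None   # "mobile", "landline", "nonfixed_voip"
    ip_country: str = "US"
    address_country: str = "US"

def opening_signals(acct: AccountSnapshot) -> list[str]:
    """Risk signals that can be evaluated with account-creation data alone."""
    signals = []
    if acct.email_age_days < 30:
        signals.append("new_email")
    if acct.phone_line_type == "nonfixed_voip":   # free, disposable numbers
        signals.append("nonfixed_voip_phone")
    if acct.ip_country != acct.address_country:
        signals.append("geo_mismatch")
    return signals

def change_signals(before: AccountSnapshot, after: AccountSnapshot) -> list[str]:
    """Modifications the article names as possible account-takeover markers."""
    return [f"{f}_changed" for f in WATCHED_FIELDS
            if getattr(before, f) != getattr(after, f)]

def step_up(signals: list[str]) -> str:
    """Map accumulated signal weight to the next friction level."""
    score = sum(WEIGHTS.get(s, 0) for s in signals)
    if score == 0:
        return ALLOW
    if score <= 2:
        return REQUEST_MORE_INFO   # e.g. ask for phone number or address
    if score <= 4:
        return REQUIRE_2FA
    return MANUAL_REVIEW
```

The same `step_up` function serves both the sign-up path and the modification path, so a long-standing account that suddenly changes its shipping address and device gets the same 2FA challenge a risky new sign-up would.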

Machine Learning and Customer Trust
Sourcing identity verification data is only part of the challenge. Even after security and privacy needs are met, the more significant struggle is putting this data to good use across the ecosystem. Machine learning (ML) modeling can help assess risk. The unique needs of proactive, real-time fraud detection, including large and diverse data sets, real-time decisions, and continuous learning cycles, make the account ecosystem a good candidate for ML modeling. We observe it in practice: our customers that use ML models realize disproportionately higher benefits than those who rely only on rule-based systems.

Understanding the customer's context is the way to drive a better user experience, and an excellent user experience in turn drives consumer trust. To build a better online experience, you need to understand the context that brings consumers to your platform. There is no silver bullet for this, and the context keeps changing even within a single customer's journey, which is where proactive fraud prevention across the account lifecycle can help merchants establish and maintain customer trust.

Katie McGinn
Katie McGinn is the Head of eCommerce Practice at Ekata. She has worked with Ekata (formerly Whitepages Pro) for the past 5 years, helping top merchants in the eCommerce space leverage global identity verification data in everything from machine learning to manual review. Katie also serves on the Merchant Risk Council Conference Committee.


  1. Hi Katie: thanks for this article. From what you have described, businesses face a conundrum: whether to mitigate fraud risk by adding ‘friction’ to the intake (i.e. account capture) process, or making it drop-dead easy for customers to buy. Both pathways carry their own inherent risks, albeit different ones, for vendors and customers.

    My research has revealed that a common element in any fraud is a usurpation of trust. In the physical world, this involves mimicking signals such as eye contact, representing a recognizable office location or through other symbols. In the online world, the mimicking takes on other forms, including copying logos and brand messages, and conveying authority. In both situations, the outcome is the same: the customer lets down his or her guard, which is the fraudster’s tactical objective. When that happens, the commission of fraud becomes likelier.

    I’m interested in learning your thoughts about a potential antidote that could mitigate some risks, although I’ve rarely seen it used: rather than stamping out fraud fires as they occur, vendors manage the threats at the beginning of the relationship or transaction. They could do this by extinguishing opportunities for fraudsters to hijack trust, such as alerting customers from the get-go that “we never send emails requesting you to submit immediate payment... We never request account numbers or alternate forms of payment via email... we never ask for the following identity information...” Letting customers know what to expect down the road itself builds trust, and repeating and reinforcing those messages at regular intervals serves as another way for vendors to let customers know that their information and financial safety is a mutual concern that is worth protecting.

  2. Thank you for your comment, Andrew! Yes, one way to mitigate risk would be to educate the customer what they can expect from the merchant and how to protect themselves from potential phishing accounts. However, there are more ways for a fraudster to get credentials beyond phishing, including massive data breaches. I think it would be wise for the merchant to take an even more proactive & behind the scenes approach.

    There is a balance between opening the flood gates or making it entirely too difficult at account opening. A merchant doesn’t want to prevent potential customers from opening an account with them, simply because there were too many steps. A great example of this would be signing up for a rideshare app.

    When you first create an account with a rideshare, they ask you for the bare minimum information – your phone number. They then send you a code via SMS that you enter, and then you are ready to ride. Oftentimes, as a first-time rider, you’ve received a promotion of $25 worth of free rides, with the assumption you will become a long-time customer afterwards. However, this is also a very attractive incentive for fraudsters.

    There is crucial information in that phone number that can help prevent this fraud. One can assume that riders are entering their mobile phone numbers, as they are almost always ordering a ride from their phone. However, they can also just as easily use a non-fixed VoIP phone number (Google Voice, Skype, etc.) to provide the same function. These numbers are free, fast and easy to generate, allowing a fraudster to essentially ride for free for as long as the promotion lasts. With information like this, the rideshare company can create a progressive sign-up flow, adding friction by asking for more information when the phone number looks risky. This progressive sign-up flow is the balance between making account creation simple for potential customers, and more challenging for those who are showing signs of risk.

    Now, another thing to consider is account takeover of a trusted customer. A fraudster who has taken over a good account will always change something – shipping address, phone number, email address, device ID. A merchant should continue assessing the health of the account by continuing to perform risk assessment when these data points change. Again, friction can be added anytime something changes. Amazon does this to me anytime I add a new shipping address or change my payment method. And they have done this without compromising the ease of purchasing.
