By Doriel Abrahams, Principal Technologist
Consumer accounts are under attack more than ever, increasing every year. The availability of credentials for sale on the most popular stealers markets increased by 145% between 2022 and 2023. Bots have made credential stuffing and password spraying easy on a vast scale. And now, generative AI is making those attacks even easier.
All this makes many teams wary of expanding the features and benefits connected to accounts. This can cause friction with growth-focused teams and limit how a company can encourage increased engagement with its brand.
But it doesn’t have to be that way. As I’ve learned, account protection is possible — and can be a real business asset and a fraud prevention essential.
With Accounts, Success = Threat
What makes finding the right balance between account protection and expansion for customer use tricky is that, in a way, success leads directly to increased threats. The features that customers love in their accounts with their favorite online stores and apps are precisely those that make the accounts more attractive to fraudsters.
Giving customers the option of saving a payment method or storing funds in the account — often a very popular feature — makes future purchases so easy that your users don’t need to give it a second thought and gives them a sense of investment in their account. The flip side, unfortunately, is that fraudsters now have easy access to customer funds.
For the company and its fraud fighters, what this means is that your accounts are now vastly more lucrative and tempting to fraudsters because they represent easy money. And word gets around the criminal ecosystem fast — you’ll likely see an uptick in attacks quickly, possibly even before most consumers know about the new feature.
Generative AI & Bots
You don’t need to be comfortable with coding to use ChatGPT and other generative AI models, which opens up new avenues of speed and efficiency for fraudsters (as well as respectable professionals). I’ve mentioned before some of the testing I’ve done with ChatGPT to see how much easier it makes the minor details of fraud attacks.
Generative AI is even more of a level-up for fraudsters with some basic coding skills. If script kiddies have been an irritating thorn in fraud fighters’ sides for years, now think about script kiddies with ChatGPT to finish their sentences, find their bugs for them, and suggest improvements. All this is without even discussing the uses we’ve already seen for creating malicious software and aiding social engineering.
For now, it’s early days, and fraudsters and fraud fighters alike are exploring the impact and potential of these new tools, but there’s no denying that all this increases the pressure on account protection. Even when you’re only considering the possible risks for a new feature, there’s so much to consider. All within the context of the steadily increasing threat of ATO.
Creating Uplift Potential
Fraud fighters do not run a cost center for their business. Fraud fighting is part of revenue optimization. If you think about it, that defines the role — finding the optimal balance between risk prevention and conversions/customer experience. Revenue optimization.
Strong account protection has a vital role to play. From what we see at Forter, 58% of merchants want to increase the features available via accounts if they can be confident that the accounts are protected from fraudsters. Here are just some examples of account features we’ve seen our retailers enthusiastically adding once they feel able to do so responsibly:
- Extending login sessions (reduced friction)
- Expanding the use and flexibility of loyalty points (increased engagement and stickiness)
- Storing payment methods in the account (reduced friction and abandonment)
- Adding omnichannel features so that customers can use their account even when they’re shopping in-store (increased options and engagement)
- Storing funds in the account (merchant pays less in processing fees)
Fraud departments who invest in account protection can come to discussions about features like these and expand customer engagement with a positive attitude that builds trust and appreciation at all levels of the organization. I’ve seen the huge impact that can have over time on the perception of the department in the company.
Protect Accounts Across the Customer Journey
Forter’s CISO, Gunnar Peterson, recently shared his thoughts on some powerful components in protecting accounts. He points out that the mindset needed in today’s dynamic online environment is to assume that your customer’s account information has either been compromised or will be soon. So, you need both a “detect” and “protect” mindset. I couldn’t agree more.
Account protection must infuse every aspect of a user’s interaction with your site or app — protecting login or checkout isn’t enough. A mindset of detection involves continual analysis of every aspect of activity a customer can engage in and ensuring that anomalies are flagged and acted on.
It’s a natural extension of the protective work fraud fighters already do. Those willing to invest a little to take their account protection to the level already reached at checkout will open up new value for their accounts, customers, and companies. And here’s the other thing, which I personally find irresistible: Since you know more about your customers, it even makes stopping fraud easier, too!
Doriel Abrahams is the Principal Technologist at Forter, where he monitors emerging trends in the fight against fraudsters, including new fraud rings, attacker MOs, rising technologies, etc. His mission is to provide digital commerce leaders with the latest risk intel so they can adapt and get ahead of what’s to come.