Analysis: Can vendors balance convenience with security?
In a world where the threat from cyber criminals seems to be growing, online retailers are in the front line for attacks.
The industry, disrupted as heavily as any industry has been by the advent of the internet, is facing twin pressures: making the customer experience as smooth and as easy as possible while protecting the information that the customers have to use.
This picture is not unique to retail, of course. Recent research from ThreatMetrix found that fraudulent transactions and cybercriminal activity specifically targeting the financial industry increased 40 percent in the 12 months to February 2016.
But to a greater extent than financial services, retailers need to keep customers onside. If a financial transaction is onerous, it is usually a necessity so the customer will complete it anyway. When buying a product is involved, a customer may simply lose interest.
The attacks could come in many forms; ThreatMetrix noted the growth of botnets in recent months, which repeatedly hit websites with automated attacks in the hopes of stumbling upon the password. An attack could also come through obtaining user credentials from another source and trying them on several different sites: how many people use the same password and email for Amazon as for less secure sites?
The threat is not theoretical. The British Retail Consortium (BRC)’s Retail Crime Survey 2014 found that fraud increased 12 percent in 2013 to 2014, with 135,814 incidents reported. The 2015 report saw fraud increasing 55 percent from 2014 to 2015.
In 2015, the report says, crimes of fraud reported in the survey increased from 136,000 to 210,000, while the retail industry experienced approximately 640,000 incidents of fraud compared to 520,000 in 2014.
24 percent of the retailers questioned said fraud would be the most significant threat over the next two years.
Most retailers had been the victim of some kind of cyber attack, with respondents saying that the number of cyber security breaches suffered by their business is increasing or remaining the same.
65 percent in the BRC report felt that their business was in a ‘good to excellent’ position to deal with cyber attacks.
However, data requested by the Financial Times from UpGuard, which gives companies a rating from zero to 950 based on the basic security protections that appear to be in place from the outside, did not support this.
Companies that scored highly included Aldi UK, Amazon.co.uk and Morrison’s, with scores of 846, 789 and 741 respectively. At the lower end of the scale were Matalan, Waitrose and Tesco with scores of 352, 399 and 409 respectively. George, H&M, M&S, Primark, New Look, Asda, Spar, Lidl and Next all had scores under 510.
Several of the companies responded to the FT’s request for comment, with most explaining either that the research had not taken into account the full extent of their website or that the functions of their website did not require any additional security.
However, it does shed light on the importance of websites taking a proactive approach to security.
Increasingly, automated platforms using behavioural analytics are being used by retailers to vet transactions and ensure they are valid.
This removes the trade-off between security and convenience by turning the customer’s contextual information into an authentication method.
"All of our clients are trying to find the right balance between protecting customers and protecting privacy," says Mark Collingwood, Managing Director Growth Industries at FICO. "People want to buy anytime and anywhere."
The company, whose founders came up with the idea of credit card scores, provides solutions that help companies battle online fraud.
One of its customers is Shop Direct, which as a pure-play online retailer needs to nail the online security problem.
Shop Direct uses an enterprise fraud management solution, built using the FICO Decision Management Suite, that monitors online purchases across the group’s retail sites: Very.co.uk, Littlewoods.com and VeryExclusive.co.uk.
The solution scores every transaction in real time, comparing the multiple facets of the transaction against the customer’s profile to detect unusual patterns.
"In implementing our original solution we needed FICO to build two fraud models to even further improve our fraud detection rates and assist us in moving over existing rules into their service," says Neil Chandler, Shop Direct’s CEO Financial Services.
When the company moved to the new Blaze system, FICO took the existing rules, coded them for the new system and provided training to key staff. The two systems were run in parallel before switching over completely.
Chandler says that identity theft and impersonation are the biggest fraud challenge faced by the retail industry.
"Being an online business means we need to have the right tools in place to detect these types of frauds quickly," he explains. "Fraudsters are always looking at new ways to exploit any weaknesses in our systems, so we need to be prepared."
The use of live analytics, according to Chandler, is required since live threats are constantly evolving.
"Shop Direct wants to provide an optimal service and want to be able to deliver next day and as this explosion takes place the demands on the organisation become harder to carry," says Collingwood.
The solution uses a wide range of data, such as the details of previous purchases. The data used is whatever is available to the client, with some clients allowing customers to opt into revealing their location as a security measure.
We should expect customer data to become a more and more important tool in retailers’ fight against fraud.