By Alisdair Faulkner, ThreatMetrix
According to the National Retail Federation (NRF), 2013 holiday retail sales increased 3.8% over 2012, for a total of $601.8 billion. With the NRF and industry insiders predicting even more robust growth this year, retailers will be prime targets for cybercriminals during the 2014 holiday shopping season.
But here’s the catch: To properly protect their companies from the latest cyber threats, retailers need to improve their holiday season security systems in ways that won’t damage the user experience for legitimate customers.
Cyber Threats And The 2014 Holiday Season
Ready or not, the holiday shopping season will arrive early this year, with many retailers once again launching holiday sale promotions before Thanksgiving. This year, retailers and consumers will also experience another short holiday shopping season, since there are less than four weeks between Black Friday and Christmas.
As we approach the 2014 holiday retail season, there are several factors that will impact e-Commerce security:
- An abbreviated selling season and aggressive holiday promotions mean that eTailers will experience an incredibly large volume of transactions in a short period of time. Since most online retailers lack the bandwidth to manually inspect every order, the industry will lean heavily on automated solutions to weed out fraudsters.
- Account takeover attacks are increasing. Weak passwords, password reuse and data breaches are making e-Commerce sites a prime target for monetizing stolen identities. As Apple now knows following the celebrity iCloud pictures leak, you don’t need to suffer from a network breach for your customers to blame you for their weak passwords. A number of retailers including Target and Office Max, as well as banks such as JP Morgan-Chase, have been breached recently, enabling fraudsters to leverage stolen identities and commit fraud more easily.
- Use of mobile is also increasing. More than 20% of payment transactions come from a mobile device and many companies are not ready for the differences in both device and user behavior that could inadvertently get good customers caught in the fraud net.
Retailers clearly need to ramp up their security strategies to protect their businesses and their customers from cyber fraud. But the question that relatively few retailers are asking may be the one that most seriously impacts annual revenue: how many good customers will get caught in the net of automated security systems this holiday season?
E-Commerce Security Trends And Strategies
More than ever, retailers need to develop strategies that improve online security without threatening the quality of the customer experience. For the 2014 holiday season, there are several trends and strategies that e-commerce providers need to consider:
- Mobile Holiday Shopping: Mobile traffic accounted for approximately one in five online sales during Q4 2013. Mobile sales are expected to increase even more this year, so eTailers need to be prepared to address mobile security risks. Across the board, retailers must resist the temptation to rush the development of mobile apps to meet holiday deadlines or give customers the ability to bypass security steps on mobile devices for the sake of convenience. These activities increase risk because they don’t adequately prioritize security. Finally, the rollout of Apple Pay and other mobile payment solutions means that brick-and-mortar retailers need to take extra precautions when dealing with these types of card-not-present transactions, since they will quickly become high-priority targets for cybercriminals.
- Username and Password Checkout: This year, many retailers will begin to implement username and password transactions, enabling customers to avoid entering their credit card information at checkout. For example, Visa Checkout allows customers to complete transactions with registered online retailers using a username and password connected to a secure backend system. Although the system leverages contextual information to rapidly verify the authenticity of the transaction, e-commerce providers that set up their own username and password system will have a difficult time separating friends from foes in-house. To improve security and protect the customer experience, eTailers should consider enlisting the assistance of a third-party automated identity and cyber threat intelligence provider.
- Cookies: Many shoppers now eliminate cookies from their devices on a weekly or monthly basis. Consequently, deleted cookies can no longer be used as a marker for suspicious transactions. To avoid creating unnecessary friction with good customers, online retailers should leverage cookieless device identification and a shared global intelligence network to evaluate shopper credibility and maintain system security.
- Europay-Mastercard-Visa (EMV): Retailers that do not adopt EMV global standard chip card payment systems by October 2015 will be held financially liable for fraud losses. Although EMV technology is designed to reduce in-store fraud by eliminating outdated magnetic stripe technology, it will likely result in more cyber fraud activities. With merchants just starting to make the transition to EMV payment systems, e-Commerce providers need to evaluate their EMV-readiness and take steps to prepare for the 2015 deadline.
Ideally, the holiday retail season presents opportunities for online retailers to improve loyalty by dazzling new and existing customers with an exceptional customer experience. By carefully evaluating holiday season cyber threats and implementing the right security technologies, e-Commerce providers can protect the customer experience and do a much better job separating fraudsters from legitimate customers.
Alisdair Faulkner is a technology entrepreneur who has nearly two decades of experience building products and delivering mission-critical technologies that are run by the world’s most trusted brands. As chief products officer and co-founder at ThreatMetrix, he is responsible for product management and strategy. Prior to ThreatMetrix, Mr. Faulkner was a founder and head of products and business development for NetPriva, a leading network performance software provider, acquired by Expand Networks, now Riverbed. Alisdair holds a master of engineering degree in information technology and telecommunications from Adelaide University and a graduate diploma in applied finance from the Securities Institute Australia, and has authored several patents in the fields of security, fraud and networking.