Ecommerce companies have to balance two big ideas right now:
- A low-friction customer journey that turns into a high conversion rate; and
- A high-security marketplace that is compliant with government mandates.
This balancing act can feel like a typical schoolyard dilemma: Two kids on a seesaw, and maybe one of them — the high-security kid — is a little heavier than the other. They aren’t bouncing anywhere.
However, unlike the simple joy of a seesaw, this decision is much more complex and dynamic than an up-or-down binary. Even so, there are ways to satisfy both your security team and revenue team, provided you are able to leverage the correct tools inside your system.
Why Conversion and Security Aren’t Mutually Exclusive
Whether your ecommerce storefront is an omnichannel model like BOPIS or just a simple Shopify page, managing card-not-present payments is a persistent challenge. Inevitably, fraudsters will approach your marketplace and stress-test your systems, looking for vulnerabilities. Where they find them, suspicious chargebacks, account takeovers and bot attacks will follow in the gaps where your attack surface is weakest.
The common understanding is that in order to control fraud like this, layers of churn-inducing authentication need to be introduced into the customer journey. Particularly at a time when stores are rushing to offer customers a click-and-collect checkout option, security friction and checkout conversion are often positioned opposite one another.
Not true, though. Conversion and security can actually be friends. Most of the time they can play quietly together for an entire afternoon and you don’t even know they’re there.
This is achieved by implementing a fraud detection tool that provides a system of dynamic friction in the customer journey, only putting up layers of security when it seems necessary. By looking at the digital footprint of incoming traffic throughout the customer journey, fraud solution software can learn about users in your marketplace before they even reach the payment stage. This way, depending on your risk appetite, only customers who are scored above a certain danger threshold can be asked for more identifying information, while the majority of obviously authentic users can enjoy a smooth checkout.
Keeping Security Behind the Scenes
For the sake of user privacy, this is not an invasive process, either. Digital footprints often consist largely of Open Source INTelligence (OSINT) data, which is readily searchable on the public internet. Within that data, the first touch points to look at are a user’s IP address and the device they are using to connect, available as soon as they enter the website.
Before any information is actually provided by the user, the fraud software might become aware of things like:
- Whether the IP address has a poor reputation associated with fraud
- Whether the user is connecting via a VPN or Tor client
- A strangely high number of users at the same IP address
- A strangely high number of users using apparently the same device
- A device being emulated
Each one of these points (and more) may hide a characteristic associated with fraud, which the fraud software can then use to inform a risk score for that user, before any transaction has even begun.
At further touch points through the customer journey — opening an account, signing up for a newsletter, downloading an app — more information can be gathered before money enters the picture. Each data point the user submits — name, location, age, phone number, etc. — expands into more publicly available data that fraud software can then scrutinize.
For example, a reverse phone lookup, including a basic CNAM [Caller Name, a component of CallerID] or HLR [Home Location Register] lookup, will turn up the name of the number’s registered owner. It could also turn up a user’s social media accounts tied to the number. While a user’s public Facebook posts typically won’t be useful for fraud prevention, a phone number not associated with any social accounts is often a sign of a recently created profile, which could potentially point to a fraudster. Fraud software may also discover that a phone number is known to belong to a disposable “burner” or originates from a Voice over Internet Protocol (VoIP) service, which is even more suspicious.
By the time customers reach the checkout stage and provide their final data points (their payment info), many fraud solutions might have a pretty complete digital profile already and know whether or not to trust their payment based on the calculated risk score.
As every company’s books require different balancing, many fraud solutions offer customizable risk scoring, allowing you to decide what behavior poses the greatest threat and how risky a person can be before they are stopped for manual review or flat-out banned.
Throughout that process of scrutiny, the obviously authentic users who probably make up the majority of any customer base experience minimal friction from the time they arrive at the website to the time they convert into a sale. They may not even be aware they are passing through any security measures at all.
On the other end of the spectrum, fraudsters were red-flagged early, before any transaction could occur, potentially avoiding the multiplicatively expensive chargeback process from an instance of triangulation fraud or an account takeover.
In the middle, customers with a medium risk score have to provide a few more credentials, at worst a phone call or a two-factor authentication pop-up. That small amount of friction is the trade-off for using anonymizing tools like a VoIP phone number or a VPN. Because the friction is applied dynamically rather than to everyone, it also produces fewer false positives and so less customer frustration.
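To make the tiers described above concrete, here is an added example (not code from the article or from any vendor's product) of a dynamic-friction scorer that turns the pre-payment signals listed earlier (IP reputation, VPN/Tor, shared IP or device, emulation, VoIP or burner phone, missing social footprint) into a risk score and then into a checkout decision. All weights, limits and thresholds are constructed illustrations of a configurable risk appetite, not recommended values.

```python
from dataclasses import dataclass

@dataclass
class Signals:
    """Digital-footprint signals gathered before any payment data is submitted."""
    ip_bad_reputation: bool = False         # IP appears on an abuse/fraud reputation feed
    vpn_or_tor: bool = False                # session arrives through a VPN or Tor exit
    users_on_ip: int = 1                    # distinct accounts seen from this IP
    users_on_device: int = 1                # distinct accounts seen on this device fingerprint
    emulated_device: bool = False           # device looks like an emulator
    voip_or_burner_phone: bool = False      # phone number is VoIP or a known disposable
    phone_has_social_profiles: bool = True  # reverse lookup found at least one linked account

# Constructed limits and thresholds; a real deployment tunes these to its own risk appetite.
SHARED_IP_LIMIT = 20      # an office NAT or campus legitimately shares one IP
SHARED_DEVICE_LIMIT = 3   # a family tablet is fine; a dozen accounts on one device is not
THRESHOLDS = {"step_up": 30, "review": 60, "block": 85}

def risk_score(s: Signals) -> int:
    """Add the weight of every signal that fired; cap the result at 100."""
    rules = [
        (s.ip_bad_reputation, 40),
        (s.vpn_or_tor, 15),
        (s.users_on_ip > SHARED_IP_LIMIT, 10),
        (s.users_on_device > SHARED_DEVICE_LIMIT, 25),
        (s.emulated_device, 30),
        (s.voip_or_burner_phone, 20),
        (not s.phone_has_social_profiles, 10),
    ]
    return min(100, sum(weight for fired, weight in rules if fired))

def friction(score: int) -> str:
    """Map a score to the amount of friction the checkout applies to this user."""
    if score >= THRESHOLDS["block"]:
        return "block"
    if score >= THRESHOLDS["review"]:
        return "manual_review"
    if score >= THRESHOLDS["step_up"]:
        return "step_up_2fa"
    return "allow"

if __name__ == "__main__":
    # Three constructed visitors: a regular shopper, a privacy-conscious one, a likely fraudster.
    shopper = Signals()
    private = Signals(vpn_or_tor=True, voip_or_burner_phone=True)
    fraudster = Signals(ip_bad_reputation=True, emulated_device=True, users_on_device=12, phone_has_social_profiles=False)
    for name, s in [("shopper", shopper), ("private", private), ("fraudster", fraudster)]:
        print(f"{name}: score={risk_score(s)} -> {friction(risk_score(s))}")
```

The shopper sails through with no friction, the VPN-and-VoIP user is asked for a second factor, and the fraudster is blocked before any payment data is ever entered.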
Keeping the Sandbox Clean
Notably, creating the most conversion-efficient and secure environment of dynamic friction is not a magical process, and requires maintenance to maximize both confidence and ROI. As your company’s offerings diversify into profit-proven models that thrive in low-friction marketplaces, like a BOPIS click-and-collect model, or working with a BNPL provider, it’s important to be aware that each new arm comes with its own, potentially large attack surface.
Covering that attack surface with a security blanket of dynamic friction might seem drastic, but fraudsters will be looking for leaks to turn into floods, and without security, your bottom line might end up looking like a soggy diaper — and that means playtime is over.
Gergő Varga has been fighting online fraud since 2009 at various companies — even co-founding his own anti-fraud startup. He’s the author of the Fraud Prevention Guide for Dummies – SEON Special edition. He currently works as Content Evangelist at SEON, using his industry knowledge to keep marketing sharp, communicating between the different departments to understand what’s happening on the frontlines of fraud detection. He lives in Budapest, Hungary and is an avid reader of philosophy and history.