The E-commerce market has seen tremendous revenue growth during the pandemic. Along with that good news for E-business, there has been an increase in fraudulent activities online that may cost retailers over $20 billion in losses by the end of 2021. According to eMarketer, worldwide retail E-commerce sales posted a 27.6% year-over-year growth rate in 2020, with sales reaching well over $4 trillion. Experts predict E-commerce revenue will approach $5 trillion this year and reach $6.388 trillion by 2024. In the US, economists believe E-commerce will account for a record 18.9% of total holiday season retail sales. The holiday shopping season starts earlier every year and will be here before you know it. What are the main concerns that E-tailers should prepare to address now?
Online credit card skimming increases in popularity
Client-side attacks have emerged as a significant threat to e-commerce operations over the last few years. These attacks are also known as Magecart attacks, online skimming or formjacking. This type of attack involves injecting malicious JavaScript into first-party code or into the code of third-party services (the supply chain) used on legitimate websites. For example, an attacker can push a seemingly innocuous change carrying malicious code into a popular open source JavaScript library that is widely used across multiple websites, compromising the library and every site using it. Because the JavaScript executes on the client side, it lets the attacker collect sensitive personal information directly from the client each time a customer enters their information into a form. But it doesn’t end with exploiting checkout pages to steal credit card information; login pages can be abused in the same way to grab user credentials. Essentially, Magecart attacks optimize bot attacks by feeding them with stolen data to be used in credit card fraud and account takeover attacks. And because 65 percent of people reuse their passwords, attackers can gain access to multiple accounts of the same person. It’s important to understand that these are single-record data breaches which, because they are difficult to detect, usually continue over long periods of time. As such, the costs of a successful attack on a business are substantial, ranging from noncompliance fees levied under regulations such as PCI, GDPR and CCPA to reputational damage, legal fees and more.
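One defensive control against the supply-chain variant described above is to keep an inventory of every script a checkout page loads and to pin approved third-party scripts with Subresource Integrity. The following is an added example, not code from the original post or from Imperva; the checkout HTML, the approved-host list and the `shop.test` page host are all constructed.

```python
"""Inventory the <script> tags on a checkout page and flag the ones a skimmer
could ride in on: third-party hosts not on the approved list, and external
scripts without Subresource Integrity (SRI), which would let a tampered library
load unnoticed. Added example; the page HTML and allowlist are constructed."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allowlist: third-party hosts the security team has reviewed.
APPROVED_HOSTS = {"cdn.example-payments.test", "static.shop.test"}
# Constructed checkout page: one first-party script, two approved third-party
# scripts (only one pinned with SRI) and one host nobody approved.
CHECKOUT_HTML = """<html><body>
<form id="payment"><input name="card_number"><input name="cvv"></form>
<script src="/js/checkout.js"></script>
<script src="https://cdn.example-payments.test/sdk.js"
        integrity="sha384-PLACEHOLDER_DIGEST" crossorigin="anonymous"></script>
<script src="https://static.shop.test/analytics.js"></script>
<script src="https://unknown-cdn.test/t.js"></script>
</body></html>"""

class ScriptCollector(HTMLParser):
    """Record the src and integrity attribute of every <script> tag."""
    def __init__(self):
        super().__init__()
        self.scripts = []
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            a = dict(attrs)
            self.scripts.append((a.get("src"), a.get("integrity")))

def audit_scripts(html, page_host, approved_hosts):
    """Return (severity, reason, src) findings for scripts that need attention."""
    collector = ScriptCollector()
    collector.feed(html)
    findings = []
    for src, integrity in collector.scripts:
        if src is None:
            continue                     # inline scripts are not inventoried here
        host = urlparse(src).hostname or page_host   # relative src => first-party
        if host == page_host:
            continue                     # first-party code: covered by code review
        if host not in approved_hosts:
            findings.append(("high", "script from unapproved host", src))
        elif not integrity:
            findings.append(("medium", "approved script without SRI pin", src))
    return findings

if __name__ == "__main__":
    for finding in audit_scripts(CHECKOUT_HTML, "shop.test", APPROVED_HOSTS):
        print(*finding)
```

SRI pins one exact file digest, so it suits versioned libraries; a vendor script that changes in place will stop loading until the digest is updated, which is itself a useful signal that the third-party code changed.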
Account takeover fraud is a growing concern
Account Takeover (ATO) is a form of identity theft in which a bad actor gains unauthorized access to an account belonging to someone else. Alarmingly, despite the name suggesting a complex break-in, this isn’t quite the case. Many of these attacks do not require much technical expertise. Instead, they rely on capturing leaked credentials online and using automated web browsers to test these against login pages at scale. This is usually achieved through credential stuffing attacks, in which bots perform mass login attempts in order to verify which stolen username and password pairs are still valid. According to Imperva’s Threat Research Labs, online retailers experienced more than twice as many ATO attempts as all other sectors in 2020. Saved credit card information, gift card balances, loyalty points and other customer benefits make E-commerce a ripe target. Brand damage, revenue loss, chargebacks and increased customer support costs are just a few of the implications of a successful account takeover attack on an online retailer.
Credit card fraud and chargeback fees
Carding is a good example of a bot attack that is optimized by Magecart attacks. It is an automated threat carried out by bots, in which attackers use multiple, parallel attempts to authorize stolen credit card numbers on websites that have checkout forms. The goal of carding attacks is to identify which card numbers or details can be used to perform purchases. Recently, one million stolen credit card numbers were leaked on hacking forums in an attempt to promote a new criminal carding marketplace. The ramifications for online businesses, especially online retailers, are significant. In addition to the damage done to owners of stolen credit cards, carding attacks negatively affect businesses whose websites are used to authorize stolen credit cards. This is a result of chargebacks: disputed transactions that the merchant reverses, refunding the purchaser’s money. While chargebacks can happen for legitimate reasons, they are very often the result of fraudulent techniques like carding. They hurt the business’ reputation with the credit card processors and may lead to a poor merchant history and chargeback penalties.
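Credential stuffing (previous section) and carding (this section) leave the same trace in application logs: one source trying many distinct accounts or card numbers in a short window, with almost every attempt rejected. The detector below, an added example that is not code from the original post or from Imperva, runs one sliding-window rule over both event types; the log format, the IP addresses and the card tokens are constructed.

```python
"""Flag the shared signature of credential stuffing and carding: one source trying
many distinct accounts or cards in a short window, almost all rejected. Added
example; the log lines below are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed log: "<ISO time> <source IP> <event> <subject> <outcome>"; the
# subject is a username for login events and a card token for card_auth events.
SAMPLE_LOG = """
2021-10-01T12:00:01 203.0.113.10 login alice fail
2021-10-01T12:00:03 203.0.113.10 login bob fail
2021-10-01T12:00:05 203.0.113.10 login carol fail
2021-10-01T12:00:07 203.0.113.10 login dave ok
2021-10-01T12:00:09 203.0.113.10 login erin fail
2021-10-01T12:01:00 198.51.100.7 login grace ok
2021-10-01T12:02:00 203.0.113.22 card_auth tok_a declined
2021-10-01T12:02:02 203.0.113.22 card_auth tok_b declined
2021-10-01T12:02:04 203.0.113.22 card_auth tok_c declined
2021-10-01T12:02:06 203.0.113.22 card_auth tok_d declined
2021-10-01T12:02:08 203.0.113.22 card_auth tok_e declined
""".strip().splitlines()
SUCCESS = {"ok", "approved"}   # any other outcome counts as a rejected attempt

def detect_automated_abuse(events, event_type, window=timedelta(minutes=5),
                           min_subjects=5, min_fail_ratio=0.8):
    """Slide a time window over each source IP's events of one type; flag the IP
    once distinct subjects and failure ratio both reach the thresholds."""
    by_ip = defaultdict(list)
    for ts, ip, ev, subject, outcome in events:
        if ev == event_type:
            by_ip[ip].append((ts, subject, outcome))
    flagged = {}
    for ip, rows in by_ip.items():
        rows.sort()
        start = 0
        for end in range(len(rows)):
            while rows[end][0] - rows[start][0] > window:
                start += 1                      # drop events older than the window
            win = rows[start:end + 1]
            subjects = {s for _, s, _ in win}
            fails = sum(o not in SUCCESS for _, _, o in win)
            if len(subjects) >= min_subjects and fails / len(win) >= min_fail_ratio:
                flagged[ip] = {"distinct": len(subjects), "attempts": len(win),
                               "fail_ratio": round(fails / len(win), 2)}
                break
    return flagged

def scan(lines):
    """Parse the constructed log format and run both detectors."""
    events = [(datetime.fromisoformat(t), ip, ev, s, o)
              for t, ip, ev, s, o in (line.split() for line in lines)]
    return {"credential_stuffing": detect_automated_abuse(events, "login"),
            "carding": detect_automated_abuse(events, "card_auth")}
```

In production the source key would usually be a session or device fingerprint rather than a bare IP, since credential stuffing and carding bots rotate through proxies; the window logic is unchanged.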
Bad bots shop, too
In October 2020, we recorded a 788 percent increase in bad bot traffic to retail websites, coinciding with the launch of the new gaming consoles and GPUs as well as holiday shopping, and lasting through Black Friday. Throughout the year, 22.7 percent of traffic to retail websites consisted of bad bots, of which a staggering 62.8 percent were classified as Advanced Persistent Bots. The 2021 holiday shopping season is shaping up to be similar. The global chip shortage is only worsening and may last well into 2022. This matters because highly coveted electronics like gaming consoles, GPUs, smartphones, laptops and other consumer electronics are in short supply. And where there’s short supply of a high-demand product, scalpers armed with bots are on high alert. Scalping is the act of purchasing limited-stock items in order to resell them at a higher price. From simple bots that scrape product pages for available inventory to full-fledged bot operations that make use of highly sophisticated bots, scalpers gain a competitive edge over the average consumer. The inability to purchase the items leaves legitimate customers frustrated with brands and retailers. It damages reputation and customer lifetime value as well as conversion rates.
The side-effects of bot traffic mismanagement
Retailers that are caught unprepared and without a bot management solution in place can expect degraded performance leading to slowdowns and potential downtime, which according to Gartner costs $5,600 per minute on average. Additionally, for online retailers that experience downtime there’s more at stake than just lost sales. Damaged brand reputation, diminished search engine optimization (SEO) and unsatisfactory conversion rates are just a few of the repercussions. Today, consumers are highly sensitive to page load times. The average bounce rate for pages loading within 2 seconds is 9%, and it skyrockets to 38% by the time load time hits 5 seconds. Implementing a bot management solution that eliminates bad bot traffic not only reduces the risk of downtime, but also improves average page load times, thus reducing the bounce rate.
Customer experience is key
One particular challenge of bot management is maintaining a top-class customer experience (CX) without compromising security. According to Google-commissioned research conducted by Forrester, improving security and detecting threats are naturally the top two capabilities that decision-makers look for in a bot management solution. However, improving CX was the third most highly rated priority for business leaders. According to Forrester, there is a direct line between improving CX and growing your bottom line. This means that besides cutting-edge detection and mitigation techniques, retailers must look for a solution that doesn’t compromise on the user experience.
Better fraud prevention with Imperva
Imperva’s WAAP (Web Application and API Protection) stack combines best-of-breed solutions that protect your business from edge to database. Two key components of it are Advanced Bot Protection and Client-Side Protection. Combined, they improve security posture by enhancing fraud prevention:
- Advanced Bot Protection reduces business risk by safeguarding your online store from bad bots that perform business logic attacks. Importantly, it doesn’t get in the way of legitimate customers, preserving customer experience and ensuring business continuity. It mitigates all OWASP automated threats, including account takeover, web scraping and online fraud. With protection for websites, mobile applications and APIs, Advanced Bot Protection covers all of your access points.
- Client-Side Protection mitigates the risk of your customers’ most sensitive data landing in the hands of bad actors. It prevents supply-chain fraud from client-side attacks like formjacking, Magecart and other online skimming attacks. Client-Side Protection automatically scans for existing and newly added services on your site, eliminating the risk of them being a blind spot for the security team. The solution empowers your security team to easily determine the nature of each service and block any unapproved ones.
Try Imperva’s Application Security Suite today. Start your Application Security free trial now.