Identity Theft in eCommerce: How DTC Brands Can Protect Themselves
Your eCommerce store is at risk of identity theft. In fact, the threat is probably much bigger than you’d care to think.
Identity theft is the most common type of eCommerce fraud, says UKTN Online News Editor Alara Basul at Ravelin. It accounts for almost three-quarters of all attacks and doesn’t just rely on stolen credit card details. Email and user accounts, names, addresses and other identifying information is used by attackers trying to look like real consumers.
There are two ways you can fall victim. Hackers can either try to steal your consumer data or they can use stolen data to make fraudulent purchases. You’ll need to take steps to prevent both methods if you’re to successfully secure your store.
Protect Consumer Data
The first step in protecting your brand from identity theft is to stop hackers from getting access to consumer data. Weak data protection measures don’t put only your consumer at risk, they put your reputation at risk, too.
Collecting data is a necessary part of doing business, says Dan Scalco Founder and Director of Growth at digital marketing company Digitalux, but it’s also a big responsibility. “When customers share this information, they’re trusting your business to keep it safe. If you fail to do so, they’ll be more than willing to take their business elsewhere.”
Start By Requiring Strong Passwords
You can implement the strongest security measures available, but consumers can still be put at risk by their own actions. If they have weak passwords, their accounts are susceptible to breach regardless of the measures you take.
That’s why it’s important to demand consumers create long passwords that contain a mixture of letters, numbers and symbols, says EmailAnalytics Founder and CEO Jayson DeMers. Provide real-time information on their password strength so they’re incentivized to make it as strong as possible and encourage them to change their password often.
For brands that want to go further, DeMers recommends educating consumers on cybersecurity best practices like logging out of accounts, using secure networks and avoiding common online scams.
Even the strongest password is not secure without multifactor authentication, however. MFA requires visitors to use one or more additional forms of authentication, using a text or app to confirm login. MFA can eliminate almost all credential stuffing attacks, where hackers use bots to automatically try different combinations of common usernames and passwords, explains Martin Gontovnikas, VP of Marketing and Growth at identity management platform Auth0. Implement MFA and you’ll make it much harder for user accounts to be hacked.
Only Store the Data You Need
Storing as little information as possible is one of the best ways to protect your brand and your consumers from identity thieves. Hackers can’t steal data you don’t hold, says Neill Feather, Chief Innovation Officer at SiteLock. Remove any sensitive consumer information that isn’t absolutely essential to business, or go even further and avoid storing this kind of information in the first place.
If you choose to store data, you need to encrypt it. Visa and MasterCard require retailers to encrypt card details during checkout, but this data must also be encrypted on your servers, explains Timothy de Paris, Chief Technology Officer at digital experience analytics platform Decibel. Don’t stop at encrypting payment details, either, he adds. Hackers can use any stolen personal information to facilitate identity theft.
Finally, try to encrypt that data while it’s in transit, advises entrepreneur AJ Agrawal. “This preventative method can actually limit or completely eliminate security breaches, protecting businesses from lack of credibility and profit loss.”
Choose a Secure eCommerce Platform and Update Software Often
There are a lot of things to consider when choosing an eCommerce platform, says PCMag Analyst Gadjo Sevilla, and security needs to be one of them. He recommends looking for a solution that includes encrypted payment gateways, an SSL certificate and authentication measures for both buyers and sellers.
A good eCommerce solution will automatically update elements on your behalf, but if it doesn’t, it’s important to stay on top of patches and updates. Out-of-date applications are vulnerable to hacks, explains Megha Parikh at marketing platform SEMrush.
“They can be easily perpetrated by hackers who exploit the existing vulnerabilities in older versions to their benefit. Hackers have in their possession software that can crawl the website and trace systems or websites that are not adequately secured.”
The best way to protect yourself from these attacks is to establish processes that update applications as soon as updates become available, or to partner with an eCommerce solution that provides automatic updates or uses APIs.
Identify and Stop Fraudulent Purchases
With the right security measures in place, your brand doesn’t have to be a victim of identity theft. Smart DTC brands secure their checkouts, monitor consumer behavior and identify fraudulent purchases as they happen.
Secure Your Checkout and Comply With PCI SSC
Your store’s checkout is the frontline in the war with identity thieves, so it’s important to bolster its defenses. There are several things you can do at checkout to increase security, according to the team at Namecheap. Firstly, implement a CAPTCHA as this will stop virtually all bot attacks. Secondly, ensure you understand how to use the address verification system, which cross-references the billing address supplied by consumers with the address stored in the credit card system. Thirdly, and in compliance with the Payment Card Industry Security Standard Council (PCI), store CVV data separately from users’ credit card numbers.
Requiring CVV codes for all mobile transactions is one of the key parts of the PCI DSS guidelines, says the team at checkout experience platform Bolt. These are industry-standard best practices for storing and processing credit card information. It is essential to follow all of the guidelines, they write. Not only will this protect consumers during checkout, but it will also ensure that you can successfully challenge chargebacks from credit card providers.
Automatically Monitor Consumer Behavior
Ideally, you’ll want to identify potential instances of identity theft as soon as they reach your checkout. Brands can do this by keeping a close eye on user behavior.
Consumers typically order the same products, spend similar amounts and have orders shipped to the same addresses, writes Rachel Go, Content and Partnerships Marketing Manager at fulfillment solutions provider Deliverr. Fraud detection tools can be used to highlight any instances where consumers behave out of the ordinary, like spending significantly more than normal or having products shipped to a different state or country.
Indeed, a spike in spending is a good indicator that an account has been hacked, according to the Merchant Fraud Journal. Brands should also check that the bank associated with a purchase uses new Social Security Number verification tools. Established by the Economic Growth, Regulatory Relief and Consumer Protection Act, these tools allow banks to use social security data to legitimize credit card applications and make sure applicants are old enough to apply. In short, they significantly minimize the risk of fraudulent credit card use.
When potentially fraudulent purchases are detected, secure and sophisticated carts will cancel the order and initiate a refund. This gives time for the consumer to approve the transaction, which can then be reissued, or confirm that it is, in fact, a fraudulent purchase.
Partner with BaaS to Protect Data and Secure Payments
Brands can rarely implement all of these strategies on their own. It’s often necessary to turn to third-party advice and software to develop a solution.
Comprehensive protection is time-consuming and requires brands to have access to a level of consumer data they can’t get on their own, says Chargebacks 911 Founder Monica Eaton-Cardone. Leveraging technology and third-party help is essential for success. In particular, she recommends a combination of AI and multilayer authentication techniques to validate purchases and automatically identify threats, as well as assistance from financial institutions.
Kathryn Petralia, President and Co-Founder of financial services, data, and technology platform Kabbage, writes that partnering with a third-party service provider is the best way to protect data and prevent payment fraud. “From my own company’s experience building a payments systems for small businesses, I can encourage you to insist on point-to-point encryption to thwart hackers. Use tokens instead of passing cardholder data, and EMV or chip cards to protect your business against the risk of fraud.”
No one expects brands to be experts at identity theft; that’s partly the reason they are targets in the first place. It’s also why partnering with a Business-as-a-Solution provider that does understand fraud and has the means to prevent it is so important.