The holiday shopping season represents a major chunk of annual revenue for retailers in virtually every sector. Per the National Retail Federation, sales grew over 14% to nearly $900 billion in November and December 2021; if they grow at the same rate this year, holiday retail sales will top $1 trillion in 2022. The holiday spirit, fueled by the rush to catch Black Friday bargains, has everyone spending, and $226 billion of these sales are happening online.
While it's a great season for retailers, it's also a cash-in season for hackers who take advantage of the hype. Their scams include fraudulent giveaways that harvest user details, fake firms that never supply goods, and formjackers and card skimmers that insert malicious code into e-commerce sites. However, phishing, an old cybercriminal favorite, will still be the most prominent attack this holiday season.
Phishing, especially with the exceptional rise in cheap and easy-to-use phishing-as-a-service kits, will disrupt plans, cost money and generally try to ruin the holidays for retailers and consumers alike. A typical attack sees the victim opening an email impersonating a trusted retailer, like Amazon. The email looks legitimate, except the link provided within it leads to a spoofed site where the attacker can steal the user's login details and hijack their account.
Consumers are growing more aware of the dangers of online shopping. A recent survey by TransUnion found that the majority (54%) are concerned about being victimized by fraud this holiday season — up 17% from 2021. Confidence in the security of a retailer’s customer authentication processes directly affects consumers’ willingness to do business with them. The same survey reported a 40% increase in consumers stating that they would abandon a purchase due to lack of sufficient security.
For retailers, providing more secure customer authentication isn’t just about allaying consumers’ fears; it’s about protecting their own business. A successful phishing attack on a customer can mean lost income due to redirected purchases and fraudulent orders, reputation damage and potential fines, among other consequences.
Cyberattacks aren’t the only authentication-related threat for retailers. While shopping online avoids the hassle of long lines and parking difficulties, it often adds to customer frustration when it comes to checking out. This directly translates into lost sales for digital merchants. Nearly 20% of online shoppers abandon their carts because they forgot their password. This chimes with other research that cites overly long checkout processes (18%) and not wanting to create another online account (18%) as reasons why visitors leave sites without completing a purchase.
It only gets worse when trying to add protection layers in the form of SMS or email OTP codes. Besides their dubious security benefits, OTPs add a layer of friction and another potential point of failure. If a retailer wants to ensure secure customer authentication, there's a fine line between building a protective wall and becoming too much of an obstacle for customers.
The holiday season is the most important time of the year for retailers — and cybercriminals. There are several scams, but phishing and subsequent account takeover (ATO) or stealing card details are the most prevalent. This can have major consequences for retailers; however, secure customer authentication that's too overbearing will also turn customers off and cause them to abandon their carts.
The solution must be secure and remove passwords, yet it should be simple and smooth for the customer. HYPR's FIDO-based system leverages biometric identifiers (inherence) on a customer's smartphone (possession), creating a phishing-resistant, passwordless MFA flow that decreases login friction for customers. In addition, our mobile and web SDKs are geared towards flexible, easy deployment so that you can immediately remove passwords from your customer experience.
Schedule a demo to find out how HYPR can deliver CIAM security solutions that meet PSD2 Strong Customer Authentication (SCA) and other regulatory requirements, while improving the user experience.