I Am An Account Takeover Victim: How This Company Could Have Kept My Loyalty

How an organization handles an Account Takeover can have a significant impact on consumer trust and retention. Recently I became a victim and the response has made me re-think about my loyalty to this brand. Here’s what happened:

“Email address/account does not exist.”

I enter my username and password again and receive the same message. I try password reset and get the same message again.

I have been a customer of this well-known athletic apparel retailer for close to 10 years. What. Is. Going. On?

As someone who works in IT Security, my spidey senses immediately made me think: my account has been compromised. Unfortunately my experience in working with this retailer to help identify and resolve my problem was a 4 day challenge only driven by my tenacity to figure out what happened and to ensure my account was secure.

The Good News?

The security team prevented a malicious actor from taking action after they breached my account and blocked a fraudulent transaction. They also blocked them future access to my account. And to that I give them a big thanks! They had enough tools in their security stack to prevent my account from being abused.

So, you might think the story ends there. But, my experience exposed that they didn’t have a playbook or the tools to properly handle consumer security concerns across a variety of company support teams. It took over 3 hours on the phone, with 4 departments, and 4 days to find out what happened to my account.

Also it turned out that my they knew my account had been breached 2 months prior yet I was never informed. When your business depends on the trust and loyalty of your customers, this type of problem can negatively impact customer experience and could lead to losing customers and therefore the bottom line.

Given the cybersecurity talent shortage, I don’t think this retailer is alone. Most security teams I have worked with are busy blocking and tackling so there are gaps in the process.

The Bad News

In looking back at this incident, here are the 4 areas where they needed improvement in security response and process:

  • No priority queue for account takeover or other security issues online or on the phone
  • Customer service not trained on how to respond or escalate potential customer security issues
  • Unable to prevent the account takeover
  • No communication informing me my account was compromised or how to recover my account

Why is all this important? Because according to recent research poor customer service costs companies $75B dollars per year and around the globe, 61% of consumers say they stopped doing business with a brand because of poor customer service.

With this retailer, while I can be more empathetic and understand how all of these stumbles happened (because I work in the security industry), I’m not sure most consumers will be as sympathetic.

Trust and Security Go Hand in Hand

Once trust is broken, it can be impossible to regain. Clearly no company WANTS their users’ accounts to be compromised. Today there are technologies out there that support a better experience and response to your end users when an account takeover happens. Here are a few ideas on how this retailer, and other companies who have online consumers, could better address both customer service and preventing credential compromise with both process and technology.

Customer Communications

  1. Trust Your Customers – Provide a Security Hotline
    Trust goes both ways. If a customer is calling (or chatting, or emailing) to tell you they think there is a security issue with their account, assume there is and give them a path for help. Customer service should be trained to be able to help customers get the support they need right away.
  2. Deliver Proactive Communications to Customers
    If the company knows a customer’s account has been compromised, provide timely and clear communications. Tell them exactly what happened to their account and how/when they were exposed. Today there are solutions available [you can learn more about how Castle does that here] that can automate this process and share with the customer what happened including what type of suspicious device, IP/location attempted to log into an account, what a company has done to respond to an incident and even actively engaging with the customer to authenticate the login before allowing access. Proactively reaching out to them and providing options for account recovery helps build trust and stronger security. Compliance requirements are now coming into play here for many companies.

Reevaluate Your Security Technology To Prevent Account Takeover

Here are 3 things to look for:

  1. Understand Users, Behavior and Risk
    Understanding just basic customer login information is not enough. Nor is relying on Captcha solutions which can start to frustrate your users and cause more friction.  To protect your users, it’s important to understand each user’s identity, what their behavioral norms are, which devices they use and what they do both before and after login so that you can better understand risk. This data is critical in order to help you identify threats, risks and anomalies within a user’s account and help you with providing a better response and experience for your customers
  2. Detection
    When evaluating detection solutions, having the ability to detect between malicious automated bot attacks, human attacks, anomalous activity and user error is critical in order to determine the proper response to the attack. Also, determine if you need to be client less. Client-side fingerprinting can collect device properties and biometrics but and server-side fingerprinting can enable you to go clientless to protect user services with a back-end integration that can analyze context of login request in real-time. Some of the key things you want to be able to detect:
  • Abnormalities and spikes in all of your applications’ key events (logins, profile updates, transactions and more)
  • Botnet and credential stuffing attacks in real-time
  • Anomalous Activity (or activity that falls outside a user’s norm) such as fast travel patterns, new device activity, access from new region, or multiple users per device.
  1. Response and Recovery Process
    Detection alone is not enough to protect customers. Being able to respond in real-time based on risk is a critical component and one that can reduce the manual burden during the recovery process. When evaluating solutions to help with detecting and responding to possible account attacks, having the ability to identify between a real attack, anomalous activity and legitimate use is critical. You want to be able to discover and block malicious attacks but for anomalous activity you should have the ability to enable adaptive authentication workflows or other low-friction notifications that alert an end user to unusual activity on their account so that they can take action and be a part of the process to help protect their account.

Taking customer’s IT Security concerns seriously is extremely important. Customers put trust in the companies they do business with to protect their account information. And if you’re not taking it seriously, it can have a huge impact on the business both in terms of your customer’s experience and retention as well as protecting the organization from a security breach.  To protect your customer’s accounts from an account takeover, regularly evaluate your detection and response processes. Automating the recovery process can help overburdened security teams sleep easier and eliminate false lockouts, support queues and angry tweets from customers.