ID.me & Fingerprint: How to protect customer accounts without impacting UX


Online marketplaces are where people are spending their money — be it for rideshares, Airbnb bookings, or to find their next date on the latest app — and these marketplaces added over $1.7 trillion in consumer spending in 2019. Additionally, by some industry estimates, sales in online marketplaces may overtake first-party e-commerce channels by 2025.

But all this growth also has made digital marketplaces prime targets for online fraud attacks, with losses estimated at billions of dollars per year. A large portion of these losses are associated with identity-based fraud like new account fraud and account takeover. 

So how can businesses enhance their fraud prevention efforts in online marketplaces without sacrificing user experience?

In this post, we summarize highlights from a talk at the 2024 Marketplace Risk Conference, featuring ID.me’s Director of Fraud Risk Analytics Subra Thiagarajah and Fingerprint’s Sr. Developer Evangelist Keshia Rose. 

We’ll see how ID.me uses device intelligence to protect high-security accounts and also learn how layered security measures can be applied to defend marketplaces against account takeover attacks — all without compromising user experience. 

The growing threat of account takeover attacks

Account takeover (ATO) attacks are one of the most common and devastating types of fraud for both consumers and businesses, and they are on the rise, with nearly 30% of U.S. adults reporting that they were victims of an ATO in 2023.

For businesses, the financial impact can be substantial. According to IBM’s “Cost of a Data Breach Report 2024,” the average cost of one data breach involving stolen credentials is $4.62 million due to operational downtime, lost customers, and mitigation costs. 

One way to strengthen defenses against ATO attacks is to use legacy verification tools like multi-factor authentication or CAPTCHAs. But while those solutions can be more effective than just having passwords alone, they also create additional friction and a subpar experience for legitimate users, which businesses also want to avoid — and no wonder: Studies show that 58% of shoppers will abandon their transaction if they face difficulties during the login step, and 1 in 4 consumers will abandon a $100 cart if they’re required to reset their password at checkout. 

Additionally, traditional methods of recognizing returning visitors, like cookies or IP-based identification, often generate false positives due to the use of privacy browsers and VPNs, making it hard to differentiate between returning users and potential fraudsters. 

As a result, marketplaces are facing the very real challenge of shoring up their fraud defenses to protect against ATO attacks without causing unnecessary friction and frustration for their customers.

Where is ATO fraud going? 

As technology has evolved and improved over time, fraudsters have done the same. For example, many scams now involve using generative AI (Gen AI) that can create very convincing messages to use in phishing emails and deepfakes to fool victims into thinking they’re talking to someone they know — all to trick people into giving up valuable information. Fraudsters also use Gen AI to quickly code and deploy malicious bots that can be used in credential stuffing or brute-force attacks.

Cybercriminals are also getting better at bypassing MFA requirements and writing scripts to pass CAPTCHAs. In order to detect potentially fraudulent activity more quickly, businesses need to implement new solutions like device intelligence, which collects numerous signals from a device and browser to identify site visitors.  

What does Fingerprint do? 

Fingerprint is designed to help detect and reduce the financial impact of ATO fraud. Fingerprint’s device intelligence platform is compliant with global privacy and data regulations, like GDPR and CCPA, and analyzes over 100 device and browser attributes to generate unique, highly accurate visitor identifiers that persist for months and years (unlike cookies, which can be blocked or easily deleted). 

Fingerprint’s proprietary Smart Signals collect user behavior, network, and device signals like VPN usage, browser tampering, and bot activity to help companies recognize and differentiate returning users from potential threats with industry-leading accuracy. If a visitor is flagged as suspicious, fraud teams can then decide whether to require additional authentication steps like MFA. 

What does ID.me do? 

ID.me is a U.S.-based digital identity verification platform that authenticates people’s identities online using government-issued IDs (like driver’s licenses and passports), paired with video selfies and sometimes biometric data. These requirements make it challenging for fraudsters to impersonate someone, even if said fraudsters possess stolen user credentials. 

Over 30 U.S. states and 16 federal agencies, including the Social Security Administration and the Internal Revenue Service, use ID.me to protect sensitive transactions and services. Additionally, 7 of the 30 states have publicly credited ID.me with helping prevent $273 billion in fraudulent and improper payments. The company has multiple cybersecurity certifications, including FedRAMP, SOC 2 Type II, ISO 27001, Kantara IAL2/AAL2, and Kantara Classic.

How ID.me and Fingerprint work together to prevent ATO fraud in marketplaces

To effectively prevent ATO fraud, ID.me combines its stringent identity verification processes with Fingerprint Identification and Smart Signals to provide another layer of verification.

For example, if a user falls for a phishing scam and shares their information, ID.me can detect an unauthorized login attempt from an unrecognized device and block the account takeover attempt.

ID.me also combines multiple signals with its fraud data to determine which indicators are most predictive of risk for its unique environment. These signals include VPN usage, timezone mismatches, browser tampering, and less obvious factors like installed fonts. For example, ID.me observed that certain attacks came from users with specific language fonts installed, allowing the team to use that as an extra indicator of suspicious activity.

By supplementing proof of government-issued IDs and video selfies with device and browser signals provided by Fingerprint, ID.me can be more confident in determining whether a login should be flagged as potentially suspicious and if it should trigger additional verification steps.

Protecting users and data: ID.me’s security needs in the AI era

For marketplaces that use ID.me as part of their login processes, it’s critical that ID.me is able to detect and prevent fraudsters from using stolen credentials to commit ATO fraud. At the same time, the company also needs to be able to accurately and quickly identify legitimate users when they log in and not create unnecessary friction — because, as we mentioned earlier, 58% of shoppers will abandon a transaction when they face login or verification issues. 

These two challenges are compounded by the fact that fraudsters are using new technologies like generative AI (Gen AI) to get better at committing online crimes. For example, from a social engineering standpoint, Gen AI can be used to create very convincing landing pages and emails to trick people into entering their login credentials. This technology is also used to write scripts for bots that can be used for credential stuffing attacks, a common method used in successful ATO fraud.

In marketplaces, Fingerprint helps ID.me identify and differentiate between real humans trying to log in and automated login attempts. For example, ID.me uses Fingerprint’s Smart Signals to detect browser tampering, bots, and VPN usage, all of which could indicate intention to commit fraud. Based on the real-time signals provided by Fingerprint, ID.me’s team can then determine what steps they want to take next, whether it’s blocking a suspicious user or requiring additional authentication. 
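
As an added illustration (not ID.me's or Fingerprint's code), the sketch below estimates from labelled login history how predictive each signal is in a given environment, then maps a login's signals to allow, step-up, or block. The signal names, the sample history, and the thresholds are constructed assumptions.

```python
import math

# Hypothetical signal names for illustration; not Fingerprint or ID.me field names.
SIGNALS = ("new_device", "vpn", "tz_mismatch", "tampering")

def learn_weights(history, smoothing=1.0):
    """Return {signal: log-likelihood ratio} from (signals, is_fraud) pairs.

    A positive weight means the signal appears more often in fraudulent
    logins than in legitimate ones. Laplace smoothing avoids log(0).
    """
    fraud = [s for s, is_fraud in history if is_fraud]
    legit = [s for s, is_fraud in history if not is_fraud]
    weights = {}
    for sig in SIGNALS:
        p_fraud = (sum(sig in s for s in fraud) + smoothing) / (len(fraud) + 2 * smoothing)
        p_legit = (sum(sig in s for s in legit) + smoothing) / (len(legit) + 2 * smoothing)
        weights[sig] = math.log(p_fraud / p_legit)
    return weights

def decide(signals, weights, step_up_at=2.0, block_at=5.0):
    """Sum the weights of the signals present and map the score to an action.

    Simplification: only signals that fired contribute to the score.
    """
    score = sum(weights.get(s, 0.0) for s in signals)
    if score >= block_at:
        return "block"
    if score >= step_up_at:
        return "step_up"  # e.g. require MFA before the session is granted
    return "allow"

# Constructed sample history: 90 legitimate and 10 fraudulent logins.
HISTORY = (
    [(frozenset(), False)] * 70
    + [(frozenset({"vpn"}), False)] * 15
    + [(frozenset({"new_device"}), False)] * 5
    + [(frozenset({"new_device", "vpn", "tz_mismatch"}), True)] * 6
    + [(frozenset({"new_device", "tampering"}), True)] * 3
    + [(frozenset({"vpn"}), True)] * 1
)
WEIGHTS = learn_weights(HISTORY)

if __name__ == "__main__":
    for sig, w in sorted(WEIGHTS.items(), key=lambda kv: -kv[1]):
        print(f"{sig:12s} {w:+.2f}")
    for case in ({"vpn"}, {"new_device"}, {"new_device", "vpn", "tz_mismatch"}):
        print(sorted(case), "->", decide(case, WEIGHTS))
```

In this constructed data a VPN on its own stays below the step-up threshold, so a privacy-conscious returning user sees no extra friction, while an unrecognized device triggers additional authentication.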

Key takeaways: Balancing security and user experience with ID.me and Fingerprint

By partnering together, ID.me and Fingerprint help marketplaces provide personalized, streamlined processes to shoppers, resulting in less friction for trusted users and fewer abandoned transactions. 

With Fingerprint’s device intelligence platform, ID.me adds a layer of security to help detect and prevent successful account takeover attacks and their potentially financially devastating impacts. 


FAQ

What are online marketplaces?

Online marketplaces are where people pay for services like rideshares, Airbnb bookings, food delivery (e.g., Grubhub and DoorDash), and dating subscriptions.

Why should marketplaces take steps to prevent fraud?

Marketplaces added over $1.7 trillion in consumer spending in 2019 and are projected to overtake first-party e-commerce channels by 2025. As a result, fraudsters are increasingly targeting these marketplaces, with losses estimated at billions of dollars per year.
