March 15, 2019
Building a Safer Bot: Delight Customers Without Opening Your Brand to Cyberattacks
Posted July 5, 2017
This is the second in a three-part series about bots. Part one of this series looked at how a growing number of prominent brands are migrating to new digital identity-based authentication.
It’s no secret the bot revolution is picking up speed as a growing number of businesses look for new ways to connect with consumers through bot-driven promotions, conversational commerce and, especially, customer service.
Today, nearly 50 percent of senior marketing executives say they’re using, testing or planning to use bots. Among them:
- American Eagle Outfitters launched a playful commerce bot that doubled the average number of shoppers it typically acquires in a full month across all its social channels combined.
- Wells Fargo’s new customer service bot enables customers to check balances and even reset passwords from Facebook Messenger.
- Nest’s bots automate consumer appliances such as your home thermostat for convenience and efficiency.
- GEICO’s new voice bot retrieves policy information and personal documents via mobile phone.
This strategy seems to be working. According to a recent survey, 65 percent of millennials in North America prefer interacting with bots rather than live customer service agents. Brands from Kayak to Taco Bell are using them to help customers buy everything from airline tickets to Cheesy Gordita Crunches.
While a cool user experience and compelling functionality are critically important for success in today’s digital economy, so is cybersecurity. Strategies that fail to put security front and center risk finding hackers gunning for your brand.
For every bot that might turn on your porch lights or settle an insurance claim, there are others aimed at reaping high profits for cybercriminals at any cost to you.
Some may engage in loan stacking — targeting online lenders by using stolen identities to apply for multiple, fraudulent loans at once. Others use stolen identity data to test login credentials on bank and retailer websites to take over customer accounts or to deliver ransomware and other malicious code.
Whatever their target, bots-as-a-service (BaaS) offerings that feature an easy-to-use web interface and cost roughly $20 to $30 a month enable virtually any malcontent to be a hacker.
Since many traditional business systems use basic static logins with a user ID and password, they become essentially defenseless when user credentials are compromised. Using bots to automate login attempts is now astonishingly common. In fact, 80 percent of all online fraud attempts now involve bots.
It gets worse. On the more advanced end of the cybercrime spectrum, hackers are now targeting companies’ own brand bots to infiltrate their underlying infrastructure or application framework. So we have “bad” bots attacking “good” bots.
Even scarier are imposter bots that hijack or impersonate social media and customer service bots. Imagine a hijacked Twitter bot that posts negative information about other brands or individuals. Or a compromised travel aggregator bot that starts offering users incorrect flight information, pointing consumers to a certain airline—and away from yours. Or imposter bank brand bots that solicit account passwords from consumers, or send them to fraudulent banking sites.
Suffice it to say, you don’t want to be the brand that sees its own bots bring down the business.
Turning Point in the Battle of the Bots
The nature of these threats dictates that smart authentication must be step one in your deployment strategy.
Smart authentication means having the ability to not only recognize a device, but also go beyond that to understand the associations between the credentials, device, location and behavioral history. It means checking for the presence of threats in an app or on a device that could compromise session details. And, it means performing this analysis in real time and using the very latest intelligence on threats, global bot attacks, and suspicious devices and IP addresses. All of this is what ThreatMetrix digital identity solutions are designed to do.
So, if you’re going to launch brand bots, you want to optimize their success by arming your systems with the ability to distinguish good users and activities from bad without simply making logins more onerous or injecting more friction into the experience.
In part three, we’ll give you an action plan for getting started on strategizing your organization’s bot initiatives and protecting against fraud and user friction. If you can’t wait, you can read this exclusive solution brief on securing your brand against bot attacks of every kind.
Here’s hoping we can all make the most of our brand bots, while fighting back against bad bots.