Does Bot Management Strengthen Customer Loyalty and Engagement?

Netacea believes organizations must protect user accounts from attackers by enforcing stronger identity verification measures, but without eroding trust with their customers by over-burdening them with these processes – or else they risk pushing customers away to competitors.

Fighting back against account takeover

“New-account fraud and account takeover are the largest areas of liability for many organizations across such diverse industry sectors as government, insurance, banking and retail”, according to the Gartner ® report.

The Gartner analysts go on to say that “while bad bots have long been recognized as problematic if left unrestrained, recent evidence has shown that they are well organized and are largely driven by the goal of monetary gain.”

Our own threat research confirms that automated bots take advantage of widespread poor password hygiene and persistent data leaks to launch account takeover attacks with increasing velocity and sophistication.

For accounts of significant value, organizations can’t trust usernames and passwords as sufficient forms of authentication because they’re easily stolen and validated by armies of credential stuffing bots.

If passwords are dead, what will replace them?

Businesses have battled against these threats by trying to lock attackers out with elaborate methods of validating user identity. Here are examples and how they stack up against username and password for strength and convenience.

Username and password

Strength: 1/5

Millions of passwords are leaked online every year (and you can check if yours are compromised on haveibeenpwned.com).

“Numerous reports indicate that 60% to 70% of users use the same username and password to access more than one online account.” This statistic, along with the widespread availability of simple-to-use credential stuffing tools, makes such attacks easy and common.

Convenience: 4/5

Everyone is used to relying on passwords. Although we have a lot of passwords to remember, most browsers automatically save passwords and enter them for us. Password managers can also help remove friction from using passwords.

Knowledge-based authentication

Strength: 2/5

Knowledge-based authentication (KBA) relies on what only the individual user knows, for example static information (mother’s maiden name) or dynamic information (the last thing you bought with your credit card). However, these answers are susceptible to social engineering and phishing attacks through spoofed communications, or brute force cracking by guessing common answers using automation.

Convenience: 4/5

Answers to knowledge-based verification are easier to remember than passwords, but recalling specific answers can still cause frustration.

One-time passwords

Strength: 2/5

One-time passwords (OTPs) might seem more secure due to their temporary nature, yet they can be exposed to attackers via phishing emails, or man-in-the-middle attacks where users are tricked into entering them on fake websites.

Convenience: 3/5

Having nothing to remember does add a degree of convenience to OTP authentication, but it also adds another step to the login process that could frustrate.

It’s clear all these methods have drawbacks in either strength or convenience, which is why in ‘Don’t Treat Your Customer Like a Criminal’, the Gartner analysts suggest the future of identity and access management (IAM) is the use of passive behavioral biometrics – “Focus on building an understanding of the individual and peer group behavior of legitimate customers.”

Bot management as part of behavioral biometrics

Netacea uses an innovative machine learning method called Intent Clustering to group together users based on behavior. These clusters are created, grow, shrink, change, and even disappear dynamically. Netacea’s expert bot team examines these clusters to determine which are malicious, and block users exhibiting this behavior in the background.

Bot management technology discreetly filters out fraudsters before they can access compromised accounts. This frees customers from the burden of proving their identity, making their lives easier.

Early intervention and behavior-based threat detection can also prevent the costliest attacks. For example, according to the BLADE framework the first stage of any account takeover attack is to test stolen or cracked credentials on the target website. This requires specific automated behaviors, allowing bot management solutions to stop bot attacks early, before they become a bigger problem.

Gartner, Don’t Treat Your Customer Like a Criminal, By Tricia Phillips, Jonathan Care, Akif Khan, 1 July 2021

GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.