FARFETCH - Account Security Vulnerabilities

Website

https://www.farfetch.com

Project Info

Project:
FARFETCH - Account Security Vulnerabilities
Date:
2022
Who they are:
Farfetch is a British-Portuguese online luxury fashion retail platform that sells products from over 700 boutiques and brands globally.
Problem:
The accounts of 13,392 FARFETCH users were compromised in April 2022 alone, almost doubling from 7,043 users in March 2022. As a result, many loyal VIPs and regular FARFETCH customers have lost money, and also lost trust in the FARFETCH brand. How might we better protect our users so they can take quicker action on their account details being compromised?
Objective:
We want to alert users as early as possible when their account details have been compromised, so customers feel safe and continue shopping with FARFETCH.
Research methods:
Desk research, Data analysis
Tools:
Figma, Castle.io, NN Group, Baymard audit

Set project goals

Thanks to insights from the FARFETCH security team, it was revealed that "account stuffing" (commonly called credential stuffing) was the main cause of customer account hacking: an attacker uses a script to try an email and password pair, typically obtained from a breach elsewhere, against numerous websites.

To prevent this from happening to FARFETCH users, the security team asked design (AKA me) to explore the following: 

1. Providing awareness to users that changes have been made to their personal data

2. Providing awareness to users of irregular logins

3. Providing users with the ability to act quickly if these actions were not taken by them

Evaluate current experience

Considering that changes in personal details are one of the first signs of an account being "stuffed", I wanted to understand what happens presently when a user's personal details are changed in accounts for the top-players in account security (Apple, Google, Facebook) vs. our experience at FARFETCH.

Gathering benchmark research 🗺️

To begin my desk research, I created new accounts on Facebook, Google and Apple. With each new account, I focused on three aspects of online account ownership:

1. creating the account

2. managing the account

3. dealing with irregular activity

In doing this, I would be able to pinpoint which tactics are most appropriate at what points in the user's journey. After creating accounts, exploring the settings, and triggering activity warnings, I grouped the most common security tactics used, and provided examples.

Creating account 🐣

Managing account 🔧

Irregular account activity 😲

Looking at the FARFETCH experience 👁️

Now that I had a better understanding of what the top-players were doing, I wanted to test what FARFETCH is doing now. How many of these tactics are we using? What could we try? 

Creating account 🐣

When a new user creates an account on FARFETCH, they are reminded of what makes a quality password. If the user does not meet these criteria, they are not allowed to proceed with registering for an account.

After the user registers, they receive a "welcome" email from FARFETCH. However, this email does not contain any information on account security.

When a user signs up, they can also use social networks, or save their password in a keychain on their browser. This allows the user to create an account without a password (and rely on the security of Google, Apple or Facebook) or their browser.

Opportunities: 

1. email verification of account? (Google, Facebook, Apple)

2. adding an educational component to the welcome campaign? (similar to Google, Apple)

3. encouraging more users to log in with social networks?

Managing account 🔧

When a user lands on the FARFETCH homepage, it appears that they are logged in. When they go to view their account, however, they are invited to input their details again.

When a user wants to change their password, or details such as their name or phone number, the user must insert their password again to confirm.

While these tactics exist for security purposes, and are present in experiences such as Apple account settings, if a hacker already has the password and email of the user, these changes can be made quite easily without the user being aware - and account stuffing log-ins can still happen.

Opportunities: 

1. Confirming with the user when changes are made in their account (Google, Facebook, Apple)

Irregular account activity 😲

When a user makes an order, they can view the status of their order in the "my account" area. Additionally, the user receives emails confirming their purchase and the ability to track it. While it is not obvious during the order flow, the user can also opt-in for push notifications updating them on their order.

If a user wants to contact customer service (whether it's about their order, or changes to their account), doing so is a lengthy journey. First, the user must select "Need help", then go through a lot of options until they reach a contact form. After filling out this contact form, the user sees a message that does not give a clear timeframe as to when they will hear back. Under the circumstance of an account being hacked, this lack of urgency could be a cause for concern.

Opportunities: 

1. Making it quick and easy for a user to take action (Google, Facebook, Apple notifications allow user to define irregular activity instantly)

Key takeaways: 

1. FARFETCH uses standard security measures such as: password criteria, password to confirm changes, order confirmation and status, and the ability to contact customer service

2. However, FARFETCH does not notify the user of account activity outside their order status. As a result, the user is notified too late in the journey when their account is compromised.

User journeys... 🛣️

After comparing the FARFETCH experience to the security standard of Google, Apple and Facebook, and realizing that unlike these platforms, we don't notify the user early enough about irregular activity, I wanted to better understand...

how we might catch irregular activity as early as possible?

From speaking to the security team about the typical account stuffing journey on FARFETCH, I devised two basic flows: one for the hacker, and one for the FF account holder.

Hacker 👿

User 🧑

Bringing the information together 🤗

Through comparing the FARFETCH account security experience against the top-players, then mapping out the journeys of the "account hacker" vs. the "FARFETCH user", I wanted to zoom in again on the problem, then identify which tactics I would propose to engineering that would make the most sense for FARFETCH, but also stop the hacker in their tracks as early in the journey as possible.

Additional Verification ✅

While 2FA is the most common method for stopping account stuffing hackers, and would stop them at the beginning of the journey, I was curious if we could achieve this, given how often FARFETCH logs out users from their accounts.

When discussed with engineering & product... 🗣️

In order to implement 2FA, other issues would need to be fixed within the experience, and it would take the team longer to develop than the timeframe available for the first version of this initiative.

Verdict? 🧑⚖️

Save 2FA for a phase 2 iteration once foundational issues are fixed.

Password Alternatives 🔒

Since the root issue of account stuffing is the reuse of one password across many sites, I was curious about exploring a passwordless FARFETCH, or further emphasizing social login.

When discussed with engineering & product... 🗣️

Other high-priority initiatives on login modal would be impacted by emphasizing social login, or removing passwords. Would need to be in the roadmap for 2023.

Verdict? 🧑⚖️

Add to roadmap, but further down the line.

Warning of activity ⚠️ (recommended solution) 

From observing the user journeys and top-class experiences, we realized that the user is not warned of irregular activity in the FARFETCH experience. Through warning the user (as we do with order update emails and notifications), they can act more quickly on fraudulent activities.

When discussed with engineering & product... 🗣️

Since we already update users about things such as changing the address on existing orders, order status, etc., FARFETCH already has the technical infrastructure in place for this sort of messaging.

Verdict? 🧑⚖️

This idea is feasible, but needs to be considered within the larger context of our email campaign ecosystem to ensure that users see the message. Additionally, our China users do not use email, so we would need to consider SMS in this case.

Educating users 👩🏫 (recommended bonus solution) 

While we educate users on what makes a quality password upon signup, we don't make it easy for them to take action, or to know what to do when their account is hacked. Since our competitors clearly educate the user within the right moments on account security, it is important we do the same in our messaging.

When discussed with engineering & product... 🗣️

We can easily integrate this messaging into notifications of irregular activity, so the user is empowered with information (rather than alarmed).
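To make the recommended solution concrete, here is an added example (not FARFETCH code, and not part of the original case study) of the alert logic the three asks above call for: raise a "was this you?" notification when personal data changes or when a login comes from a country the user has never used, send change alerts to the contact detail as it was before the change, fall back to SMS for China users, and include the "what to do" step in every message. The user model, event format, sample users and events are all constructed assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class User:
    email: str
    phone: str
    country: str                                        # account's country code
    known_countries: set = field(default_factory=set)   # usual login countries
# Personal-data fields whose change should trigger a "was this you?" alert
ALERTED_FIELDS = {"email", "password", "phone", "address"}
def choose_channel(user):
    # Assumption taken from the page: China users are not reached by email, so use SMS
    return "sms" if user.country == "CN" else "email"

def build_alert(user, event):
    """Return a notification dict for an alert-worthy event, otherwise None.
    Change alerts go to the contact detail as it was *before* the change, so an
    attacker who swaps the email or phone cannot silence the warning."""
    channel = choose_channel(user)
    contact_field = "phone" if channel == "sms" else "email"
    to = getattr(user, contact_field)
    if event["type"] == "profile_change":
        if event["field"] not in ALERTED_FIELDS:
            return None                     # e.g. newsletter preference: no alert
        if event["field"] == contact_field:
            to = event["old_value"]         # warn the previous address/number
        reason = f"{event['field']} changed"
    elif event["type"] == "login":
        if event["country"] in user.known_countries:
            return None                     # routine login from a usual country
        reason = f"new login from {event['country']}"
    else:
        return None
    # Every alert carries the "what to do" step, so the user is informed, not just alarmed
    return {"to": to, "channel": channel, "reason": reason,
            "action": "If this wasn't you, secure your account: <secure-account link>"}

def process(users, events):
    return [a for a in (build_alert(users[e["user_id"]], e) for e in events) if a]
# Constructed sample users and events (not FARFETCH data)
USERS = {"u1": User("alice@example.com", "+447000000000", "GB", {"GB"}),
         "u2": User("wei@example.com", "+8613000000000", "CN", {"CN"})}
EVENTS = [
    {"user_id": "u1", "type": "profile_change", "field": "email",
     "old_value": "alice@example.com", "new_value": "attacker@example.net"},
    {"user_id": "u1", "type": "login", "country": "GB"},             # usual: no alert
    {"user_id": "u2", "type": "login", "country": "US"},             # unusual: SMS alert
    {"user_id": "u1", "type": "profile_change", "field": "newsletter", "old_value": "off", "new_value": "on"},
]
```

Running `process(USERS, EVENTS)` yields two alerts: an email to the old address about the email change, and an SMS to the China user about the unfamiliar login; the routine login and the newsletter change stay silent.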

Design process

Once we landed on the solution of notification emails, I went to our design system and transactional communication email templates to better understand how we communicate with the user now. Additionally, I also looked at further competitor email templates for inspiration.

More inspiration 📧

Which led to these emails (with existing DS modules) 📧

With a user journey that considers the urgency of the situation... ☠️

Triggered at just the right moment for iOS... 📱

And Android... 👽

And a basic outline of SMS for our China audience...

How I achieved my goals

✅ Gained understanding of how we aligned (and did not align) with account security best practice

✅ Suggested solutions feasible for both short-term and longer-term

✅ Landed on a solution that is feasible, fills in the main security gap

Next steps

What do we do now? ❓

✔️ User testing copy variants

✔️ Account confirmation via email

✔️ Exploring security push notifications

✔️ Deep-dive into password alternatives

Impact ✈️

While this work is currently in development, its impact upon users will be substantial (it will apply to all user segments in all countries).

*On average 96,212 FARFETCH users experience their account being hacked annually

*Annually, FARFETCH has 3.2 million active users

*FARFETCH operates in 190 countries globally

*In July 2022, 7,465 users experienced their account being hacked

Through notifying these users across the globe of irregular activity on their accounts, FARFETCH can save potential future costs (both monetarily and reputation-wise)...

*Fraudulent orders made as a result of account hacking

*Time of customer service agents handling these queries

*Disgruntled users who no longer trust FARFETCH