Thanks to insights from the FARFETCH security team, it was revealed that "account stuffing" (more commonly called credential stuffing) was the main cause of customer account hacking: an attacker robotically tries the same email and password pair across numerous websites.
To prevent this from happening to FARFETCH users, the security team asked design (AKA me) to explore the following:
1. Providing awareness to users that changes have been made to their personal data
2. Providing awareness to users of irregular logins
3. Providing users with the ability to act quickly if these actions were not taken by them
Considering that changes in personal details are one of the first signs of an account being "stuffed", I wanted to understand what happens presently when a user's personal details are changed in accounts at the top players in account security (Apple, Google, Facebook) vs. our experience at FARFETCH.
To begin my desk research, I created new accounts on Facebook, Google and Apple. With each new account, I focused on three aspects of online account ownership:
1. creating the account
2. managing the account
3. dealing with irregular activity
In doing this, I would be able to pinpoint which tactics are most appropriate at what points in the user's journey. After creating accounts, exploring the settings, and triggering activity warnings, I grouped the most common security tactics used, and provided examples.
Now that I had a better understanding of what the top-players were doing, I wanted to test what FARFETCH is doing now. How many of these tactics are we using? What could we try?
When a new user creates an account on FARFETCH, they are reminded of what makes a quality password. If the user does not meet these criteria, they are not allowed to proceed with registering for an account.
After the user registers, they receive a "welcome" email from FARFETCH. However, this email does not contain any information on account security.
When a user signs up, they can also use a social network login, or save their password in their browser's keychain. This lets the user create an account without remembering a password, relying instead on the security of Google, Apple or Facebook, or of their browser.
Opportunities:
1. email verification of account? (Google, Facebook, Apple)
2. adding an educational component to the welcome campaign? (similar to Google, Apple)
3. encouraging more users to log in with social networks?
When a user lands on the FARFETCH homepage, it appears that they are logged in. When they go to view their account, however, they are invited to input their details again.
When a user wants to change their password, or details such as their name or phone number, they must enter their password again to confirm.
While these tactics exist for security purposes, and are present in experiences such as Apple account settings, if a hacker already has the user's password and email, these changes can be made quite easily without the user being aware, and account stuffing log-ins can still happen.
Opportunities:
1. Confirming with the user when changes are made in their account (Google, Facebook, Apple)
When a user makes an order, they can view the status of their order in the "my account" area. Additionally, the user receives emails confirming their purchase and the ability to track it. While it is not obvious during the order flow, the user can also opt-in for push notifications updating them on their order.
If a user wants to contact customer service (whether it's about their order, or about changes to their account), doing so is a lengthy journey. First, the user must select "Need help", then go through a lot of options until they reach a contact form. After filling out this contact form, the user sees a message that does not give a clear timeframe as to when they will hear back. Under the circumstance of an account being hacked, this lack of urgency could be a cause for concern.
Opportunities:
1. Making it quick and easy for a user to take action (Google, Facebook, Apple notifications allow user to define irregular activity instantly)
Key takeaways:
1. FARFETCH uses standard security measures such as: password criteria, password to confirm changes, order confirmation and status, and the ability to contact customer service
2. However, FARFETCH does not notify the user of account activity outside their order status. As a result, the user is notified too late in the journey when their account is compromised.
After comparing the FARFETCH experience to the security standard of Google, Apple and Facebook, and realizing that unlike these platforms, we don't notify the user early enough about irregular activity, I wanted to better understand...
how we might catch irregular activity as early as possible?
From speaking to the security team about the typical account stuffing journey on FARFETCH, I devised two basic flows: one for the hacker, and one for the FF account holder.
Through comparing the FARFETCH account security experience against the top players, then mapping out the journeys of the "account hacker" vs. the "FARFETCH user", I wanted to zoom in again on the problem, then identify which tactics I would propose to engineering that would make the most sense for FARFETCH, but also stop the hacker in their tracks as early in the journey as possible.
While 2FA is the most common method for stopping account stuffing hackers, and would stop them at the beginning of the journey, I was curious if we could achieve this, given how often FARFETCH logs out users from their accounts.
When discussed with engineering & product... 🗣️
In order to implement 2FA, other issues would need to be fixed within the experience, and it would take the team longer to develop than the timeframe available for the first version of this initiative.
Verdict? 🧑⚖️
Save 2FA for a phase 2 iteration once foundational issues are fixed.
Since the root issue of account stuffing is the overuse of one password, I was curious about exploring a passwordless FARFETCH, or further emphasizing social login.
When discussed with engineering & product... 🗣️
Other high-priority initiatives on login modal would be impacted by emphasizing social login, or removing passwords. Would need to be in the roadmap for 2023.
Verdict? 🧑⚖️
Add to roadmap, but further down the line.
From observing the user journeys and top-class experiences, we realized that the user is not warned of irregular activity in the FARFETCH experience. Through warning the user (as we do with order update emails and notifications), they can act more quickly on fraudulent activities.
When discussed with engineering & product... 🗣️
Since we already update users about things such as address changes on existing orders, order status, etc., FARFETCH has the technical infrastructure in place for this sort of messaging.
Verdict? 🧑⚖️
This idea is feasible, but needs to be considered within the larger context of our email campaign ecosystem to ensure that users see the message. Additionally, our China users do not use email, so we would need to consider SMS in this case.
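To make the "irregular activity" notification concrete, here is an added illustration of the detection and routing logic such a feature needs; it is not FARFETCH's code. It flags a successful login from a device or country the account has never used, and separately watches for the credential-stuffing signature of one IP address trying many different accounts in a short window. The account histories, the thresholds (5 accounts per IP in 10 minutes), the channel rule (SMS for China, email elsewhere) and the sample login events are all constructed assumptions.

```python
"""Irregular-login detection and notification routing (illustrative, not FARFETCH code)."""
from collections import defaultdict, deque
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class LoginEvent:
    email: str
    ip: str
    country: str
    device_id: str
    ts: datetime
    success: bool


@dataclass
class AccountHistory:
    region: str                                   # assumed market code, e.g. "GB" or "CN"
    known_devices: set = field(default_factory=set)
    known_countries: set = field(default_factory=set)


class IrregularActivityDetector:
    """Two signals: per-account novelty (new device / new country) and the
    stuffing pattern of one IP cycling through many accounts. Thresholds are assumptions."""

    def __init__(self, window=timedelta(minutes=10), max_accounts_per_ip=5):
        self.window = window
        self.max_accounts_per_ip = max_accounts_per_ip
        self._ip_attempts = defaultdict(deque)    # ip -> deque of (timestamp, email)

    def _distinct_accounts_from_ip(self, event):
        attempts = self._ip_attempts[event.ip]
        attempts.append((event.ts, event.email))
        while attempts and event.ts - attempts[0][0] > self.window:
            attempts.popleft()                    # drop attempts outside the window
        return len({email for _, email in attempts})

    def evaluate(self, event, history):
        """Return the reasons this login is irregular (empty list if it looks normal)."""
        reasons = []
        if self._distinct_accounts_from_ip(event) >= self.max_accounts_per_ip:
            reasons.append("many accounts from one IP")
        if not event.success:
            # Failed attempts feed the velocity signal; the account holder is
            # only notified once someone actually gets in.
            return reasons
        if event.device_id not in history.known_devices:
            reasons.append("new device")
        if event.country not in history.known_countries:
            reasons.append("new country")
        return reasons


def build_notification(event, history, reasons):
    """Route the warning by channel and phrase it as information, not alarm."""
    if not reasons:
        return None
    channel = "sms" if history.region == "CN" else "email"   # assumed routing rule
    return {
        "to": event.email,
        "channel": channel,
        "subject": "New sign-in to your account",
        "body": (f"A sign-in from {event.country} at {event.ts:%Y-%m-%d %H:%M} UTC "
                 f"looked unusual ({', '.join(reasons)}). If this was you, no action "
                 "is needed. If not, change your password and contact customer service."),
    }


def demo():
    """Run the detector over constructed sample events and return what it flagged."""
    t0 = datetime(2022, 7, 1, 12, 0)
    det = IrregularActivityDetector()
    alice = AccountHistory("GB", {"dev-alice"}, {"GB"})
    wei = AccountHistory("CN", {"dev-wei"}, {"CN"})
    results = {}

    # 1. Alice on her usual device in her usual country: nothing to report.
    results["usual"] = det.evaluate(
        LoginEvent("alice@example.com", "203.0.113.5", "GB", "dev-alice", t0, True), alice)

    # 2. Correct password, but a device and country the account has never used.
    ev = LoginEvent("alice@example.com", "198.51.100.7", "BR", "dev-new",
                    t0 + timedelta(minutes=1), True)
    results["novel"] = det.evaluate(ev, alice)
    results["novel_channel"] = build_notification(ev, alice, results["novel"])["channel"]

    # 3. One IP trying leaked pairs: four fail, the fifth gets into Wei's account.
    ip = "192.0.2.44"
    for i in range(4):
        det.evaluate(LoginEvent(f"user{i}@example.com", ip, "CN", "dev-bot",
                                t0 + timedelta(seconds=i), False), AccountHistory("GB"))
    ev = LoginEvent("wei@example.com", ip, "CN", "dev-bot", t0 + timedelta(seconds=4), True)
    results["stuffing"] = det.evaluate(ev, wei)
    results["stuffing_channel"] = build_notification(ev, wei, results["stuffing"])["channel"]
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The two signals deliberately land at different points of the journey described above: the per-IP velocity check can fire before any account is entered, while the new-device/new-country check is what produces the user-facing message, which is routed to SMS for China users and to email elsewhere.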
While we educate users on what makes a quality password upon signup, we don't make it easy for them to take action, or to know what to do when their account is hacked. Since our competitors clearly educate the user within the right moments on account security, it is important we do the same in our messaging.
When discussed with engineering & product... 🗣️
We can easily integrate this messaging into notifications of irregular activity, so the user is empowered with information (rather than alarmed).
Once we landed on the solution of notification emails, I went to our design system and transactional communication email templates to better understand how we communicate with the user now. Additionally, I also looked at further competitor email templates for inspiration.
✅ Gained understanding of how we aligned (and did not align) with account security best practice
✅ Suggested solutions feasible for both short-term and longer-term
✅ Landed on a solution that is feasible, fills in the main security gap
✔️ User testing copy variants
✔️ Account confirmation via email
✔️ Exploring security push notifications
✔️ Deep-dive into password alternatives
While this work is currently in development, its impact upon users will be substantial (it will apply to all user segments in all countries).
*On average 96,212 FARFETCH users experience their account being hacked annually
*Annually, FARFETCH has 3.2 million active users
*FARFETCH operates in 190 countries globally
*In July 2022, 7,465 users experienced their account being hacked
Through notifying these users across the globe of irregular activity on their accounts, FARFETCH can save potential future costs (both monetarily and reputation-wise)...
*Fraudulent orders made as a result of account hacking
*Time of customer service agents handling these queries
*Disgruntled users who no longer trust FARFETCH