Q&A: Ephraim Rinsky, Product Marketing Manager, Riskified
Ephraim Rinsky is a Product Marketing Manager at Riskified, working in the Customer Trust domain. He works with some of the world’s largest online merchants to protect their online stores safe from fraudsters and policy abusers.
Can you tell us a bit about your background?
I’m a Product Marketing Manager at Riskified – focusing on our ATO (Account Takeover) Prevention product. I’ve been at Riskified for four years. My background is in statistics and economics.
What does your company do?
Riskified was founded in 2012 – introducing the ‘chargeback guarantee’ to the fraud prevention market. In the time since then, we’ve branched out into other product areas which complement our core offering, including ATO prevention.
In 20 seconds, how does your ATO prevention product work?
When a user tries to log in to a customer’s store account, we make a decision about the risk of this being an ATO attempt. We either allow the user to proceed, deny the login attempt (only in extreme cases), or request that the user verify their identity.
What’s special about your approach?
In a nutshell – the fact that we had already invested years in building a world-class solution to stop CNP fraud, gave our ATO product an enormous boost. Why? Two main reasons:
- We know what ATOs look like, because we’ve seen millions of them already at checkout. We have enough data now for our models to recognize malicious login attempts, even those that look completely legitimate to the human eye.
- We already have a robust merchant network. By this point, when a new customer comes to one of our merchants, we’re able to recognize the vast majority of customers. Usually between 80-90%
How does a product/service implementation actually look like and how do you measure success?
So every time a user tries to login to your site, we determine the likelihood that it’s an ATO attempt, and give you that allow/verify/deny response. In the case of verify – we can actually send that email or SMS ourselves. I’m talking about the kind of email that asks the account holder if it was really them that just tried to access their account.
Success is about finding the perfect balance between customer experience and security. Stopping as many ATOs as possible, while minimizing the number of good customers that we ask to verify their identity.
How are retailers using your systems to gain competitive advantage and what does best practice look like? Can you share a case study with us?
A major fashion retailer in North America that we work with recently was targeted by a huge ATO ring. (I don’t want to share the merchant’s name, out of privacy concerns). Frankly, if they hadn’t been using our ATO product, the fallout could have been disastrous. Thousands of customers could have logged in to find their loyalty points were missing, or fraudsters had made purchases with their stored credit cards (Card on file). We were able to flag the vast majority of these malicious login attempts, so the whole thing ended up being basically a non-event.
Are there other companies you partner with?
Yep! We’re live with a bunch of our merchants who are already using our Chargeback Guarantee product – and have a dozen more integrating, planning to go lige any day now.
What challenges and do you see in UK retail for 2021 / What challenges are retailers facing in 2020?
Great question! So this is a threat both to online retailers in the UK, and worldwide… Fraudsters are opportunists, and we have seen them take advantage of changing trends during Covid. One thing is credential phishing – with people spending more time in front of their computers, in a general state of fear, fraudsters are having an easy time tricking shoppers into handing over the credentials to their online store accounts. A customer might receive an phony email claiming to be from a merchant, warning them of a threat to their account security – the customer is then directed to a mock up of the merchant’s login page, where they inadvertently hand their credentials to a fraudster, who can then use them for an ATO attack. Once a fraudster is logged into a good customer’s account, it’s much more difficult for the merchant to identify and decline their order at checkout.
How will you address these challenges and turn them into successes?
Well – if you’re handling the ATO threat well, and your competitors aren’t, you have a huge leg up. With all these data breaches, and credential phishing, it’s critical that merchants are protecting their customer’s accounts. Of course, merchants don’t want to do this at the cost of friction – for instance requiring every customer to go through TFA every time they try to login. The key is selective friction; requesting identity verification in cases of elevated risk. When a user tries to log in to their account, all data about their device, location, and so on, should be cross-checked against their previous site behavior. Only when something is anomalous should friction be introduced.
Where can we learn more?
Riskified conducted a survey of 4,000 customers, and 425 merchants to get their views on account security. You can read all of our findings, and learn about how to protect your store here.