Balancing Fraud Prevention and User Friction at Shippo

At Shippo, user experience is always a top priority. “Customers For the Win” is one of our guiding principles. As our user base has grown, we have been facing some tough questions on how to keep user friction low while protecting ourselves from fraudsters. The balance between fraud prevention and user friction is different at every company and it changes as companies grow. We recently introduced Two-Factor Authentication, and while some users will love the extra security, others will be upset about the extra steps between them and their shipping labels. Getting this balance right is crucial. If our fraud prevention methods are hindering a great user experience, then we risk losing a user. If the methods are too lenient, then we are opening ourselves up to an attack. I am going to break down ways we think about fraud at Shippo and tools we use in our fight.

Account Takeover

Account Takeover (ATO) attacks happen when a bad actor gains access to a user’s account. We see ATO attacks often with users who have been dormant for a long period of time. After that, they start exhibiting erratic behavior, such as making many purchases in a short period of time. ATOs present an interesting challenge because password security and management across the web is difficult for most users. I know that I am guilty of sharing passwords across many sites — a security breach on any of them could expose my other accounts to a potential ATO attack. Identifying ATO attacks within a large user base is extremely challenging. We currently integrate with a third party service that trains a ML model with our user data to help spot anomalies. If the model flags a user, we place purchase restrictions on that account until they complete identity verification. Often times, a challenge can cause a good user to abandon the service. In these cases it is very difficult to reconcile whether the lost revenue from that user was worth the potential for fraud loss if it was indeed an account takeover.

Born Bad

Born bad accounts are new accounts created specifically for fraud. We have hundreds of new users signing up for our service each day — too many to manually analyze for fraud risk. For this, we use a different third party fraud prevention service. We send events to this platform in coordination with certain user events. With these events, the service is able to assign our users a risk score which we take into account when allowing users to perform actions in our system. Users with the highest risk scores need to go through our identity verification process or face other account restrictions until we can have greater confidence in their validity. The platform is also interesting because it allows us to group users by different event data points including IP address location, shipping address similarities, and many more. These are very helpful in cracking down on coordinated fraud attacks.

Fraud System: Past and Future

Now that we have an idea of what types of fraud we face, let’s talk about what it looks like in Shippo’s system. As our system has evolved we have added fraud logic at different touch points throughout our application. This decentralization makes it difficult to make changes and to update vendor integrations. Take a look at the diagram below as a simplified example of our system.

The signals from our frontend include information about device fingerprints, IP addresses, and more. On our backend we send events when users do different things in our application. With this system we are reliant on our third party tools for analyzing these events and we have to balance decisions made by these tools with internal decisions made within our backend. We are phasing in a different system design seen below. The three main benefits of the new design are:

1. Centralized fraud logic will make changes easier to manage
2. An internal event store will allow us to make better decisions and not have reliance on third-parties for our user data
3. Abstract vendor specific code from our base applications, will make our system less reliant on a particular vendor

We continuously evaluate our third-party tools and this system will streamline the integration process if we decide to incorporate a new fraud service. Another benefit of the new system will be improved dashboards, we continually monitor dashboards that show us data relevant to identifying fraudulent users. We often use our third-party tools in conjunction with our dashboards to categorize transactions into different fraud risk levels. These dashboards give us a high level view of how we are doing day-to-day and allow us to share this information with different stakeholders in the company.

Bringing it back to balancing user friction, our previous system was not flexible enough to respond to changes in our user needs. If we introduced a new fraud prevention measure that caused issues with our users, we have to redeploy the entire Shippo backend — losing time and potentially users. With a distinct internal fraud service we are able to make quick deployments and have better A/B testing capabilities. Our internal fraud store allows us to make more responsible, data-driven decisions for our users.

Wrap Up

Sometimes it can feel like a tightrope when walking the balance between fraud prevention and user experience. But who doesn’t love going to the circus! At Shippo, we know We Haven’t Won Yet, and we are waking up each day ready to face whatever new challenges may arise. If you want to join the good fight check out our jobs page!