Balancing Fraud Prevention and User Friction at Shippo

Account Takeover

Account Takeover (ATO) attacks happen when a bad actor gains access to a user’s account. We see ATO attacks often with users who have been dormant for a long period of time. After that, they start exhibiting erratic behavior, such as making many purchases in a short period of time. ATOs present an interesting challenge because password security and management across the web is difficult for most users. I know that I am guilty of sharing passwords across many sites — a security breach on any of them could expose my other accounts to a potential ATO attack. Identifying ATO attacks within a large user base is extremely challenging. We currently integrate with a third party service that trains a ML model with our user data to help spot anomalies. If the model flags a user, we place purchase restrictions on that account until they complete identity verification. Often times, a challenge can cause a good user to abandon the service. In these cases it is very difficult to reconcile whether the lost revenue from that user was worth the potential for fraud loss if it was indeed an account takeover.

Born Bad

Fraud System: Past and Future

Now that we have an idea of what types of fraud we face, let’s talk about what it looks like in Shippo’s system. As our system has evolved we have added fraud logic at different touch points throughout our application. This decentralization makes it difficult to make changes and to update vendor integrations. Take a look at the diagram below as a simplified example of our system.

Fraud Integrated Throughout Shippo Ecosystem
  1. Centralized fraud logic will make changes easier to manage
  2. An internal event store will allow us to make better decisions and not have reliance on third-parties for our user data
  3. Abstract vendor specific code from our base applications, will make our system less reliant on a particular vendor
Centralized Internal Fraud Service

Wrap Up

Sometimes it can feel like a tightrope when walking the balance between fraud prevention and user experience. But who doesn’t love going to the circus! At Shippo, we know We Haven’t Won Yet, and we are waking up each day ready to face whatever new challenges may arise. If you want to join the good fight check out our jobs page!



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store