Why the growth of e-commerce in 2026 depends on the invisibility of security

  • March 10, 2026
  • Fraud

Today's consumers research, compare, pay, and receive, constantly moving between physical and digital channels, covering categories that were previously exclusive to brick-and-mortar retail. With the consolidation of instant payment methods, such as Pix, the time interval between the intention to purchase and the completion of the transaction has been reduced to a few seconds.

This acceleration has improved efficiency and convenience, but it has drastically narrowed the window available for risk processing. Decision engines, such as anti-fraud models, must therefore be both faster and more sensitive, because the outcome of the transaction is often immediate and irreversible.

In practice, this scenario exposes a recurring operational dilemma: blocking too much increases false positives, frustration, and abandonment; blocking too little increases financial losses and reputational risk. 

Digital security, therefore, is no longer an isolated issue and now directly impacts customer experience, revenue, and trust—three key variables for sustainable growth in the sector.

This dilemma intensifies as the digital channel consolidates its dominance. Data from Serasa Experian (2026) indicates that Brazilian retailers recorded one attempted fraud every two minutes in 2025, representing a 4.1% increase over the previous year.

Similarly, Veriff's Identity Fraud Report 2026 warns that threats to digital businesses continue to grow, driven by the sophistication of attacks generated with automated tooling.

In Brazil, the situation is critical: a survey published by Inforchannel indicates that the use of deepfakes in fraud attempts grew by 126% in 2025, with the country accounting for 39% of such occurrences in Latin America.

Given this scenario, the central question is no longer "how to detect attack patterns" but how to configure the decision engine so that it applies statistical models in real time and enforces business rules without penalizing legitimate customers. It is this technical need that makes invisible security strategically relevant for e-commerce in 2026.


Security that is too visible has already begun to fail.


Digital security approaches in the customer journey

It is not always easy to decide how much control to apply at each point of the customer journey. 

Similar organizations adopt different approaches because they face different constraints: acceptable risk levels, regulatory requirements, analytical maturity, system automation capabilities, and tolerance for the impact of false positives. 

Within this scenario, two major approaches stand out: explicit security, based on visible controls, and invisible security, which operates silently in the background.


Explicit security (high friction) 

Explicit security is characterized by verification methods that are noticeable to the user. It involves the execution of visible protocols, such as two-factor authentication (2FA), document capture, facial biometrics (liveness check), SMS codes, or manual confirmations.

This type of approach is common in high-value transactions or operations with high reputational risk. In these scenarios, the priority is to ensure control and traceability.

The main benefit of explicit security is predictability. The rules are clear, the steps follow a linear flow, and decisions are often easier to explain and audit, which is essential in regulated environments.

The cost of this approach is reflected in the customer experience. The more steps and interruptions there are, the greater the chance of abandonment, lower conversion rates, and increased user frustration. 

When the decision engine applies the same verification parameters to everyone, it can classify legitimate users as suspicious, increasing acquisition costs and churn. The reason is that uniform parameters leave no room for segmentation: the engine applies a single cut-off to very different behaviors. A legitimate customer making an atypical purchase (a high-value order at an unusual hour, for instance) is scored on the same metrics as an automated attack, producing a false positive that drives churn.


Invisible security (low friction)

Invisible security operates differently. Instead of requiring manual input from the user, the system continuously scores risk using trained models that identify patterns of behavior and context, such as device telemetry, geolocation, time of day, and interaction history.

In this approach, technical rigor is maintained behind the scenes, without interrupting the flow of legitimate users. When the score produced by the model falls within the acceptance limits (the cut-offs defined in the decision engine), the transaction is released without friction.

This model is common in high-volume transactions, instant payments, and mobile interfaces, where latency or friction directly impacts conversion. 

The challenge lies in "silent blocking": decisions that, although based on accurate statistical correlations, can be difficult to audit and investigate, because doing so requires full visibility of the data and interpretability of the models.

This auditing difficulty arises because the model can identify technical signals, such as the use of a VPN or a sudden change in purchasing behavior, which are statistically correlated with risks but are also part of the routine of legitimate users. Without fine-tuning the cut-offs in the decision engine, the system ends up classifying these suitable customers within suspicion criteria.
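The two scoring functions below make the cut-off problem concrete. They are an added illustration, not 4kst's engine or code from the original article: both apply the same three signals (amount, hour, VPN use), the first with uniform parameters for every user and the second relative to each user's own purchase history. The users, histories, weights and the cut-off of 0.6 are all constructed assumptions.

```python
from dataclasses import dataclass
from statistics import mean, pstdev

CUTOFF = 0.6  # scores at or above this are blocked (assumed value)


@dataclass
class Tx:
    user: str
    amount: float
    hour: int      # local hour of day, 0-23
    vpn: bool
    legit: bool    # ground truth, used only to count false positives/negatives


# Constructed purchase histories. Alice habitually shops late, over a VPN,
# and occasionally spends a lot; Bob is a small daytime buyer who never uses a VPN.
HISTORY = {
    "alice": {"amounts": [40, 55, 60, 70, 900], "hours": [9, 12, 13, 20, 23], "vpn_rate": 0.8},
    "bob":   {"amounts": [20, 25, 30],          "hours": [18, 19, 19],        "vpn_rate": 0.0},
}

# Constructed transactions; the last one models an account takeover of Bob.
TXS = [
    Tx("alice", 850, 23, True,  legit=True),
    Tx("alice",  45, 12, True,  legit=True),
    Tx("bob",    22, 19, False, legit=True),
    Tx("bob",   850,  3, True,  legit=False),
]


def off_hours(hour):
    return hour < 6 or hour > 22


def uniform_score(tx):
    """Explicit-style rules: the same fixed thresholds for every user."""
    s = 0.0
    if tx.amount > 300:
        s += 0.4
    if off_hours(tx.hour):
        s += 0.3
    if tx.vpn:
        s += 0.3
    return s


def contextual_score(tx):
    """Same three signals, but each measured against the user's own history."""
    h = HISTORY.get(tx.user)
    if h is None:
        return uniform_score(tx)   # no history yet: fall back to global rules
    s = 0.0
    amt_mean = mean(h["amounts"])
    amt_sd = pstdev(h["amounts"]) or 1.0   # avoid division by zero for a flat history
    if (tx.amount - amt_mean) / amt_sd > 2:   # more than 2 SD above the user's norm
        s += 0.4
    if off_hours(tx.hour) and tx.hour not in h["hours"]:   # off-hours AND never seen before
        s += 0.3
    if tx.vpn and h["vpn_rate"] < 0.2:   # VPN is only unusual for a user who never uses one
        s += 0.3
    return s


def decide(score, cutoff=CUTOFF):
    return "block" if score >= cutoff else "allow"


def evaluate(scorer, txs=TXS, cutoff=CUTOFF):
    """Return (false positives, false negatives) of a scorer over the sample set."""
    fp = fn = 0
    for tx in txs:
        blocked = decide(scorer(tx), cutoff) == "block"
        if blocked and tx.legit:
            fp += 1
        if not blocked and not tx.legit:
            fn += 1
    return fp, fn


if __name__ == "__main__":
    for scorer in (uniform_score, contextual_score):
        fp, fn = evaluate(scorer)
        print(f"{scorer.__name__}: false positives={fp}, false negatives={fn}")
```

Under the uniform rules Alice's late-night, high-value, VPN purchase scores 1.0 and is blocked alongside the takeover attempt; the contextual scorer allows it with a score of 0 because every signal is normal for her, while Bob's takeover still scores 1.0. The same cut-off, applied to the same signals, produces one false positive in one case and none in the other; the difference is only whether the signals are read against the user's own baseline.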


Security as continuous assessment: The CARTA framework (Gartner)

The idea of alternating between explicit security and invisible security did not come about by chance. It was formalized by Gartner through the CARTA framework, which stands for Continuous Adaptive Risk and Trust Assessment. This model establishes continuous and adaptive risk and trust assessment as a replacement for static verification models.

The CARTA framework introduces a change in operational logic: instead of concentrating data processing at fixed, isolated points, such as login, registration, or checkout, risk is quantified statistically throughout the entire user journey.

In practice, this means that security no longer functions as a "gate" that simply allows or blocks access, but as a continuous stream of signal analysis. The system monitors telemetry and behavior during the session, processing variables such as:

  • browsing patterns;
  • technical context (device, network, geolocation);
  • interaction history;
  • statistical deviations from the norm.

Thus, the application of friction (explicit security) by the decision engine occurs only when the model identifies a relevant change in the risk score, requiring an additional layer of validation. Instead of systemic interruptions based on rigid rules, the system adjusts controls as behavioral data is processed.

This approach, however, requires maturity. It depends on consistent historical data, good visibility of the signals analyzed, and clear governance on how decisions are made, recorded, and audited. Without this, continuous assessment loses technical consistency, making it difficult to investigate automated decisions.

Therefore, what CARTA proposes does not eliminate the complexity of fraud prevention; it distributes that complexity strategically. Technological maturity lies in the ability to sustain a robust decision engine whose risk and trust criteria are technically aligned with the operational limits of the business.
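A minimal sketch of the continuous logic CARTA describes, added here as an example and not Gartner's or 4kst's code: trust is a running score over the session, every event adjusts it, and the explicit challenge is raised only when the score crosses a threshold. The trail it returns is also the record a governance process needs to explain each decision. The signal weights, thresholds and the two sessions are constructed assumptions.

```python
# Trust is tracked in integer points (0-100) so threshold comparisons stay exact.
STEP_UP_BELOW = 50   # under this, ask for explicit verification (2FA, liveness check)
BLOCK_BELOW = 20     # under this, deny without offering a challenge

# Assumed signal weights; a production engine would learn these from data.
SIGNALS = {
    "known_device": +30,
    "new_device": -30,
    "normal_browsing": +5,
    "ip_country_change": -40,        # network context changed mid-session
    "shipping_address_change": -20,
    "high_value": -20,
    "challenge_passed": +50,
    "challenge_failed": -50,
}


def classify(trust):
    if trust < BLOCK_BELOW:
        return "block"
    if trust < STEP_UP_BELOW:
        return "step_up"
    return "allow"


def run_session(events, start=50):
    """Process session events in order.

    Returns an audit trail of (event, trust after the event, decision):
    the record needed to explain afterwards why a given step was challenged.
    """
    trust = start
    trail = []
    for name, signals in events:
        for s in signals:
            trust = max(0, min(100, trust + SIGNALS[s]))
        trail.append((name, trust, classify(trust)))
    return trail


def friction_count(trail):
    """How many times the session was interrupted with an explicit challenge."""
    return sum(1 for _, _, d in trail if d == "step_up")


# Constructed session: a returning customer whose network changes mid-session
# and who then ships to a new address before a large checkout.
RETURNING_CUSTOMER = [
    ("login",    ["known_device"]),
    ("browse",   ["normal_browsing"]),
    ("browse",   ["normal_browsing"]),
    ("network",  ["ip_country_change"]),
    ("shipping", ["shipping_address_change"]),
    ("mfa",      ["challenge_passed"]),
    ("checkout", ["high_value"]),
]

# Constructed session: stolen credentials used from an unknown device.
CREDENTIAL_MISUSE = [
    ("login", ["new_device"]),
    ("mfa",   ["challenge_failed"]),
]

if __name__ == "__main__":
    for label, events in (("returning customer", RETURNING_CUSTOMER),
                          ("credential misuse", CREDENTIAL_MISUSE)):
        trail = run_session(events)
        print(label, "challenges:", friction_count(trail))
        for step in trail:
            print("  ", step)
```

A gate model with fixed checkpoints at login and checkout would challenge both sessions twice, regardless of what happened in between. Here the returning customer is challenged exactly once, at the shipping step where the accumulated signals (a country change followed by a new address) pushed trust to 30, and the trail records that reason; the stolen-credential session is challenged at login and blocked when the challenge fails.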


Fraud as an economic phenomenon: The view of Shuman Ghosemajumder

A more mature way of understanding invisible security is to view fraud as an economic phenomenon. From this perspective, attacks, defense mechanisms, and levels of friction are processed as variables of cost, incentive, and financial return.

For Shuman Ghosemajumder, former CTO of Shape Security and current CEO of Reken, trust and security are not permanent states but conditions that require continuous assessment based on observed behavior. As he summarized on the GenAI Security podcast, the technical premise is that full, static trust cannot be established in any entity; the viability of an interaction depends on uninterrupted analysis of behavioral data.

In practice, such a system does not operate on the question "who is this user?" but on "what are this user's current inputs, and what is the statistical probability that they are legitimate?". Trust, therefore, is a dynamic score, raised or lowered as the model processes new signals.

From this perspective, the strategic objective of security is not the total elimination of attacks, an unfeasible goal in large-scale digital environments, but to make fraud economically disadvantageous.

Every behavioral signal that is difficult to imitate, every element that introduces uncertainty into the flow of the attack, increases the computational and operational effort required to execute the attack. The higher this processing cost for the attacker, the lower the scalability of the fraud and, consequently, the lower the financial return from digital crime.

For legitimate users, the logic is reversed: the journey should be kept frictionless. It is this asymmetry that underpins resilient anti-fraud strategies:

  • Explicit controls: fixed flows and predictable challenges are easily mappable by scripts. Once the business rule has been identified, automation to mimic the required behavior becomes technically simple.
  • Behavioral and contextual signals: reduce predictability for the attacker. The need to constantly adapt scripts and tools increases the technical cost of fraud, making it unstable and difficult to scale.

Implementing this approach requires high sophistication: real-time data analysis, low latency, and high reliability. Invisible security does not eliminate the complexity of the problem; it shifts that complexity to the attacker's infrastructure, preserving the user experience.

This structural asymmetry between defense and offense is reinforced by the maxim Ghosemajumder invokes: the defense must be right every time, while the attack needs only one flaw in the system to succeed. Configuring the decision engine to make attacks financially unviable is therefore more effective than attempting total blocking through static rules.


Excessive friction does not increase security: Angela Sasse and security fatigue

A recurring mistake in anti-fraud architectures is the assumption that adding more steps and obstacles will result in increased security. Academic evidence indicates the opposite: increased friction imposed by the system correlates with an increase in risky behavior by users.

This aspect of security is explored in depth by Angela Sasse, professor at University College London and one of the world's leading experts on user-centered security. Her research shows that overly intrusive system configurations not only fail to increase protection, but often reduce the effectiveness of defense mechanisms.

In the paper "Users Are Not the Enemy", written with Anne Adams, Sasse argues that security failures stem predominantly from the design of processes and system architecture rather than from user intent.

According to the study, recurring violations do not occur because users act in bad faith or are negligent, but occur when the system ignores basic human limitations. Complex rules, unclear instructions, and excessive interruptions make usage difficult, tiring, and prone to errors.

The research highlights that when an interface is unclear the system becomes unusable in practice, and users start looking for ways around the barriers it imposes. The behavior this produces is what the field now calls security fatigue: users who are repeatedly subjected to friction, such as multiple authentications or challenges without context, tend to take shortcuts. These include reusing passwords across platforms, ignoring security alerts, paying less attention to risk signals, and making automatic decisions just to "move on."

A practical, everyday example of this scenario is interaction with the gov.br platform. To access different levels of services, the system requires constant transitions between trust levels (Bronze, Silver, and Gold), which demand various forms of authentication: passwords, facial recognition, integration with banks, and verification codes.

Although the system's goal is to increase technical rigor, the multiplicity of barriers within a single journey makes the process exhausting. This excess of authentication requirements wears down the user's attention and produces behaviors that compromise actual security.

In e-commerce and digital services, this effect is reflected in a decline in performance: users abandon the journey, fail to complete the purchase, or avoid returning. The erosion of trust occurs silently, without necessarily triggering alerts in traditional fraud models, but directly impacting conversion and brand reputation.

This evidence reinforces an important conclusion: whenever possible, security should operate invisibly. This is not an aesthetic choice, but a strategy to preserve the integrity of the journey. By reducing excessive friction, the decision engine minimizes the induction of risky behaviors and preserves the effectiveness of actual security, allowing the system to process data smoothly and accurately.


Security as a system property: Bruce Schneier

Bruce Schneier broadens the discussion on security by shifting the focus from "isolated technical resources" to the functioning of the system as a whole. In works such as Liars and Outliers, he argues that security is not something that can be added to a product or process in isolation; it emerges from the way people, rules, incentives, and technology interact over time.

For Schneier, trust is the most important protocol in any transaction. When users encounter unexplained blockages, excessive friction, or decisions that are difficult to understand, this protocol begins to fail. Even if fraud is reduced in specific cases, the system comes to be perceived as unpredictable, unfair, or hostile in its responses.

This effect is subtle but profound. As trust declines, user behavior changes: users tend to avoid digital channels, abandon journeys, or migrate to alternatives with less technical rigor. The result is a degradation of the system's legitimacy, a variable that fraud KPIs do not immediately capture but which compromises the long-term sustainability of the business.

In this context, invisible security acts as a mechanism for systemic resilience. By configuring the decision engine to reduce unnecessary friction and apply controls proportional to the statistical risk identified by the model, the system contributes to preserving transaction stability, an essential condition for the scale of any digital ecosystem.


Identity and behavioral biometrics: the contribution of Neil Costigan

When we talk about digital identity, most people think of passwords, codes sent by SMS, or, more recently, fingerprints and facial recognition. These methods generally answer two simple questions: what you know (a password) and what you are (a physical trait); an SMS code adds a third, what you have.

Neil Costigan, one of the leading authorities on behavioral biometrics, draws attention to the technical limitations of this approach. Passwords can be leaked, shared, or guessed. Physical biometrics, although more secure, are essentially static: once compromised, they cannot be "changed" like a password.

Behavioral biometrics, however, is based on how you interact. Instead of the system requiring additional user inputs, the model processes the telemetry generated during use of the service. Variables such as typing rhythm, navigation dynamics, screen gesture pressure, and micromotor patterns are converted into data vectors that form a behavioral signature.

Processing these signals offers two structural advantages for the system:

  1. Monitoring occurs throughout the session, without the need for interruptions in user data flow or extra validation steps.
  2. Behavioral patterns are highly contextual and present significant technical challenges when attempting to mimic them at scale, especially for automated scripts or attackers operating with captured credentials.

This type of behavioral analysis is especially valuable at origination (initial registration), the start of the customer relationship. At that point the decision engine has no transactional history from which to score past behavior. By processing how the interaction takes place in real time, and not just the data the applicant declares, behavioral biometrics reduces information asymmetry at this critical point in the journey and lets the system produce more accurate risk ratings from the first contact.
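To show what "converted into data vectors that form a behavioral signature" means in practice, here is an added example of one such signal, keystroke dynamics; it is not BehavioSec's, 4kst's or any vendor's method. A profile is enrolled from a few samples of the user typing a fixed phrase, where each sample is a vector of dwell times (how long each key is held) and flight times (the gap between keys) in milliseconds; a new sample is scored by its mean absolute z-score against that profile. All timing data is constructed, and the standard-deviation floor and acceptance threshold are assumed values.

```python
from statistics import mean, pstdev

# Minimum per-feature standard deviation (ms). Guards against a profile built
# from a few very consistent samples rejecting every future keystroke.
SD_FLOOR_MS = 5.0
ACCEPT_THRESHOLD = 2.0   # mean |z| above this: not the enrolled user (assumed)


def features(dwell_ms, flight_ms):
    """One typing sample: dwell times (key held) followed by flight times (gap between keys)."""
    return list(dwell_ms) + list(flight_ms)


def enroll(samples):
    """Build the behavioural profile: per-feature mean and spread over enrolment samples."""
    cols = list(zip(*samples))
    return {
        "mean": [mean(c) for c in cols],
        "sd": [max(pstdev(c), SD_FLOOR_MS) for c in cols],
        "samples": [list(s) for s in samples],
    }


def score(profile, probe):
    """Mean absolute z-score of the probe against the profile (lower = closer)."""
    return mean(abs(x - m) / s for x, m, s in zip(probe, profile["mean"], profile["sd"]))


def is_replay(profile, probe):
    """Human timing never repeats exactly; an identical vector means a recorded replay."""
    return list(probe) in profile["samples"]


def decide(profile, probe):
    if is_replay(profile, probe):
        return "reject-replay"
    return "accept" if score(profile, probe) < ACCEPT_THRESHOLD else "reject"


# Constructed enrolment: four samples of the same six-character phrase
# (6 dwell times, 5 flight times), with natural jitter between them.
ENROLMENT = [
    features([95, 110, 80, 120, 90, 100], [140, 210, 95, 180, 160]),
    features([100, 105, 85, 125, 88, 104], [150, 200, 100, 170, 165]),
    features([90, 115, 78, 118, 95, 98], [135, 220, 90, 190, 155]),
    features([97, 108, 82, 122, 92, 102], [145, 205, 98, 175, 162]),
]
PROFILE = enroll(ENROLMENT)

# Constructed probes.
GENUINE = features([96, 112, 79, 121, 91, 99], [142, 212, 94, 182, 158])   # same user, new session
BOT = features([10] * 6, [5] * 5)                                          # scripted input, uniform timing
IMPOSTOR = features([150, 160, 140, 170, 150, 155], [300, 320, 290, 310, 305])  # another human, same credentials
REPLAY = list(ENROLMENT[0])                                                # captured sample played back

if __name__ == "__main__":
    for label, probe in (("genuine", GENUINE), ("bot", BOT), ("impostor", IMPOSTOR), ("replay", REPLAY)):
        print(f"{label:9s} score={score(PROFILE, probe):6.2f} -> {decide(PROFILE, probe)}")
```

The genuine session lands well under the threshold even though none of its timings matches the enrolment exactly, while the scripted input and the impostor are many standard deviations away on every feature. The replay check covers the opposite failure: an attacker who captured one real sample and resends it gets a perfect match, which no human produces, so an exact repeat is treated as a stronger signal than a near one. This is the property the text describes as hard to mimic at scale: an attacker must reproduce a per-user distribution, not a single stored value.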


Final thoughts

Just like a city's road infrastructure, security in e-commerce is only noticed when it fails. When traffic lights work, streets are well signposted, and traffic flows smoothly, the system goes unnoticed, and people simply trust it and move forward. 

In digital commerce, the logic is the same. The security that underpins the growth of e-commerce in 2026 is not the kind that forces constant stops to prove legitimacy, but the kind that quietly organizes decisions, allowing the customer to continue their journey while risk is handled behind the scenes.


In the e-commerce game, the winner is whoever makes fraud difficult and the customer journey simple.



About 4kst 

4kst is a Brazilian DeepTech company born at PUCPR, a pioneer in the development of Adaptive AI. Through proprietary Data Stream Learning technology, we create predictive models that learn and update in real time. Unlike traditional Machine Learning, our solution eliminates performance degradation and reduces maintenance costs. Two-time winner of Febraban Tech and recognized by Finep, 4kst combines cutting-edge science and high performance to keep your company ahead in dynamic markets.
