MercadoLibre protects 90% of sellers with Twilio authentication solutions

User with a plus sign


registered users

Twilio Lookup logo

4K product

searches per second

Dollar currency symbol

7 sales

per second

While English speakers equate online shopping with Amazon or eBay, those two e-commerce destinations aren't on top of the list for Latin Americans. MercadoLibre, Spanish for 'free market,' is the largest e-commerce player in the region. And with 4,000 product searches and seven sales per second, they’ve got a loyal and active following.

Things have paid off in a big way. With 190 million registered users, and 85 million products published daily, MercadoLibre’s growth has gone through the roof.

Recognizing When Customers Need Security

In May 2017, MercadoLibre reached a milestone of having 1 million products sold in a single day.
That level of activity allows MercadoLibre the opportunity to learn a great deal about their buyers and sellers, including the fact that a many MercadoLibre users are not particularly tech savvy, don’t know much about online security, or may not be aware of the potential criminality (hackers, identity theft, etc.) that exists online. This is especially important to the many Latin American businesses who sell via MercadoLibre and rely on the security of the platform. For over 400,000 merchants, MercadoLibre is their main, or only, ‘storefront.’

Because of their user’s general lack of familiarity with online security, MercadoLibre could not go full steam ahead with the usual methods of account protection. “We knew our users needed a way to buy and sell that presented as little friction as possible,“ explained Pablo Abad, MercadoLibre’s Head of Site Security, “so we had to provide a strong safety net that was virtually invisible to the user.”

In their discovery process, Abad and team came to understand that they had many different segments of users: “On one end of the spectrum there are casual buyers who don’t see security as a necessity. Next up are the users who want protection but don’t want any inconvenience. Then there are sellers managing lots of high-value transactions and who are willing to do what it takes to receive very high security.”

“For those power-sellers,” concluded Abad, “we felt that having the common security baseline of validating through email was simply not enough.”

Payments & Shipping Require Security Too

The company was also motivated by their own success. As the popularity of the marketplace grew, MercadoLibre created an ecosystem of services to better support online transactions. One of these, MercadoPago, uses technology to improve the way people pay for, and receive payments for, goods delivered through the marketplace.

“Basically, MercadoPago plays a role for MercadoLibre similar to what PayPal used to do for eBay,” explains Abad. As more and more money was deposited in escrow in MercadoPago, the company decided to step-up security to safeguard against fraud prevention. Meanwhile, MercadoEnvios, a shipping service, furthered the need for an integrated suite of security solutions designed to reduce transactional friction among marketplace participants.

Layered on top of this are compliance issues. Being a public company that stores customer data in the cloud, MercadoLibre was cognizant of being SOX compliant. And since MercadoPago is a payment processor, they must also comply with PCI (Payment Card Industry) regulations. “Both of these compliance standards require us to raise the bar regarding the security we provide to our users,” added Abad.

Outlining A Cross-System Solution

Before honing in on an acceptable user verification solution, MercadoLibre evaluated building security in-house. They also looked at innovations in biometric technology, which were deemed too new or complex for their users.

“Another challenge is that MercadoLibre has a huge user base and no control of the kind of devices used to access the platform,” Abad acknowledged. “So we needed our solution to be as easy as possible and be compatible with any system or equipment.”

Having 30% of its workforce in the IT department, MercadoLibre knew what they wanted, and outlined blueprints of the optimum approach for verifying users. “We ended up choosing Twilio Phone Verification as it was nearly identical to our own plans,” said Abad, “but with Twilio, it was already built. That let us get to market faster, and protect our users even sooner than we could have if building our own solution.”

An Incremental Approach

With a relatively friction-free registration process, MercadoLibre gains extra information with subsequent actions, from sign-in to first purchase or sale. This allows a variety of security options: low-value transactions may have entry-level protection like username and password, while the stronger security of phone verification can be implemented to protect sales of a higher value, like appliances, jewelry, mobile phones, and automobiles.

Additionally, because they operate in multiple countries, MercadoLibre is regulated by varying laws overseeing how much user data is required to conduct online sales. For some operations that could be a challenging puzzle, but the company realized that their incremental approach to security is perfectly adaptable to meet each country’s needs.

Then there’s the question of whether or not to make security mandatory. “We strongly encourage our biggest sellers to enable 2FA, but it’s currently optional,” Abad explains before adding, “with exceptions.”

For example, as MercadoPago became more integrated into the transactional process, the company found themselves providing credit to sellers so they can replenish their stock while still selling, and providing cash advances to others. “For these types of financial movements, we mandate having a second-factor of security enrolled in, and enabled, beforehand.”

MercadoLibre also automatically initiates a phone verification event when witnessing suspicious or unusual transactions: either a user publishing something that is out of their normal value range or an account that abruptly changes its buying patterns. In cases like these, MercadoLibre brings the user through a screening process that includes account verification via phone.

Immediate Integration

“Integration was extremely fast,” laughed Abad, recalling that implementation with Twilio’s Phone Verification API took no more than ten days. “It was a nice surprise. We aren’t used to being able to integrate with a third-party so easily.”

“We usually decide what we want to do and then just start doing it,” he continued. “This time, we realized there was a solution that met all of our needs and was very easy to implement.”

There’s also the fact that DIY-systems come with inherent maintenance and customer support issues. “You know,” admitted Abad, “it gets to be a big nightmare when users do things like change phones or change phone numbers over and over. We like the fact that Twilio handles so much of the back-end issues that happen time and again.”

Security Improves Sales

For the nine million sellers and 27 million buyers using MercadoLibre’s platform every day, adoption of new security options is slow, but inroads are being made. For instance, over 95% of transactions currently go through MercadoPago, which, since providing better security, has impacted the typical sales profile in a really positive way.

Abad explains: “Before we launched MercadoPago, most items sold in the marketplace were used goods. Since shifting to a more secure marketplace, most goods sold are brand new and of a higher price point. Payment patterns have also changed, and since we guarantee returns and provide insurance against damaged goods, adoption of our security steps has increased significantly.”

“This was the first time we decided to buy a solution instead of building our own. Twilio met all our needs and was very easy to integrate.”

Pablo Abad Head of Site Security

Education & Adoption

The bigger challenge, Abad admitted, surrounds user communications. “Getting buyers and sellers to understand the benefits of security improvement—and to get them to enroll—is a constant challenge. But that is something we would have had to do regardless of the solution chosen.”

Currently, they promote security adoption in three ways.

  1. Marketing campaigns to that highlight the benefits of a secure marketplace.
  2. Direct outreach to power sellers to explain the advantages of seller protection.
  3. In-market cross-selling to remind non-adopters to upgrade.

Customer education remains a clear focus, as promotional results are mixed. “Over 90% of our top sellers are currently protected by 2FA,” Abad proudly reported, before clarifying “but less than 2% of our buyers are protected.”

What's Next For MercadoLibre?

In creating a superior and secure marketplace, MercadoLibre has earned one of the highest Net Promoter Scores (NPS) for customer experience and loyalty. And they rank as the undisputed e-commerce leader in the region. Amazon comes in second in select markets such as Mexico and Venezuela but doesn’t even rank among the most popular in many other Latin American countries.

However, as overall Internet and mobile usage continue to grow, competition is increasing. According to Abad, a more competitive environment will no doubt create the need for new ways to authenticate as buyers and sellers move through the different stages of usage.

“At this moment, over 50% of our daily active users are protected with a verified phone line. And over 62,000 of our biggest sellers protect their accounts with Twilio 2FA,” reported Abad, noting these figures are continually growing. “We’re working on a new model to empower each type of MercadoLibre user to self-select which level of security is best suited for their particular situation,” he added. “We’ll provide different options and focus on following the user experience over time to suggest and ramp up security when it makes sense.“

“It’s a complex undertaking,” he stated, “but knowing that Twilio is also thinking about these issues full-time allows us to simultaneously work on all the other aspects of building a better MercadoLibre.”

Ready to get started with Twilio?