Overcoming credential stuffing for online retailers
Published 24 November 2020
In recent years we have seen serious cyberattacks on retailers and e-commerce providers like Lazada, RedMart, Eatigo, Bigbasket, and Adidas.
These attacks can cause disastrous reputational and monetary damage as a result of cybercriminals gaining access to valuable customer information.
According to Shape Security (part of F5), over 90% of the customers who log on to an e-commerce site are automated bots fraudulently gaining access to inventory information, pricing, and user accounts using breached username and password data.
This is commonly known as credential stuffing, and it is the single largest source of account takeover and automated fraud. The credentials it relies on come from misconfigured databases or servers, malware or phishing attacks, forums where software vulnerabilities are traded, and data from previous breaches at unrelated companies that criminals then test against your site.
“The problem was with other websites. Our customers reuse the same passwords across multiple sites. When other sites get breached, fraudsters use those spilled credentials to hijack my customers’ accounts,” said one Fortune 100 retailer’s Chief Information Security Officer.
This form of attack can cost the retail industry more than US$16 million every day through hijackers monetising stolen merchandise and whole accounts, committing return fraud, and exploiting saved credit cards or gift cards.
Online retailers expose themselves to credential stuffing when they design a smooth user experience for customers at the expense of security measures that could lead to customers abandoning their cart.
We could see even more of these attacks happen, especially as credential stuffers hide their activity during popular sales like Singles Day, Black Friday and Cyber Monday when web traffic for retailers increases significantly.
“With Singles Day upon us, Black Friday and Cyber Monday around the corner, and Christmas fast approaching, now is the perfect time for credential stuffers to target retailers. You need to protect your business now before it is too late,” said Shahnawaz Backer, the Principal Security Advisor at F5.
Identifying credential stuffing
One common trait of credential stuffing is that the attackers can go unnoticed by replicating the actions of a real user, which makes the technique highly scalable and efficient for the threat actor.
But with the right monitoring and detection solution, an organisation can identify credential stuffing attacks by pinpointing large volumes of traffic reaching the site from automated sources, a high volume of attempted logins, low login success rates from specific IP addresses, and a lack of keystrokes and mouse movements from users.
Such attacks can damage a business by placing heavy load and cost on infrastructure, which is becoming increasingly pertinent with the rising profile of data centers. Customers can also suffer from slower login times, affecting user experience and potential revenue, while marketing teams can waste marketing spend if they act on analytics trends that do not represent actual users.
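The signals listed above (a high volume of login attempts, a low success rate per source address, and many different usernames tried from one source) can be turned into a simple detector run over authentication logs. The following is an added example, not code from the article or from Shape Security/F5; the log format, field names, thresholds and the sample log lines are assumptions constructed for illustration, and a production system would compute the same statistics over a sliding time window rather than a whole file.

```python
"""Score login sources for credential-stuffing signals.

Added example (not the article's or Shape/F5's code). Assumes an
authentication log with one event per line in the constructed format:
    <ISO-8601 timestamp> <source IP> <username> <OK|FAIL>
"""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, Iterable, List, Set

# Constructed sample log: one source trying a list of different accounts with
# almost no success, a legitimate user who mistyped once, and a clean login.
SAMPLE_LOG = """\
2020-11-24T10:00:01Z 203.0.113.7 user01 FAIL
2020-11-24T10:00:01Z 203.0.113.7 user02 FAIL
2020-11-24T10:00:02Z 203.0.113.7 user03 FAIL
2020-11-24T10:00:02Z 203.0.113.7 user04 FAIL
2020-11-24T10:00:03Z 203.0.113.7 user05 FAIL
2020-11-24T10:00:03Z 203.0.113.7 user06 FAIL
2020-11-24T10:00:04Z 203.0.113.7 user07 OK
2020-11-24T10:00:04Z 203.0.113.7 user08 FAIL
2020-11-24T10:00:05Z 203.0.113.7 user09 FAIL
2020-11-24T10:00:05Z 203.0.113.7 user10 FAIL
2020-11-24T10:00:06Z 203.0.113.7 user11 FAIL
2020-11-24T10:00:06Z 203.0.113.7 user12 FAIL
2020-11-24T10:01:10Z 198.51.100.5 alice FAIL
2020-11-24T10:01:25Z 198.51.100.5 alice OK
2020-11-24T10:07:40Z 198.51.100.5 alice OK
2020-11-24T10:02:00Z 192.0.2.9 carol OK
"""


@dataclass
class LoginEvent:
    ts: datetime
    ip: str
    user: str
    success: bool


@dataclass
class IpStats:
    attempts: int = 0
    successes: int = 0
    users: Set[str] = field(default_factory=set)

    @property
    def success_rate(self) -> float:
        return self.successes / self.attempts if self.attempts else 0.0


def parse_line(line: str) -> LoginEvent:
    """Parse one log line in the assumed format into a LoginEvent."""
    ts, ip, user, outcome = line.split()
    return LoginEvent(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, outcome == "OK")


def summarize(lines: Iterable[str]) -> Dict[str, IpStats]:
    """Aggregate attempts, successes and distinct usernames per source IP."""
    stats: Dict[str, IpStats] = defaultdict(IpStats)
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        ev = parse_line(line)
        s = stats[ev.ip]
        s.attempts += 1
        s.successes += int(ev.success)
        s.users.add(ev.user)
    return dict(stats)


def flag_sources(stats: Dict[str, IpStats], min_attempts: int = 10,
                 max_success_rate: float = 0.2, min_distinct_users: int = 8) -> List[str]:
    """Return source IPs that match all three per-source signals.

    Thresholds are assumed starting points; tune them against real traffic.
    """
    return sorted(
        ip for ip, s in stats.items()
        if s.attempts >= min_attempts
        and s.success_rate <= max_success_rate
        and len(s.users) >= min_distinct_users
    )


def site_success_rate(stats: Dict[str, IpStats]) -> float:
    """Overall login success rate across all sources.

    A sharp drop against the site's normal baseline is the signal that
    survives when an attack is spread across many source addresses, where
    no single IP crosses the per-source thresholds.
    """
    attempts = sum(s.attempts for s in stats.values())
    successes = sum(s.successes for s in stats.values())
    return successes / attempts if attempts else 0.0


if __name__ == "__main__":
    per_ip = summarize(SAMPLE_LOG.splitlines())
    for ip, s in per_ip.items():
        print(f"{ip:14} attempts={s.attempts:3} success_rate={s.success_rate:.2f} users={len(s.users)}")
    print("flagged sources:", flag_sources(per_ip))
    print(f"site-wide success rate: {site_success_rate(per_ip):.2f}")
```

The per-source check catches the simple case in the sample; the site-wide rate is included because, as the article notes later, stuffing campaigns are increasingly run from highly distributed infrastructure, and the only aggregate that reliably shifts in that case is the overall success rate compared with the site's normal baseline.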
Once identified, IT teams can begin blocking automated traffic to overcome credential stuffing.
Overcoming credential stuffing
There is no easy way to prevent credential stuffing, as there are no simple patches or updates you can make to your software.
Some suggest replacing passwords with different authentication systems, such as CAPTCHAs and two-factor authentication, but retailers loathe these solutions because they could lead to poor user experience and loss of potential revenue.
With the growing ubiquity of biometric authentication like fingerprints and facial recognition on mobile devices, retailers could use this to replace passwords, but cybercriminals have already found ways to produce false fingerprints from high-resolution images. As for facial recognition, we are already seeing convincing deepfakes built with machine learning and AI fool consumers, which cyberattackers could easily turn to credential stuffing if the value is there.
These attacks are also becoming increasingly sophisticated, as highly distributed infrastructures become more common and mobile sites offer omnichannel attack points along with traditional websites.
So how can we overcome credential stuffing if there are no simple solutions?
Organisations must work with specialists who have the tools and the knowledge to fight back against credential stuffing.
Shape Security has a number of tools used by some of the biggest retailers in the world to put a stop to credential stuffing.
Shape worked with a Fortune 500 retailer to identify more than 15.5 million account login attempts over a four month period and found over 500,000 accounts were on the spilled credentials list by tracking credentials that are actively exploited across their network.
As a result, the retailer saw two major automated attacks during Cyber Monday sales, with over 20,000 login attempts on their traditional web application as well as their mobile API.
Once Shape turned on blocking mode, the retailer saw a marked decrease in attacks until the credential stuffer gave up. Since then, the retailer eliminated tens of millions of dollars in fraudulent transactions and chargeback fees.
“The Shape team worked with my team to go live in two weeks from start to finish. Unlike traditional security solutions, we don’t need more training or headcount to get value out of Shape’s solution. They’ve completely blocked the attackers without inconveniencing my users or imposing on my team,” said the CISO of the Fortune 500 retailer.
Not only that, but Shape protects 40 million end-users in the retail industry and secures almost 800 million transactions every week for retailers.
By Stuart Crowley, Editor, W.Media