Retailers, like many other businesses, have probably had their fill of fraud attempts. Unfortunately, criminals have not. Between May 1 and Dec. 31, 2018, Akamai Technologies detected more than 10 billion credential-stuffing attacks aimed at retailers, accounting for more than a third of all such attempts—28 billion—in that period.
In the Web-services provider’s most recent “State of the Internet Security” report released Wednesday, Akamai says criminals like credential stuffing because it’s a numbers game. It’s an integral element in taking over a legitimate account to appear as the bona fide customer, thus skirting anti-fraud measures. In credential stuffing, criminals pull data from a database containing valid passwords and user names and attempt to get into a consumer’s online accounts, without much operator action.
“[Criminals are] counting on the fact that people recycle their passwords across a number of different accounts,” the report says. “When this happens, a compromised set of credentials from one Web site quickly translates into dozens of others.”
While retail was the top target, other sectors were not without peril. Akamai detected more than 8.1 billion attacks on the video-media segment and its almost 3.5 billion media-and-entertainment clients.
Other top targets were manufacturing at 1.3 billion; financial services and hotel and travel at 1 billion each; and social media at 960 million.
Why is retail number one? “Criminals will always take an interest in finding ways to target commerce,” Steve Ragan Akamai security researcher, tells Digital Transactions News in an email. “That’s where the money is. Some steal outright, others are looking to get an edge in the resale markets, and others still are just harvesting information to package and sell. These frameworks, while they will help retailers and financial stakeholders better protect their assets, aren’t going to stop crooks and scammers. Criminals are going to [commit] crime no matter what.” Frameworks are efforts, such as 3-D Secure, to mitigate fraud.
Many of these attacks are managed by bots that can function without operator action other than activation. Akamai says the bots often associated with credential stuffing and purchase, especially for the retail industry, are called all-on-one bots. “These bots are a multi-function tool that enables quick purchases by leveraging a number of evasion techniques and can target more than 120 retailers online,” the report says. “It isn’t uncommon to see an [all-in-one bot] sold and designed with a specific retail outlet in mind, either.”
Ragan says most all-in-one bot attacks “center on the authentication and checkout process, so anything that relies on the consumer to provide data to say, ‘Trust me, I’m real, please let me purchase this highly discounted item,’ is where I see the problems coming from.
“[All-in-one bot] operators can provide all the information needed to pose as an existing or valid consumer. But that risk score, combined with bot detection, that is where I see the win for retailers. The problem is, the people developing [all-in-one bots], they spend a lot of time doing [research and development], so they will immediately focus on the checkout process, and it’s a safe bet they’ll find something to help with evasion and avoidance techniques. This is why it is important to remember that no framework or single security solution is a silver bullet.”
As for where the targets are located, the United States is number one with 22.5 billion credential-stuffing attacks, followed by China, 2 billion; India, 1.2 billion; Germany, 792 million; and Canada, 400 million.