According to a recent report by the Identity Theft Resource Center, there was a 68% increase in data breaches in 2021 compared to 2020, making last year the year with the highest number of data breaches ever reported. Since much of this compromised data includes email and password combinations, cybercriminals have been handed even more material for account takeover (ATO) attacks.
ATOs occur when a cybercriminal steals login credentials to perform identity theft and fraud. Attackers typically purchase a list of credentials from the dark web and launch an army of bots at popular websites to test username and password combinations during login attempts.
Once the bot has identified valid credentials, the attacker accesses the online accounts to steal personal or financial information, withdraw cash, redeem loyalty points, open new lines of credit, make purchases, or resell the validated credentials to other attackers for further exploitation.
With 65% of people reusing the same password, or a variation of it, across multiple accounts, cybercriminals can often use one validated set of credentials to gain access to other sites. This means that once attackers identify a valid combination, they can step up their efforts, target other sites and generate even more illegal revenue.
ATOs have traditionally been more focused on financial services organizations, but as more people have turned to online shopping throughout the pandemic, this has put retailers firmly at the top of the hacker list.
An increase in ATO attacks on retailers
Over the past two years, ATO fraud has increased dramatically, driven by cheap stolen user data on the dark web and cheap bots for hire. This has led to a significant increase in attacks targeting retailers: PerimeterX Research found that in the last seven months of 2020, on average, more than 75% of all login attempts to e-commerce sites were ATO attempts. To put this number into perspective, during Cyber 5 2021 PerimeterX prevented over $1.5 billion in attempted fraudulent purchases, showing just how much businesses stand to lose from ATO attacks.
Today, thanks to the proliferation of these bot-for-hire services, ATO attacks have never been easier or cheaper to perform. Rather than manually verifying credentials on sites, attackers deploy bots to automate the process, resulting in a much faster success rate. It also makes ATOs much harder to detect, because bots often mimic user behavior. Without the proper tools, a retailer that suspects bot traffic risks blocking legitimate traffic or degrading the customer experience.
These attacks pose a major threat to retailers and consumers alike, with research also revealing that 22% of American adults (24 million households) have been victims of account takeover. Retailers also stand to lose billions from chargebacks or lost merchandise, as well as significant brand damage from negative media coverage and criticism from customers who experience identity fraud as a result of ATOs.
Given the risks of ATOs, it is paramount for retailers to disrupt the Web Attack Lifecycle, which describes the cyclical and continuous nature of cyberattacks involving the theft, validation and fraudulent use of identity and account information. Protecting users’ account and identity information throughout their digital journey is absolutely critical.
To protect against and mitigate ATOs, here are some steps to consider:
1. See yourself as a target.
Too often, retailers don’t see themselves as a target, but this puts them at increased risk. Never think that you are too small or too unknown to be hit by attackers, as this makes you more vulnerable. Instead, consider yourself a target, prepare for attacks, and never let your security guard down.
2. Deploy firewalls (WAF or ADC).
Firewalls allow retailers to block incoming traffic to specific ports and to add signatures for specific types of attacks or exploits. Putting a Web Application Firewall (WAF) in front of your application is table stakes. Often, WAFs are included in Application Delivery Controllers (ADCs). All major cloud providers offer WAFs and ADCs as a service.
3. Threat Intelligence Platform and Subscription.
Deploying a firewall alone is not enough, as attacks are constantly evolving. Therefore, having an active threat intelligence platform and a live threat feed allows retailers to keep pace with ever-changing attacker techniques.
4. Detection and analysis of volumetric traffic.
This approach lets web security teams profile their web traffic and spot spikes that may be caused by bots. If usage increases during normally off-peak hours, this could be a signal of an ATO attack. Likewise, abrupt changes in shopping behavior, transfers of loyalty points, or mass password resets are all signals that should prompt further analysis and tougher challenges for suspicious requests and users.
5. Machine learning pattern recognition and behavioral analysis.
The most advanced security tools retailers can deploy to stop ATOs rely on machine learning to distinguish bots from real user activity. These solutions identify the most sophisticated bot techniques and block automated web attacks. Using machine learning models and behavioral and predictive analytics, they have the sensitivity to see traffic patterns and can quickly detect and mitigate modern ATO attacks. This should be a priority for all retailers concerned about ATOs.
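The signals listed under step 4 (off-peak spikes, unusual login volume, mass password resets) as detection logic run over login-event log lines. This is an added example, not PerimeterX's code; the log format, the thresholds, the off-peak window and the sample lines are all constructed assumptions.

```python
from collections import defaultdict
from statistics import median
# Constructed sample: quiet daytime hours, then failed logins and resets at 03:00.
SAMPLE_LOG = """\
2021-11-26T14:00:05 login 203.0.113.10 ok
2021-11-26T15:02:00 login 203.0.113.13 ok
2021-11-27T03:00:01 login 198.51.100.7 fail
2021-11-27T03:00:02 login 198.51.100.8 fail
2021-11-27T03:00:03 login 198.51.100.10 ok
2021-11-27T03:00:04 login 198.51.100.11 fail
2021-11-27T03:00:05 login 198.51.100.12 fail
2021-11-27T03:01:10 password_reset 198.51.100.10 ok
2021-11-27T03:01:12 password_reset 198.51.100.14 ok
2021-11-27T03:01:15 password_reset 198.51.100.15 ok
"""

def hourly_counts(log_text):
    """Count logins, failed logins and password resets per hour bucket."""
    counts = defaultdict(lambda: {"logins": 0, "fails": 0, "resets": 0})
    for line in log_text.splitlines():
        ts, event, _ip, result = line.split()   # assumed format: ts event ip result
        bucket = counts[ts[:13]]  # "YYYY-MM-DDTHH"
        if event == "login":
            bucket["logins"] += 1
            bucket["fails"] += int(result == "fail")
        elif event == "password_reset":
            bucket["resets"] += 1
    return counts

def detect_anomalies(log_text, off_peak=range(0, 6), spike_factor=3.0,
                     min_attempts=5, fail_ratio=0.6, reset_threshold=3):
    """Return {hour: [reasons]} for hours that warrant further analysis."""
    counts = hourly_counts(log_text)
    # Median hourly login volume as baseline: unlike a mean, the attack hour cannot drag it up.
    baseline = median(c["logins"] for c in counts.values())
    findings = {}
    for hour, c in sorted(counts.items()):
        n, reasons = c["logins"], []
        if n >= min_attempts and n > spike_factor * baseline:
            reasons.append("login spike")
        if n >= min_attempts and int(hour[11:13]) in off_peak:
            reasons.append("off-peak volume")
        if n and c["fails"] / n >= fail_ratio:
            reasons.append("high failure ratio")
        if c["resets"] >= reset_threshold:
            reasons.append("mass password resets")
        if reasons:
            findings[hour] = reasons
    return findings
```

The `min_attempts` floor keeps a single 3 a.m. login from being flagged; the flagged hour is what should receive the tougher challenges the step describes, not an outright block.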
As more and more households turn to the digital world as their primary way of interacting with brands and purchasing products, cybersecurity must become inherent to e-commerce websites. ATO attacks let cybercriminals cause damage and steal money from both the customer and the retailer. Protecting against these attacks by disrupting the web attack lifecycle and implementing the right solutions should be a top priority for all e-commerce sites today.
Tony Klor is a security evangelist at PerimeterX, a leading provider of solutions that detect and stop misuse of identity and account information on the web. Prior to joining PerimeterX, he held roles at TypingDNA and mobile analytics company Appsee, which was later acquired by ServiceNow. Klor holds a bachelor’s degree in business management, with a major in entrepreneurship, from the University of South Carolina.