Rarely does a month go by without news of another large data breach at some company, organization or government entity. Recently, there was a massive breach of a database at marketing firm Exactis that contained 340 million records of personal information on American adults and businesses, and a breach of 27 million records at concert and sporting event ticketing site TicketFly. Ninety-two million users of online genealogy platform MyHeritage were breached, and untold numbers of Adidas customers in the U.S. were compromised. We are well into the billions of breached accounts globally.
At the same time, we have seen marked increases in the volume of bot-driven attacks. In Q1 2018, LexisNexis ThreatMetrix detected 210 million attacks, a 62% increase over last year. The most rapid growth of attacks was on the e-commerce industry. In fact, e-commerce transactions are now more than 10 times more likely to be fraudulent than transactions in financial services.
Botnet operators use automated tools and a botnet of compromised PCs, smartphones or IoT devices to test password and user credential pairs across thousands of sites. Once they find a match, they seek to log in to numerous other sites using that proven username/password combo. When successful, they take over the account and use it to make unauthorized purchases, which are resold for profit. Called “account takeover” or “credential stuffing,” this is the fastest-growing type of bot-driven attack.
So is this massive growth of the target pool of purloined user information stoking the growth of bot-driven attacks on websites? The answer is, almost certainly, yes. In my firm's observations, based on data collected from billions of daily requests we protect for some of the world's largest websites, we see a steady and alarming increase in credential-stuffing attacks, growing in complexity and sophistication. In fact, the sheer size of the supply of stolen user information is radically changing the cybercrime landscape, causing major spikes in multiple types of online fraud and also shifting the nexus of fraud more heavily toward e-commerce companies.
Here’s why: The vast majority of people who use the internet to shop, purchase travel or send email reuse the same passwords across multiple sites. At the same time, the growing pool of stolen credentials fed by unending data breaches gives cybercriminals a far greater supply of ammunition to try to break into existing valid accounts. This availability has pushed the success rates of fraudsters to all-time highs and attracted more professional fraud rings.
Those rings, in turn, are building increasingly sophisticated botnets and rapidly upgrading bots and scripting tools to better evade existing security technologies. And it’s become a fast-growing, multibillion-dollar business. Businesses lost $5.1 billion in 2017 alone from account-takeover attacks.
The Problem Of Password Promiscuity
How bad is the password promiscuity problem? The estimates of its prevalence vary. In a recent survey by LogMeIn, 59% of respondents reused passwords. This means that if a hacker can validate a single password and username or email combo on one site, chances are it will work on multiple other sites. The average user today, according to one survey, has 27 password-protected accounts — and many of those likely have credit card information associated, allowing for purchases of goods and services.
This is far too many passwords for a mere mortal to remember. Despite this reality, only 17% say they use some form of secure digital password manager (most people use lists on paper, which is frightening). And that’s only some of the time. Only 7% of people solely store their passwords in that manner, according to Pew.
At the same time, online merchants have been reluctant to put in place stronger security requirements such as two-factor authentication (2FA) that would stop account-takeover attacks. Retailers fear adding friction will cause shoppers to abandon transactions. Banks, on the other hand, have more aggressively adopted 2FA requirements — and they can, because bank accounts are sticky and indicate regular dedicated activity. Online merchants must fight for each customer every time that customer lands on the site.
There are also clear indications that the darknet is growing more organized, making it more dangerous. In December 2017, researchers at 4iQ found the most extensive and advanced database yet to be discovered holding 1.4 billion email and password combinations. The passwords were in plain text. The cybercriminals had already completed the hard work of decrypting the breached information. The database was not from a single breach but was actually a merged and cleaned compilation from breaches including Netflix, LinkedIn, MySpace and more.
In our own observations of attacks on sites we protect, we are seeing a much higher success rate of account-takeover attempts: Average success rates range from 0.5% to 1% with a peak of 8%. This may not sound like much, but it’s a shockingly high amount considering that most account takeover attacks involve hundreds of thousands or millions of attempts per day.
Security roadblocks such as CAPTCHAs are no longer effective in winnowing out bots. That’s because the savvy botnet operators now direct CAPTCHA pages to human labor farms, where the cost is less than a dollar to solve 1,000 CAPTCHA challenges in real time. The farms are another outgrowth of the massive spike in breaches, fueled by the growth in credential stuffing attacks.
The vicious cycle of more breaches fueling a more professional and dangerous cyberfraud ecosystem peopled by professional fraudsters shows no signs of abating. This year will likely break new records for both breaches and account takeovers. With 20 billion IoT devices expected to be online by 2020, every single online retailer will likely be a victim of multiple account-takeover attempts in the coming year as botpocalypse becomes a part of doing business on the modern internet.
What does all that mean for you? If you are running a website or large application, you are likely already a target for these kinds of attacks. Look for signs of bot attacks, and be proactive in monitoring for potential breaches, which can be indicated by an increase in failed login attempts on your web or mobile APIs. You should also assess the potential damage and how such a breach will impact your business (reputation, liability and financial damages) and decide if you need a dedicated bot protection solution to help you mitigate this risk.
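One way to watch for the failed-login increase described above, as an added example that is not part of the original article: it buckets login events into five-minute windows and flags a window when failures spike above the median and are spread across many distinct usernames. The event tuple layout, the thresholds, the function names and the sample log are assumptions constructed for illustration.

```python
from collections import defaultdict
from statistics import median

def window_stats(events, window_s=300):
    """Bucket (epoch_s, ip, username, ok) login events into fixed windows."""
    buckets = defaultdict(lambda: {"fail": 0, "ok": 0, "users": set(), "ips": set()})
    for ts, ip, user, ok in events:
        b = buckets[ts - ts % window_s]
        b["ok" if ok else "fail"] += 1
        if not ok:  # track how widely the failures are spread
            b["users"].add(user)
            b["ips"].add(ip)
    return dict(sorted(buckets.items()))

def flag_stuffing(events, window_s=300, spike_factor=5, min_fail=50, min_user_ratio=0.8):
    """Return start times of windows whose failed logins look like credential stuffing.

    Assumed heuristic: failures exceed spike_factor x the median window (and
    min_fail), and nearly every failure hits a different username, because
    stuffing tests each stolen pair once rather than hammering one account.
    """
    stats = window_stats(events, window_s)
    if not stats:  # no events, nothing to flag
        return []
    baseline = median(s["fail"] for s in stats.values()) or 1
    flagged = []
    for start, s in stats.items():
        if s["fail"] < max(min_fail, spike_factor * baseline):
            continue
        if len(s["users"]) / s["fail"] >= min_user_ratio:
            flagged.append(start)
    return flagged

def sample_events():
    """Constructed sample log: quiet traffic, one stuffing burst, one single-account burst."""
    ev = []
    for w in range(6):  # six quiet windows: 40 good logins, 3 mistyped passwords
        ev += [(w * 300 + i, "198.51.100.7", f"user{i}", True) for i in range(40)]
        ev += [(w * 300 + 50 + i, "198.51.100.8", f"typo{i}", False) for i in range(3)]
    for i in range(400):  # window 1800: 400 pairs over 200 IPs, 2 hits (0.5%)
        ev.append((1800 + i % 300, f"203.0.113.{i % 200}", f"victim{i}", i in (10, 250)))
    # window 2100: 100 failures against one account, not the stuffing pattern
    ev += [(2100 + i, "192.0.2.9", "admin", False) for i in range(100)]
    return ev

if __name__ == "__main__":
    for start in flag_stuffing(sample_events()):
        s = window_stats(sample_events())[start]
        print(start, s["fail"], "failures,", len(s["users"]), "usernames,", len(s["ips"]), "IPs")
```

Because the burst is spread over 200 source addresses, a per-IP failure limit alone would see only about two failures per address; the site-wide window is what exposes it.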