1. Data & Insights

How to Protect Your Site From Credential Stuffing Attacks

Written by Posted on Less than 0 min read

Credential stuffing attacks are a costly headache, with the Ponemon Institute finding that businesses lose an average of $6 million per year due to lost customers, increased IT costs, and other fallouts. The pervasive problem of password reuse fuels credential stuffing, and we can only expect these attacks to increase as more credentials are exposed in new breaches — and posted on the Dark Web in near real time for hackers to utilize in future campaigns.

Unpacking the Credential Stuffing Problem

Credential stuffing is hardly a new security concern — 10 billion events were recorded in the first three months of 2022. In 2023, high-profile brands such as 23andMe, UnitedHealthcare, PayPal, and Norton LifeLock were hit with credential stuffing attacks. And in March of this year, streaming company Roku disclosed a credential stuffing attack that affected more than 15,000 customers. Yet the problem persists, making it a matter of when, not if, a retailer will be victimized unless it strengthens the password layer.

Credential stuffing attacks are extremely popular because they enable threat actors to conduct a range of activities, including:

  • Account Takeover: Attackers can gain unauthorized access to user accounts and steal sensitive data, financial information, or initiate other actions that result in the exposure of personal identifiable information (PII).
  • Phishing and Social Engineering: Once accounts have been compromised, they can be utilized to launch phishing and social engineering attacks, which puts other accounts at additional risk. The rise of generative artificial intelligence is contributing to this issue, as threat actors are using these tools to craft more legitimate phishing emails that trick people into sharing sensitive information.
  • Data Breaches and Privacy Violations: As mentioned, compromised credentials can be used to fuel additional data breaches, which can result in financial loss, reputational damage and privacy violations.

How to Fight Back

For these and other reasons, retailers must implement a layered security approach that eliminates credential stuffing as a threat vector. Considerations include:

  • Replace email with usernames. Email addresses have historically been the go-to for site logins, but this effectively rolls out the welcome mat for would-be credential stuffers. Requiring users to select a unique username when they register on the website makes it significantly more difficult for threat actors to launch a successful credential stuffing attack.
  • Double-down on multifactor authentication (MFA). MFA provides a strong defense against credential stuffing, however, because it also introduces friction into the login process, many consumer-facing sites are hesitant to enforce it. Brands should revisit this decision in light of the heightened threat landscape or, at the very least, require a second factor in scenarios that suggest the login attempt may be fraudulent — e.g., when using a new browser, device or IP address, or if the login originates from an unusual country or location.
  • Consider CAPTCHA. Requiring shoppers to correctly complete a CAPTCHA can prevent many automated login attempts, but the technology is far from perfect and many companies balk at enforcing it for every login. As outlined, requiring it only when the login appears unusual can help strike the right balance between security and user friction.
  • Implement risk-based authentication. A related approach is to deploy risk-based authentication tools. These assess the likelihood of account compromise at every login and require additional factors to authenticate the user if the request is deemed suspicious — e.g., a one-time password (OTP), security questions, verification links sent to email, or biometrics.
  • Ensure right-sized max failure lockout window. Another best practice is ensuring that a policy exists to lock users out after a number of failed attempts, and that it’s sized appropriately based upon the industry and the nature of the data at hand.
  • Test device fingerprinting. Retailers can implement device fingerprinting to determine when one device is linked to numerous accounts, or other suspicious device-related behavior suggestive of fraudulent activity.
  • Incorporate credential screening. Because compromised passwords are a primary driver of credential stuffing attacks, screening for their exposure at every login can go a long way in preventing the threat. There are various ways to address this, with many brands historically purchasing static blacklists of compromised or weak credentials or even curating their own. However, this approach is no match for today’s relentless onslaught of breaches as it fails to screen for newly exposed username and password pairs. Increasingly, brands are incorporating Dark Web monitoring into their password hygiene strategy, as well as vetting credentials against a real-time database to protect against credential stuffing and other threat vectors.

The Path Forward

In addition to the initial financial impact of credential stuffing, brands face reputational damage, the possibility of customer attrition, and a long road ahead to build back consumer trust. Following the steps outlined above can help retailers avoid these struggles and formulate a stronger foundation to protect not only against credential stuffing attacks, but also a variety of other password-based threats. With stolen credentials involved in over 80 percent of the breaches studied in Verizon’s most recent DBIR, it’s clear that strengthening the password layer is a security priority no brand should overlook.

Mike Wilson is the founder and chief technology officer of Enzoic, a provider of threat intelligence solutions. 

View Original Article
Member since

More from 0 Author Missing

  1. Corporate Strategy

7 Keys To Brand Evolution In A Changing World

There were brand-businesses that did not survive in 2023. Bed, Bath & Beyond, Rite Aid, SmileDirectClub, Lordstown Motors to name a few. There are several reasons for the demise of these brand-businesses. However, there are evergreen principles for building and maintaining powerful brand-businesses. Here are seven keys for evolving in a changing world. 1. Know […]
5 min read
0
  1. Department: Nonfood

The Difference Between Purpose And Value Proposition

Brand “purpose” has been all the rage in recent years. The notion of brand purpose rests on the assumption that a brand, product, or company should stand for something more important than just the functional benefits it delivers. A purpose is the reason a product or company exists and what it stands for beyond the […]
5 min read
0
  1. Data & Insights

Modernizing Retail Supply Chain Challenges With AI

The retail supply chain is undergoing a major transformation, driven by the rise of e-commerce and the increasing complexity of global supply chains. In Gartner’s 2023 Top Supply Chain Technology Trends report, “actionable AI” was named the No. 1 trend. This reflects the growing recognition among retailers that artificial intelligence is essential for modernizing and […]
3 min read
0
  1. Associates & Employees

3 Ways to Ignite Your Hourly Workers

“Scott, we’re doing all we can to support our managers, but they just can’t seem to motivate our employees. What do we do?” I meet many business leaders in my work as a speaker and consultant and I hear their challenges. Four out of five conversations are about employees. Usually it’s their hourly employees, those […]
4 min read
0
  1. Shopper & Customer

How Retailers Can Refresh Stale Triggered Campaigns

Most of the conversations I have with retailers these days are about strategies to improve the performance of their tried-and-true triggered marketing campaigns — e.g., abandon browse, search and product campaigns. Retailers are aware that having triggers for shoppers who abandoned their cart, abandoned a search or browse is now pretty commonplace, and so the […]
4 min read
0
  1. Trends & External Forces

How to Ensure Your E-Commerce Site is Compliant With Emerging Privacy Laws

Navigating the data privacy landscape these days can be daunting, particularly with the continual emergence of new state and federal regulations. We now have 13 state laws signed, and many others to come online in the next year, not to mention sector-specific laws. These have led to hundreds of lawsuits and enforcement actions. Given that […]
3 min read
0
  1. Channel: Mass

Target Launches Value-Priced Private Label Brand

Target Corp. announced it has launched a new private label product line for price-conscious consumers called dealworthy. The assortment of 400 everyday basics will include apparel and accessories, essentials and beauty, as well as electronics and home items. Items will start at less than $1 and with most under $10, the prices are designed to […]
< 1 min read
0
  1. Corporate Strategy

GoodwillFinds’ CEO Discusses the Future of Resale E-Commerce

In episode 432 of Total Retail Talks, Editor-in-Chief Joe Keenan interviews Matt Kaness, CEO of GoodwillFinds, an online, curated selection of hundreds of thousands of unique items, showcasing a wide variety of secondhand clothing, books, home decor and more. Listen in as Kaness provides an overview of GoodwillFinds (0:55), discusses his professional background and what […]
< 1 min read
0
  1. Data & Insights

Revolutionizing Retail: AI at the Helm of Mobile Commerce

Artificial intelligence allows retailers to gain a far deeper understanding of customer preferences and behaviors by analyzing information like browsing and purchase histories. Using sophisticated AI algorithms, retailers can build comprehensive profiles that reveal what individual shoppers like and need over time. This empowers retailers to provide hyperpersonalized product recommendations that closely match each customer’s […]
3 min read
0
  1. Associates & Employees

Macy’s, Wayfair Announce Job Cuts

Retail layoffs are hitting especially hard recently. Macy’s is laying off about 3.5 percent of its total headcount, which amounts to roughly 2,350 employees, and the iconic department store is closing five locations. Also last week, online furniture seller Wayfair said it is cutting about 1,650 jobs, or 13 percent of its global workforce. The Wall […]
2 min read
0
  1. Trends & External Forces

How iFIT Blends Product, Content and Technology for Personalized Fitness

In episode 437 of Total Retail Talks, Editor-in-Chief Joe Keenan interviews Kevin Duffy, CEO of iFIT, a global fitness and connected content company operating brands NordicTrack, ProForm, and Freemotion. Listen in as Duffy provides an overview of the fitness technology business (0:45), how iFIT creates engaging, personalized experiences for its members (2:15), identifies its key […]
< 1 min read
0
  1. Data & Insights

5 Trends Set to Power the E-Commerce Revolution in 2024

As we begin 2024, the e-commerce landscape is on the brink of a significant transformation. Technological advancements like artificial intelligence/generative AI coupled with evolving consumer behaviors and a global shift towards sustainability are converging to redefine the way we shop online — from the way we search for products and make payments, to the authenticity […]
3 min read
0
  1. Shopper & Customer

Online Shopping Frustration is Growing … But Retailers Can Reverse the Trend

Following a record-breaking “Cyber Five,” retailers are crossing their fingers for robust sales to continue throughout the holiday season. But as online spending rises, so does online shopper frustration — and this has the potential to harm both immediate and long-term sales. Retail data from FullStory shows that online shoppers experienced a 16.3 percent year-over-year […]
3 min read
0
  1. Data & Insights

[Report] FY 2023 State of the Home Improvement Industry

Despite economic challenges, the home improvement industry has displayed strong resilience, driven by sustained consumer interest in renovation and DIY projects. However, consumer preferences continue to shift, as more shoppings choose to make purchases online and at smaller retailers. Get an exclusive look at key trends driving the home improvement market’s performance, including: What categories […]
< 1 min read
0
Next