Retailers lost a whopping $57B to online attacks in 2017, eclipsing losses from shoplifting and inventory shrinkage. The biggest online threat: “Account takeover,” or ATO, wherein fraudsters steal the credentials of legitimate customers. Attackers aren’t just hurting bottom lines; they’re also harming consumer faith overall.

Attacks are escalating in size and scope. By December 2017, some 10 million credentials were spilling onto the web each day. Criminals, working in concert across time-zones and national boundaries, use those credentials to overwhelm even the savviest retailers. Big investments in security, by themselves, haven’t foiled these attacks.

The stark reality for every e-commerce retailer today is that online fraud is the biggest threat to your business.

So what is a retailer to do?

Shape’s answer might surprise you: We believe that retailers should run in packs. Just as criminals share information and ingenuity across networks, so too retailers must band together to defeat them—both by understanding the threat and by developing cross-company defenses.

There is Safety in Numbers

Already, many retailers have joined industry groups like the Retail Cyber Intelligence Sharing Center and the Merchant Risk Council, where they trade tips about criminal activity and how to respond. Some retailers are also deploying collective defense capabilities. A network like Shape’s Blackfish uses real-time attack data from many of the world’s largest consumer sites. Then Blackfish can alert companies in the network to known threats, so they can block them—before an attack even takes place.

Collective defense capabilities help retailers defeat many of the most dangerous online attacks.

Top Three Online Attacks Against Retailers

1) Credential Stuffing

Easy, effective and powerful, credential stuffing is a tool of choice for cybercriminals—and is the fastest-growing security issue facing retailers today.

How it works: Criminals grab readily available usernames and passwords and use them to attack retail websites. On a typical retail website, credential stuffing makes up 50-70% of total traffic. In some cases, that number exceeds 95%. Once they get in, criminals can make purchases using credit cards linked to the account or drain gift cards.

Credential stuffing is difficult to eliminate because criminals adapt to defensive measures quickly, often within 12 to 24 hours. They’re able to invest in rapid response because the profit margins are high. Defeating credential stuffing is very difficult for a single retailer in isolation—but is manageable as part of a network of allied retailers.

2) Creating Fake Accounts

With a fake account, a criminal can exploit stolen credit cards, defraud other users, reap new-customer perks, and much else. Creating fake accounts at scale requires either automation (i.e. programs that impersonate real users) or mechanical Turks (low-wage workers). Either way, the traffic flows through the same channels as legitimate new customer accounts.

The last thing a retailer wants to do is to muck up that channel—or introduce any sort of friction for new customers. That’s why a solution that protects against automated and manual fraud is critical. It can eliminate fake accounts without affecting real users at all.

3) Cracking Gift Cards

Gift card cracking occurs when criminals correctly guess a valid gift card number which has a non-zero balance. At that point, the criminals either transfer the balance to a card they control, or sell the card on a site like Raise.com or eBay.

How does the criminal guess a valid number? He gets a little help from the retailers. Every retailer operates a website or mobile app that allows customers to make purchases or check gift card balances. Criminals exploit these portals. They use programs that impersonate real users and try every possible gift card number. Soon enough, the criminal will have a trove of valid gift card numbers primed for crime.

Customer-selected PINs and other authorization steps have proven flimsy defenses—and so, retailers often face a difficult choice. Many preventative measures create more friction for their customers. But with a real-time adaptive application defense system, retailers can actually block attacks without customers even realizing it.

Additional Reading

Here are some additional resources to help you stay ahead of the threats:

NIST provides digital identity guidelines on detecting stolen passwords
R-CISC is a community for cybersecurity practitioners in the retail industry
MRC is an industry association for e-commerce payment and risk professionals

To learn more about these threats, explore new attack techniques from the holiday season and best practices we observed from Top 10 Retailers, watch our Retail Threat Intelligence Briefing webinar on-demand.

Author: Shape Security

Shape Security defends Global 2000 corporations from increasingly sophisticated automated cyber-attacks, including large-scale account takeover, credential stuffing, content scraping and content aggregation attacks on web and mobile applications. Shape has deflected over $1B in fraud losses for major retailers, financial institutions, airlines, and government agencies. Shape Security is headquartered in Silicon Valley and backed by Kleiner Perkins Caufield & Byers, Norwest Venture Partners, Venrock, Baseline Ventures, Google Ventures, and other prominent investors. Read our blog to get insights. View all posts by Shape Security