Shape Security Blog

Highlighting breaking news, events, and analyst commentary on cyber security from around the world

Key Takeaways: Retail Threat Briefing Webinar with R-CISC

In the era of Amazon and mainstream e-commerce, every online retailer has to deliver a compelling user experience across their web and mobile channels while protecting customers from cyberattacks and fraud. Recently, Shape collaborated with R-CISC to share attack data and analysis of the most prevalent threats for retailers and best practices on how Top 10 Retailers are mitigating these threats.

Watch the threat briefing video here or read a summary of the key points below.

Analysis of Top Online Retail Threats

Credential Stuffing


Credential stuffing is responsible for more than 99% of all retail account takeovers (ATOs). In one attack on a top 50 retailer, Shape identified over 13.8 million automated posts against a login endpoint, using 80,000 unique IP addresses, sustained for 10 days. Prior to blocking, this retailer identified 328,000 account takeovers.

Gift Card Cracking


For some retailers, Shape has observed that over 98.5% of the traffic to their gift card endpoints is automated. Gift card cracking is popular because it’s relatively easy to monetize and often done anonymously. Criminals impersonate real users and steal valid gift card numbers by exploiting the retailers’ own applications for purchases, transfers and checking gift card balances.

Fake Account Creation


Fake account creation is often used for future fraud involving promotions, points, fake reviews and surveys. In one client example, attackers attempted to create 16k fake accounts in just a week. Stopping attacks requires the fast identification of automated attackers and manual fraudsters without adding any friction for actual customers.

Scalping


Scalping bots obtain limited-availability items, often resulting in items being sold out in minutes. A common scenario is bots buying up high-demand concert tickets and congesting the main user flow for everyone else, resulting in a bad user experience for a retailer’s most loyal customers and damage to its brand reputation.

For one client, scalping traffic made up a staggering 99.84% of its total traffic leading up to the November Black Friday period. The scalping traffic was instantly blocked once it started routing through Shape. Again, fast implementation is key, especially during peak online shopping periods.

How are Top 10 Retailers Preventing Attacks

Here are some of the best practices we observed from the top ten retailers who have successfully protected their businesses from the most damaging threats:

  • The entire transaction flow matters—not just login
  • CAPTCHA is not a viable option to stop automated bot attacks
  • Omni-channel protection—across web, mobile and even personal assistants like Alexa—is required to mitigate evolving attacks.

For more details on the top threats to retailers and additional best practices, watch the full video.

To learn more about Shape Security in retail visit www.shapesecurity.com.

Author: Shape Security

Shape Security defends Global 2000 corporations from increasingly sophisticated automated cyber-attacks, including large-scale account takeover, credential stuffing, content scraping and content aggregation attacks on web and mobile applications. Shape has deflected over $1B in fraud losses for major retailers, financial institutions, airlines, and government agencies. Shape Security is headquartered in Silicon Valley and backed by Kleiner Perkins Caufield & Byers, Norwest Venture Partners, Venrock, Baseline Ventures, Google Ventures, and other prominent investors.

Posted on: February 27, 2018 / December 22, 2018. Categories: Shape Network, Threat Lab. Tags: credential stuffing, fake account creation, gift card cracking, Scalping, Security Trends, Webinar.
