The research team here at Shape Security has been monitoring credential spills throughout the course of the year and tallying up the massive number of usernames and passwords stolen in 2016. That includes news reports of credentials spilled from data breaches at LinkedIn in May, Dropbox in August, and Yahoo in September.
The hard truth is: we just surpassed two billion stolen credentials in 2016 alone. While these numbers are staggering and perhaps make 2016 “the year of stolen credentials,” what’s more concerning is that these stolen credentials are the fuel for sophisticated automated fraud.
We’re sharing this now—as we head into Black Friday, Cyber Monday and more broadly the busiest shopping season of the year—so that retailers and consumers alike remain vigilant.
Cybercriminals are going to be shopping with these stolen credentials
Stolen credentials enable credential stuffing attacks, where cybercriminals test for the reuse of login credentials (usernames and passwords) on websites and mobile applications—including those serving up the hottest holiday gifts at the cheapest prices.
Once the cybercriminals are into a consumer’s account, the retailer’s goods are theirs for the taking. The cybercriminals can order any fancy gadget they please with the victim’s stored credit card number, change the victim’s shipping address to their own for delivery convenience, and resell the goods for cash. Of course, once they’ve maxed out one credit card, they can also rinse and repeat the process for all the other accounts they were able to crack. If there’s no stored credit card number, they can also drain reward point balances, too.
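The fraud pattern described above leaves a distinctive footprint in a retailer's authentication logs: one source trying many different usernames with a high failure rate, with the occasional success marking an account that has just been taken over. The following is an added example, not Shape Security's code, of a defender-side heuristic that scores login sources on exactly those two signals. The log format (`timestamp ip username result`), the sample lines, and the thresholds (five distinct usernames, 60% failure ratio) are all assumptions constructed for the example; a real deployment would tune them to its own traffic and add the distributed, low-velocity case where attackers spread attempts across many IPs.

```python
"""Credential-stuffing detection heuristics over authentication log lines.

Added example (not Shape Security's code). Log format, sample data and
thresholds are assumptions; adjust them to your own environment.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Constructed sample log. Assumed format: "<timestamp> <src_ip> <username> <result>"
# 203.0.113.7   : many distinct usernames, mostly failures  -> stuffing pattern
# 198.51.100.23 : one user mistyping their own password      -> benign
# 192.0.2.50    : shared office egress, many users, mostly OK -> benign
SAMPLE_LOG = """\
2016-11-21T02:00:01 203.0.113.7 alice@example.com FAIL
2016-11-21T02:00:01 203.0.113.7 bob@example.com FAIL
2016-11-21T02:00:02 203.0.113.7 carol@example.com FAIL
2016-11-21T02:00:02 203.0.113.7 dave@example.com FAIL
2016-11-21T02:00:03 203.0.113.7 erin@example.com OK
2016-11-21T02:00:03 203.0.113.7 frank@example.com FAIL
2016-11-21T02:00:04 203.0.113.7 grace@example.com FAIL
2016-11-21T02:00:04 203.0.113.7 heidi@example.com FAIL
2016-11-21T02:00:05 203.0.113.7 ivan@example.com FAIL
2016-11-21T02:00:05 203.0.113.7 judy@example.com OK
2016-11-21T09:15:10 198.51.100.23 alice@example.com FAIL
2016-11-21T09:15:20 198.51.100.23 alice@example.com FAIL
2016-11-21T09:15:31 198.51.100.23 alice@example.com OK
2016-11-21T09:20:00 192.0.2.50 corp1@example.com OK
2016-11-21T09:20:05 192.0.2.50 corp2@example.com OK
2016-11-21T09:20:09 192.0.2.50 corp3@example.com OK
2016-11-21T09:20:12 192.0.2.50 corp4@example.com FAIL
2016-11-21T09:20:15 192.0.2.50 corp5@example.com OK
2016-11-21T09:20:19 192.0.2.50 corp6@example.com OK
"""


@dataclass
class SourceStats:
    """Per-source-IP counters accumulated from the log."""
    attempts: int = 0
    failures: int = 0
    usernames: Set[str] = field(default_factory=set)   # distinct accounts tried
    successes: Set[str] = field(default_factory=set)   # accounts that logged in OK

    @property
    def failure_ratio(self) -> float:
        return self.failures / self.attempts if self.attempts else 0.0


def parse_log(text: str) -> Dict[str, SourceStats]:
    """Aggregate login attempts by source IP."""
    stats: Dict[str, SourceStats] = defaultdict(SourceStats)
    for line in text.splitlines():
        if not line.strip():
            continue
        _ts, ip, user, result = line.split()
        s = stats[ip]
        s.attempts += 1
        s.usernames.add(user)
        if result == "OK":
            s.successes.add(user)
        else:
            s.failures += 1
    return stats


def flag_stuffing_sources(stats: Dict[str, SourceStats],
                          min_distinct_users: int = 5,
                          min_failure_ratio: float = 0.6) -> List[str]:
    """A source is suspicious when it tries many different accounts AND mostly fails.

    Requiring both signals keeps a single user fumbling their own password
    (one account) and a shared office IP (many accounts, mostly OK) off the list.
    """
    return sorted(ip for ip, s in stats.items()
                  if len(s.usernames) >= min_distinct_users
                  and s.failure_ratio >= min_failure_ratio)


def accounts_at_risk(stats: Dict[str, SourceStats], flagged: List[str]) -> Set[str]:
    """Accounts that logged in successfully from a flagged source: likely takeovers."""
    at_risk: Set[str] = set()
    for ip in flagged:
        at_risk |= stats[ip].successes
    return at_risk


def analyze(text: str) -> Tuple[List[str], Set[str]]:
    stats = parse_log(text)
    flagged = flag_stuffing_sources(stats)
    return flagged, accounts_at_risk(stats, flagged)


if __name__ == "__main__":
    flagged_ips, risky_accounts = analyze(SAMPLE_LOG)
    print("suspected credential-stuffing sources:", flagged_ips)
    print("accounts to re-authenticate and notify:", sorted(risky_accounts))
```

The useful output is the second list: accounts that succeeded from a source behaving like a stuffing tool are the ones whose sessions should be invalidated, whose stored payment details and shipping-address changes should be reviewed, and whose owners should be told to change the password they evidently reused.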
Tips for staying secure online this holiday shopping season:
- Don’t reuse passwords across sites. Even if you’re rushing to quickly set up an account to grab the retailer’s best deal before it’s gone, take the time to generate a new, unique password. This doesn’t have to be a cumbersome process and there are tricks and systems you can use to make it easier.
- Monitor your accounts closely and report unusual activity or charges. This includes keeping an eye out for any email or text alerts claiming you’ve had failed login attempts to a certain site when you hadn’t actually tried to log in. Always navigate to a website directly if contacted over email or text, rather than clicking on one of the message’s included links, so you can ensure you’re not falling victim to phishing by clicking on a password-change link sent by an attacker.
- Keep an eye on your gift card and reward point balances. Gift cards and loyalty program points are essentially just one step removed from cash for cybercriminals. Your hard-earned rewards, such as airline miles, can easily be monetized by cybercriminals in automated fraud schemes. Keep an eye on how many points you have, and let the affiliated site know if you notice an unexpected change.
While consumers may be preparing to wait up in the wee hours of the night to buy the hottest new VR headset, GoPro drone, Apple Watch or Fitbit, the hottest item for cybercriminals this holiday season is stolen credentials. Don’t let yours be their gift!
For more on what retailers can do to stop automated fraud this holiday season, read Shape’s customer case studies on how one retail giant stopped $25M in a single year from fraudulent transactions and chargeback fees.