Shape Security Blog

Highlighting breaking news, events, and analyst commentary on cyber security from around the world

Don’t Let Stolen Credentials Ruin Your Holiday Gift Giving

2016 is the year of stolen credentials used for account takeover; the holiday season, starting with Cyber Monday, is the period of peak risk for the retail industry

The research team here at Shape Security has been monitoring credential spills throughout the course of the year and tallying up the massive number of usernames and passwords stolen in 2016. That includes news reports of credentials spilled from data breaches at LinkedIn in May, Dropbox in August, and Yahoo in September.

The hard truth is: we just surpassed two billion stolen credentials in 2016 alone. While these numbers are staggering and perhaps make 2016 “the year of stolen credentials,” what’s more concerning is that these stolen credentials are the fuel for sophisticated automated fraud.

We’re sharing this now—as we head into Black Friday, Cyber Monday and more broadly the busiest shopping season of the year—so that retailers and consumers alike remain vigilant.

Cybercriminals are going to be shopping with these stolen credentials

Stolen credentials enable credential stuffing attacks, where cybercriminals test for the reuse of login credentials (usernames and passwords) on websites and mobile applications—including those serving up the hottest holiday gifts at the cheapest prices.

Once the cybercriminals are in a consumer’s account, the retailer’s goods are theirs for the taking. The cybercriminals can order any fancy gadget they please with the victim’s stored credit card number, change the victim’s shipping address to their own for delivery convenience, and resell the goods for cash. Of course, once they’ve maxed out one credit card, they can rinse and repeat the process for all the other accounts they were able to crack. If there’s no stored credit card number, they can drain reward point balances instead.

Tips for staying secure online this holiday shopping season:

  • Don’t reuse passwords across sites. Even if you’re rushing to quickly set up an account to grab the retailer’s best deal before it’s gone, take the time to generate a new, unique password. This doesn’t have to be a cumbersome process and there are tricks and systems you can use to make it easier.
  • Monitor your accounts closely and report unusual activity or charges. This includes keeping an eye out for any email or text alerts claiming you’ve had failed login attempts to a certain site when you hadn’t actually tried to log in. If you are contacted over email or text, always navigate to the website directly rather than clicking on one of the message’s included links, so you can ensure you’re not falling victim to phishing by clicking on a password-change link sent by an attacker.
  • Keep an eye on your gift card and reward point balances. Gift cards and loyalty program points are essentially just one step removed from cash for cybercriminals. Your hard-earned rewards, such as airline miles, can easily be monetized by cybercriminals in automated fraud schemes. Keep an eye on how many points you have, and let the affiliated site know if you notice an unexpected change.

While consumers may be preparing to wait up in the wee hours of the night to buy the hottest new VR headset, GoPro drone, Apple Watch or Fitbit, the hottest item for cybercriminals this holiday season is stolen credentials. Don’t let yours be their gift!

For more on what retailers can do to stop automated fraud this holiday season, read Shape’s customer case studies on how one retail giant stopped $25M in fraudulent transactions and chargeback fees in a single year.

Author: Shuman | Posted on: November 23, 2016 | December 21, 2018 | Categories: Best Practices, Shape Perspectives | Tags: account takeover, Credential Spill, credential stuffing, cyber monday, fraud, retail, Security Trends