Shape Security Blog

Highlighting breaking news, events, and analyst commentary on cyber security from around the world

Tag: gift card cracking

Key Takeaways: Retail Threat Briefing Webinar with R-CISC

In the era of Amazon and mainstream e-commerce, every online retailer has to deliver a compelling user experience across their web and mobile channels while protecting customers from cyberattacks and fraud. Recently, Shape collaborated with R-CISC to share attack data and analysis of the most prevalent threats for retailers and best practices on how Top 10 Retailers are mitigating these threats.

Watch the threat briefing video here or read a summary of the key points below.

Analysis of Top Online Retail Threats

Credential Stuffing

Credential stuffing is responsible for more than 99% of all retail account takeovers (ATOs). In one attack on a top 50 retailer, Shape identified over 13.8 million automated posts against a login endpoint, using 80,000 unique IPs, sustained for 10 days. Prior to blocking, this retailer identified 328,000 account takeovers.

Gift Card Cracking

For some retailers Shape has observed that over 98.5% of their traffic to gift card endpoints is automated. Gift card cracking is popular because it’s relatively easy to monetize and often done anonymously. Criminals impersonate real users and steal valid gift card numbers by exploiting the retailers’ own applications for purchases, transfers and checking gift card balances.

Fake Account Creation

Fake account creation is often used for future fraud including promotions, points, fake reviews and surveys. In one client example, attackers attempted to create 16k fake accounts in just a week. Stopping these attacks requires the fast identification of automated attackers and manual fraudsters without adding any friction for actual customers.

Scalping

Scalping bots obtain limited-availability items, often resulting in items being sold out in minutes. A common scenario is bots buying up high-demand concert tickets, congesting the main user flow for everyone else, resulting in a bad user experience for a retailer’s most loyal customers and damage to its brand reputation.

For one client, scalping traffic made up a staggering 99.84% of its total traffic leading up to the November Black Friday period. The scalping traffic was instantly blocked once it started routing through Shape. Again, fast implementation is key—especially during peak online shopping periods.

How Top 10 Retailers Are Preventing Attacks

Here are some of the best practices we observed from the top ten retailers who have successfully protected their businesses from the most damaging threats:

  • The entire transaction flow matters—not just login.
  • CAPTCHA is not a viable option to stop automated bot attacks.
  • Omni-channel protection—across web, mobile and even personal assistants like Alexa—is required to mitigate evolving attacks.

For more details on the top threats to retailers and additional best practices watch the full video:

To learn more about Shape Security in retail visit www.shapesecurity.com.

Author: Shape Security. Posted on February 27, 2018; updated December 22, 2018. Categories: Shape Network, Threat Lab. Tags: credential stuffing, fake account creation, gift card cracking, Scalping, Security Trends, Webinar.

Biggest Threat to Retail? (hint: it’s not Amazon)

Retailers lost a whopping $57B to online attacks in 2017, eclipsing losses from shoplifting and inventory shrinkage. The biggest online threat: “Account takeover,” or ATO, wherein fraudsters steal the credentials of legitimate customers. Attackers aren’t just hurting bottom lines; they’re also harming consumer faith overall.

Attacks are escalating in size and scope. By December 2017, some 10 million credentials were spilling onto the web each day. Criminals, working in concert across time-zones and national boundaries, use those credentials to overwhelm even the savviest retailers. Big investments in security, by themselves, haven’t foiled these attacks.

The stark reality for every e-commerce retailer today is that online fraud is the biggest threat to your business.

So what is a retailer to do?

Shape’s answer might surprise you: We believe that retailers should run in packs. Just as criminals share information and ingenuity across networks, so too retailers must band together to defeat them—both by understanding the threat and by developing cross-company defenses.

There is Safety in Numbers

Already, many retailers have joined industry groups like the Retail Cyber Intelligence Sharing Center and the Merchant Risk Council, where they trade tips about criminal activity and how to respond. Some retailers are also deploying collective defense capabilities. A network like Shape’s Blackfish uses real-time attack data from many of the world’s largest consumer sites. Then Blackfish can alert companies in the network to known threats, so they can block them—before an attack even takes place.

Collective defense capabilities help retailers defeat many of the most dangerous online attacks.

Top Three Online Attacks Against Retailers

1) Credential Stuffing

Easy, effective and powerful, credential stuffing is a tool of choice for cybercriminals—and is the fastest-growing security issue facing retailers today.

How it works: Criminals grab readily available usernames and passwords and use them to attack retail websites. On a typical retail website, credential stuffing makes up 50-70% of total traffic. In some cases, that number exceeds 95%. Once they get in, criminals can make purchases using credit cards linked to the account or drain gift cards.

Credential stuffing is difficult to eliminate because criminals adapt to defensive measures quickly, often within 12 to 24 hours. They’re able to invest in rapid response because the profit margins are high. Defeating credential stuffing is very difficult for a single retailer in isolation—but is manageable as part of a network of allied retailers.

2) Creating Fake Accounts

With a fake account, a criminal can exploit stolen credit cards, defraud other users, reap new-customer perks, and much else. Creating fake accounts at scale requires either automation (i.e. programs that impersonate real users) or mechanical Turks (low-wage workers). Either way, the traffic flows through the same channels as legitimate new customer accounts.

The last thing a retailer wants to do is to muck up that channel—or introduce any sort of friction for new customers. That’s why a solution that protects against automated and manual fraud is critical. It can eliminate fake accounts without affecting real users at all.

3) Cracking Gift Cards

Gift card cracking occurs when criminals correctly guess a valid gift card number which has a non-zero balance. At that point, the criminals either transfer the balance to a card they control, or sell the card on a site like Raise.com or eBay.

How does the criminal guess a valid number? He gets a little help from the retailers. Every retailer operates a website or mobile app that allows customers to make purchases or check gift card balances. Criminals exploit these portals. They use programs that impersonate real users and try every possible gift card number. Soon enough, the criminal will have a trove of valid gift card numbers primed for crime.

Customer-selected PINs and other authorization steps have proven flimsy defenses—and so, retailers often face a difficult choice. Many preventative measures create more friction for their customers. But with a real-time adaptive application defense system, retailers can actually block attacks without customers even realizing it.
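The guessing pattern described above, and the automated login posts described under credential stuffing, both leave the same trace in access logs: one source trying many distinct card numbers or usernames, nearly all of which fail, while a real customer checks one card or retypes one username. The following detection logic is an added example, not Shape's code or product logic; the log layout, field names and thresholds are assumptions, and the log lines are constructed.

```python
from collections import defaultdict

# Constructed sample access log (not real traffic); the field layout is an assumption:
# <timestamp> <source_ip> <endpoint> id=<masked card number or username> outcome=<ok|fail>
SAMPLE_LOG = """\
2018-02-09T10:00:01Z 198.51.100.7 /giftcard/balance id=card-A101 outcome=ok
2018-02-09T10:00:04Z 198.51.100.7 /giftcard/balance id=card-A101 outcome=ok
2018-02-09T10:00:02Z 203.0.113.5 /giftcard/balance id=card-0001 outcome=fail
2018-02-09T10:00:02Z 203.0.113.5 /giftcard/balance id=card-0002 outcome=fail
2018-02-09T10:00:03Z 203.0.113.5 /giftcard/balance id=card-0003 outcome=ok
2018-02-09T10:00:03Z 203.0.113.5 /giftcard/balance id=card-0004 outcome=fail
2018-02-09T10:00:04Z 203.0.113.5 /giftcard/balance id=card-0005 outcome=fail
2018-02-09T10:00:06Z 192.0.2.44 /login id=user-bob outcome=fail
2018-02-09T10:00:09Z 192.0.2.44 /login id=user-bob outcome=ok
2018-02-09T10:00:06Z 203.0.113.9 /login id=user-k1 outcome=fail
2018-02-09T10:00:06Z 203.0.113.9 /login id=user-k2 outcome=fail
2018-02-09T10:00:07Z 203.0.113.9 /login id=user-k3 outcome=fail
2018-02-09T10:00:07Z 203.0.113.9 /login id=user-k4 outcome=fail
2018-02-09T10:00:08Z 203.0.113.9 /login id=user-k5 outcome=fail
"""

def source_stats(log_text):
    """Per (source_ip, endpoint): request count, distinct identifiers tried, failures."""
    stats = defaultdict(lambda: {"requests": 0, "ids": set(), "failures": 0})
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip malformed lines rather than crash the detector
        _, ip, endpoint, ident, outcome = fields
        s = stats[(ip, endpoint)]
        s["requests"] += 1
        s["ids"].add(ident.split("=", 1)[1])
        s["failures"] += int(outcome == "outcome=fail")
    return stats

def flag_enumeration(stats, min_requests=5, min_distinct_ratio=0.8, min_failure_ratio=0.6):
    """Flag sources that try many distinct identifiers and mostly fail: the shape of both
    gift card cracking and credential stuffing. Thresholds here are illustrative."""
    flagged = []
    for (ip, endpoint), s in stats.items():
        n = s["requests"]
        if n < min_requests:
            continue
        if len(s["ids"]) / n >= min_distinct_ratio and s["failures"] / n >= min_failure_ratio:
            flagged.append((ip, endpoint))
    return sorted(flagged)

def automated_share(stats, flagged, endpoint):
    """Fraction of an endpoint's requests that came from flagged sources."""
    total = sum(s["requests"] for (_, ep), s in stats.items() if ep == endpoint)
    return sum(stats[k]["requests"] for k in flagged if k[1] == endpoint) / total if total else 0.0
```

Per-source thresholds are only a first cut: the briefing above records one attack spread across 80,000 IPs, so each source can stay under any fixed count, which is why the endpoint-wide share from `automated_share` is worth tracking as a second signal.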

Additional Reading

Here are some additional resources to help you stay ahead of the threats:

  • NIST provides digital identity guidelines on detecting stolen passwords
  • R-CISC is a community for cybersecurity practitioners in the retail industry
  • MRC is an industry association for e-commerce payment and risk professionals

To learn more about these threats, explore new attack techniques from the holiday season and best practices we observed from Top 10 Retailers, watch our Retail Threat Intelligence Briefing webinar on-demand.

Author: Shape Security. Posted on February 9, 2018; updated December 21, 2018. Categories: Shape Network, Threat Lab. Tags: account takeover, credential stuffing, fake account creation, gift card cracking, r-cisc, retail, Security Trends.
