Protecting E-commerce Firms from Credential Stuffing and Credential Cracking
Account Takeover (ATO) attacks against the e-commerce industry are among the most harmful types of bot attacks in terms of financial and reputational damage. They result in user accounts being compromised to execute theft of account balances, including money, store credits, gift cards, and loyalty points. ATO attacks rely on lists of breached or stolen account credentials to take over user accounts on websites and applications operated by e-commerce and other industries with similar vulnerabilities.
The two main types of attack employed in ATO are credential stuffing (multiple login attempts to verify the validity of stolen username and password combinations) and credential cracking (trying different username and password combinations to identify valid login credentials). For e-commerce enterprises, these threats, along with phishing and social engineering tactics, constitute a clear and present danger to their businesses. With e-commerce industry revenues predicted to grow six-fold in the next three years, ATO attacks are expected to grow by leaps and bounds as hundreds of millions of new accounts are opened in emerging economies that are increasingly taking to online spending and digital transactions.
Botmasters execute ATO attacks using sophisticated, humanlike fourth-generation bots that evade detection by, for example, making multiple hits from a single device ID across thousands of IP addresses, or presenting multiple device IDs from a single IP address, as shown in the figure below, taken from an actual attempted bot attack.
Figure: Fourth-generation bots rotate through thousands of IP addresses and device IDs to evade detection.
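As an added illustration, not code from the original post or from Radware Bot Manager, the following Python script looks for the two evasion patterns just described (one device ID hopping across many IP addresses, and many device IDs presented from one IP address) and separates credential stuffing from credential cracking by how failed logins are spread across usernames. The log record format, the field names and the thresholds are assumptions chosen for the example, and the sample log lines are constructed, not real traffic.

```python
"""Flag login-attempt patterns typical of fourth-generation ATO bots.

Added example, not vendor code. Assumed record format per line:
    <epoch_seconds> <ip> <device_id> <username> OK|FAIL
Thresholds are assumptions; tune them against your own baseline traffic.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class LoginAttempt:
    ts: int          # epoch seconds
    ip: str
    device_id: str
    username: str
    success: bool


def parse_line(line: str) -> LoginAttempt:
    """Parse one record in the assumed whitespace-separated format."""
    ts, ip, device_id, username, result = line.split()
    return LoginAttempt(int(ts), ip, device_id, username, result == "OK")


def group_distinct(attempts, key_attr, value_attr):
    """Map each key (e.g. device_id) to the set of distinct values (e.g. ip) seen with it."""
    seen = defaultdict(set)
    for a in attempts:
        seen[getattr(a, key_attr)].add(getattr(a, value_attr))
    return seen


def flag_rotation(attempts, min_distinct=10):
    """Return the device IDs seen across many IPs and the IPs presenting many device IDs."""
    ips_per_device = group_distinct(attempts, "device_id", "ip")
    devices_per_ip = group_distinct(attempts, "ip", "device_id")
    return {
        "device_rotating_ips": sorted(
            d for d, ips in ips_per_device.items() if len(ips) >= min_distinct),
        "ip_rotating_devices": sorted(
            ip for ip, devs in devices_per_ip.items() if len(devs) >= min_distinct),
    }


def classify_failures(attempts, key_attr, min_failures=10, stuffing_users=5):
    """Label each key (device_id or ip) with enough failed logins by its pattern.

    Failures spread over many usernames -> 'stuffing' (validating a stolen list).
    Failures concentrated on few usernames -> 'cracking' (guessing one account's password).
    """
    failures = defaultdict(int)
    users = defaultdict(set)
    for a in attempts:
        if not a.success:
            key = getattr(a, key_attr)
            failures[key] += 1
            users[key].add(a.username)
    labels = {}
    for key, n in failures.items():
        if n >= min_failures:
            labels[key] = "stuffing" if len(users[key]) >= stuffing_users else "cracking"
    return labels


def constructed_log():
    """Constructed sample records (not real traffic) exercising both patterns."""
    lines = []
    t = 1_700_000_000
    # Pattern 1: one device ID hopping across 30 IPs, each trying a different stolen credential.
    for i in range(30):
        lines.append(f"{t + i} 198.51.100.{i + 1} dev-aaaa user{i:03d} FAIL")
    # Pattern 2: 25 device IDs behind one IP, all hammering the same account.
    for i in range(25):
        lines.append(f"{t + 100 + i} 203.0.113.7 dev-{i:04x} alice FAIL")
    # Benign traffic: real users on their own devices, including one honest typo.
    lines.append(f"{t + 200} 192.0.2.10 dev-bob bob OK")
    lines.append(f"{t + 201} 192.0.2.11 dev-carol carol FAIL")
    lines.append(f"{t + 202} 192.0.2.11 dev-carol carol OK")
    return lines


def analyse(lines):
    """Run both detectors over raw log lines and return their findings."""
    attempts = [parse_line(line) for line in lines]
    return (flag_rotation(attempts),
            classify_failures(attempts, "device_id"),
            classify_failures(attempts, "ip"))


if __name__ == "__main__":
    rotation, by_device, by_ip = analyse(constructed_log())
    print("rotation:", rotation)
    print("by device:", by_device)
    print("by IP:", by_ip)
```

Keying the failure classifier on both device ID and IP matters: the IP-rotating bot is only visible when grouped by device ID, and the device-rotating bot only when grouped by IP, which is exactly why these bots rotate one identifier while holding the other fixed. In production the same counts would be kept over a sliding time window rather than over a whole file.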
Account takeovers and fraudulent transactions cost merchants dearly in terms of legal costs, interest, chargebacks, merchandise replacement, and various other expenses. Researchers have estimated that for every dollar lost through payment fraud in 2019, e-commerce merchants will incur total losses amounting to over three dollars, including legal costs, compensation to users, and loss of revenue.
For e-commerce businesses, the best way to stop credential stuffing and cracking is to deny cybercriminals any chance to carry out their attacks. Sophisticated visitor traversal and behavioral analysis by solutions such as Radware Bot Manager prevent fraud and ATO and provide essential protection to your customers and your enterprise. The growing impact of ATO attacks, and the inability of conventional security systems to prevent them, make it crucial to implement specialized solutions that can detect and block automated attacks in real time. This is why several impacted industries are ramping up their use of bot management solutions designed to detect and block bad bots, preventing ATO attacks and an array of other harmful bot threats.
Originally published at https://www.shieldsquare.com on July 03, 2020.