Credential stuffing attacks — in which hackers use credentials exposed in prior breaches to attack new sites — are soaring, with 193 billion documented incidents globally in 2020. The pandemic is a primary driver behind this increase; the abrupt shift to remote work, creation of new online accounts, and increased reliance on e-commerce all provided hackers with ample opportunity to attack sites and use these newly leaked credentials to victimize more organizations.
In fact, compromised credentials are so desirable that they're now among the most sought-after hacker targets, according to the 2021 Verizon Data Breach Investigations Report, ahead of bank, medical and even personal data. To address and mitigate the domino effect of credential stuffing attacks, retailers must first understand this threat vector in greater detail and the unique industry variables that make the sector more vulnerable.
Poor Password Practices
Faced with an ever-growing array of digital accounts and services, consumers frequently create simple, easy-to-remember passwords. Retailers can mitigate some of the inherent vulnerabilities of weak passwords by implementing multifactor authentication (MFA); however, this is not a fail-safe solution, as MFA still leaves some security gaps. In addition, consumers typically view MFA as burdensome and are frustrated when asked to complete an additional authentication step. Because this friction could lead to customer attrition and lost sales, it’s easy to see why retailers are unlikely to make MFA a requirement.
Password Reuse
In addition to deploying simple passwords for their e-commerce accounts, consumers typically reuse these passwords (or slight variants of the root phrase) across multiple sites. If any of these passwords have been exposed in a prior breach, it’s a guarantee that they're available for bad actors to purchase via the Dark Web. From there, a hacker could very easily launch a successful credential stuffing attack against any site in which the exposed password is still in use.
Automated Attacks
This brings us to how exactly credential stuffing occurs. Part of a category known as “brute force attacks,” credential stuffing is almost always carried out by an automated bot that hammers away at websites using exposed credentials until it finds one that sticks. Because this requires no technical skill, virtually anyone with a few hundred dollars to purchase the tools and data can launch a credential stuffing attack, successfully compromise online accounts, and make fraudulent purchases. It doesn’t even have to be high-value retail. For example, Domino’s Pizza, Starbucks, and Dunkin’ Donuts have all been hit with credential stuffing attacks, and loyalty programs are an increasingly common target of these campaigns. Given that this is such a low-risk, high-return opportunity for cybercriminals, it’s important that retailers address credential stuffing without introducing unnecessary friction.
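The bot behaviour described above leaves a recognisable trace in authentication logs: one source trying many different usernames in a short window, with most attempts failing. The following is an added detection example, not code from the original article or from Enzoic; the log format, the IP addresses and the thresholds are constructed assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of login events (hypothetical format):
# timestamp, source IP, username, result
SAMPLE_LOG = """\
2021-06-01T10:00:01Z 203.0.113.7 alice@example.com FAIL
2021-06-01T10:00:02Z 203.0.113.7 bob@example.com FAIL
2021-06-01T10:00:02Z 203.0.113.7 carol@example.com FAIL
2021-06-01T10:00:03Z 203.0.113.7 dave@example.com OK
2021-06-01T10:00:04Z 203.0.113.7 erin@example.com FAIL
2021-06-01T10:00:05Z 203.0.113.7 frank@example.com FAIL
2021-06-01T10:00:09Z 198.51.100.4 alice@example.com FAIL
2021-06-01T10:00:40Z 198.51.100.4 alice@example.com OK
"""

def parse_events(text):
    """Parse one event per line into (timestamp, ip, username, result) tuples."""
    events = []
    for line in text.splitlines():
        ts, ip, user, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result))
    return events

def flag_stuffing_sources(events, window=timedelta(minutes=5), min_users=5, min_fail_ratio=0.6):
    """Return {ip: (distinct_users, fail_ratio)} for sources whose sliding window holds
    many distinct usernames with mostly failed logins. A single user mistyping hits one
    account; a bot replaying a leaked list hits many. Thresholds are hypothetical."""
    by_ip = defaultdict(list)
    for ts, ip, user, result in sorted(events):
        by_ip[ip].append((ts, user, result))
    flagged = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:  # slide window forward
                start += 1
            span = evs[start:end + 1]
            users = {u for _, u, _ in span}
            fails = sum(1 for _, _, r in span if r == "FAIL")
            ratio = fails / len(span)
            if len(users) >= min_users and ratio >= min_fail_ratio:
                flagged[ip] = (len(users), round(ratio, 2))
    return flagged

def compromised_accounts(events, flagged):
    """Successful logins from a flagged source: the accounts whose reused password 'stuck'
    and which should be stepped up or locked for review."""
    return sorted({u for _, ip, u, r in events if ip in flagged and r == "OK"})
```

The successful login for dave@example.com from the flagged source is the event worth alerting on; the failures around it are what make it suspicious.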
Fighting Back Without Compromising the Customer Experience
As mentioned above, e-commerce providers must balance security considerations with consumers’ demand for a seamless digital experience. As such, one strategy for curtailing the success of credential stuffing attacks is deploying credential screening solutions to continuously check password integrity. Because this screening takes place on the backend, consumers become aware of it only if a compromise is detected and they're prompted to take the appropriate action — whether it’s completing an additional authentication step like a one-time password (OTP) or creating a new password prior to login.
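One way such backend screening can be built so that the screening service never sees the password itself is a hashed-prefix (k-anonymity) range lookup, the scheme popularised by Have I Been Pwned's Pwned Passwords API. The block below is an added example, not Enzoic's product or code from the original article; the breach corpus is a constructed stand-in of a few entries, and the user store and decision labels are hypothetical.

```python
import hashlib
import hmac
import os

# Constructed breach corpus: SHA-1 digests of passwords "known" to be exposed.
# A real service holds billions; this stand-in is only for illustration.
_BREACHED_PLAINTEXT = ["password", "123456", "qwerty", "letmein", "summer2020"]
BREACH_CORPUS = {hashlib.sha1(p.encode("utf-8")).hexdigest().upper() for p in _BREACHED_PLAINTEXT}

def sha1_hex(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def range_lookup(prefix):
    """Screening-service side: given a 5-hex-char prefix, return the suffix of every
    corpus hash that starts with it. The service sees 20 bits of the hash, never the
    full digest or the password, so a match cannot be attributed to one user."""
    if len(prefix) != 5:
        raise ValueError("prefix must be 5 hex characters")
    return [h[5:] for h in BREACH_CORPUS if h.startswith(prefix)]

def is_breached(password):
    """Retailer side: query by prefix, then match the remaining suffix locally."""
    digest = sha1_hex(password)
    return digest[5:] in range_lookup(digest[:5])

# Hypothetical user store: username -> (salt, PBKDF2 hash). Plaintext is never kept.
USERS = {}

def _kdf(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)

def register(username, password):
    salt = os.urandom(16)
    USERS[username] = (salt, _kdf(password, salt))

def login_decision(username, password):
    """Backend policy at login: wrong credential -> reject (without revealing whether the
    password is breached); correct credential but password seen in a breach -> step up with
    an OTP and force a reset; correct and clean -> allow with no added friction."""
    rec = USERS.get(username)
    if rec is None or not hmac.compare_digest(_kdf(password, rec[0]), rec[1]):
        return "reject"
    if is_breached(password):
        return "require_otp_then_reset"
    return "allow"
```

The screening runs only after the credential verifies, so an attacker cannot use the screening step itself as a password oracle.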
Of course, shoring up password security is just one step in combating credential stuffing attacks. As with other security vulnerabilities, a layered approach is retailers’ best bet for staying protected, particularly as the credential stuffing threat is unlikely to fade in the foreseeable future.
Retailers are already facing enough challenges in the struggle to thrive in our digital-first world, so it’s imperative that they take steps today to combat the credential stuffing crisis. Otherwise, they risk being the next domino to fall and suffer the accompanying financial, brand and customer attrition consequences.
Josh Horwitz is chief operating officer at Enzoic, a cybersecurity and fraud detection solution.
Horwitz is an enterprise software executive and entrepreneur with over 25 years’ experience. He was the founder of the cloud-based enterprise customer-marketing platform Boulder Logic, whose clients included Microsoft, Siemens, Dell, and CSC. Josh grew the company as CEO over 46 consecutive profitable quarters and ultimately led the company’s exit in 2015. Prior to founding his company, Josh held senior technology and sales positions with both start-ups and Fortune 500 companies, including IBM, where he developed marketing programs to help build Lotus Domino to over 40 million users. Josh earned his MBA from Babson’s F.W. Olin Graduate School of Business and his BA from Washington University in St. Louis.