Retail shrinkage accounts for $94.5 billion in losses annually for the U.S. retail industry. However, it's not the only theft the sector needs to worry about. The 2024 Verizon DBIR found that credentials are the most frequently breached data in the retail industry. Cybercriminals continue to focus on stealing credentials due to the ease of obtaining them and because password reuse remains an evergreen problem. This is why compromised credentials have appeared in 31 percent of all breaches over the last decade and seemingly never go out of fashion.
Retailers face a barrage of challenges as they strive to deliver seamless experiences, and technology innovation is now a foundation for success. Therefore, it’s imperative that the industry take steps to combat the credential problem. Otherwise, brands risk being the next victim of a successful breach and the resulting financial, reputational and customer attrition consequences.
Passwords: The Weak Link
Compromised credentials remain in style due to poor password practices. Consumers have so many digital accounts now that they often create simple, easy-to-remember passwords. In addition, they tend to reuse or make a slight edit to a root password across multiple websites. This means that if an individual’s password has been exposed in an earlier breach, it will be available on the Dark Web for hackers to buy. They can then launch a credential-stuffing attack against any website in which the exposed password is still in use.
Credential Stuffing 101
These are automated attacks, often referred to as “brute force attacks,” in which a bot takes the exposed credentials and tries them against websites until it gains entry. The tactic is low cost and easy to deploy. Once an account is breached, the bad actor can steal credit card information, make fraudulent purchases, or tap into loyalty points. There are also indirect costs for restoring affected accounts and systems.
Rather than relying on consumers to change their behavior, retailers must take steps to reduce the risk from compromised credentials without adding too much friction for shoppers.
1. Make MFA mandatory.
By adopting multifactor authentication (MFA), brands can mitigate some of the inherent vulnerabilities of weak passwords. However, MFA doesn't provide immunity, so it must be part of a layered authentication strategy. Additionally, it does add friction for the consumer, so it's important to explain the benefits to users.
2. Adopt modern password policies.
Retailers should update their policies to follow the NIST recommendations, mandating strong, unique passwords that only require a change if exposed. This removes the friction of enforcing periodic updates.
3. Continuously screen for compromised credentials.
Because the pool of compromised credentials grows with every new breach, it’s vital to check password integrity and continuously monitor for exposure. This allows retailers to block login attempts that use compromised information until the consumer changes their password. Another advantage of this tactic is that the screening runs in the background; customers only become aware of the security measure when a compromise is detected, at which point they are prompted to take the appropriate action, such as completing an additional authentication step or creating a new password before logging in.
4. Implement bot detection and throttling.
Integrating a bot detection tool can block credential stuffing attacks by analyzing behavioral patterns, device fingerprinting, and other factors to distinguish human shoppers from malicious bots. Another layer to consider is throttling, which restricts the number of login attempts from a single IP address. However, it’s important to allow enough attempts to avoid adding too much friction to the buying journey.
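As an added illustration of recommendations 3 and 4, the following Python sketch shows how a login gate can combine per-IP throttling with a screen against a set of known-exposed password hashes, blocking a valid-but-compromised login until the customer resets the password. This is example code written for this article, not Enzoic's product or API; the exposed-hash set and the two customer accounts are constructed for the example, and the per-IP cap of ten attempts per minute is an assumed value, chosen to be generous enough that a shopper who mistypes is not locked out.

```python
import hashlib
import hmac
import os
import time
from collections import defaultdict, deque

# --- Compromised-credential screening (recommendation 3) ---

def _sha1_hex(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

# Constructed stand-in for a breach corpus. A real deployment would consult a
# continuously updated exposure feed rather than a static set; storing only
# hashes keeps plaintext out of the screening service.
EXPOSED_HASHES = {_sha1_hex(p) for p in ("password123", "qwerty", "Summer2023!")}

def is_compromised(password):
    """True if the password's SHA-1 digest appears in the exposed set.

    Mirrors the k-anonymity range-query pattern: only the five-character
    prefix would need to leave the application if the set were remote; the
    full-suffix comparison happens locally.
    """
    digest = _sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    matching_suffixes = {h[5:] for h in EXPOSED_HASHES if h.startswith(prefix)}
    return suffix in matching_suffixes

# --- Per-IP throttling (recommendation 4) ---

class LoginThrottle:
    """Sliding-window cap on login attempts per source IP.

    The cap is deliberately generous: the goal is to stop a bot cycling
    through a credential list, not to lock out a shopper who mistypes.
    The clock is injectable so the window can be tested deterministically.
    """

    def __init__(self, max_attempts=10, window_seconds=60, clock=time.monotonic):
        self.max_attempts = max_attempts
        self.window = window_seconds
        self.clock = clock
        self._attempts = defaultdict(deque)

    def allow(self, ip):
        now = self.clock()
        q = self._attempts[ip]
        while q and now - q[0] >= self.window:   # drop attempts outside the window
            q.popleft()
        if len(q) >= self.max_attempts:
            return False
        q.append(now)
        return True

# --- Account store and login gate ---

def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)
    return salt, digest

# Constructed accounts: "alice" reused a password that is in the exposed set.
ACCOUNTS = {
    "alice": hash_password("password123"),
    "bob": hash_password("correct horse battery staple"),
}
_DUMMY_SALT = os.urandom(16)

def attempt_login(ip, username, password, throttle, accounts=ACCOUNTS):
    """Returns 'throttled', 'invalid', 'reset_required' or 'ok'."""
    if not throttle.allow(ip):
        return "throttled"
    record = accounts.get(username)
    if record is None:
        hash_password(password, _DUMMY_SALT)   # keep timing uniform for unknown users
        return "invalid"
    salt, stored = record
    _, candidate = hash_password(password, salt)
    if not hmac.compare_digest(stored, candidate):
        return "invalid"
    # Credentials are valid, but the password is known to be exposed: block the
    # session until the customer sets a new one. Otherwise the screen is silent.
    if is_compromised(password):
        return "reset_required"
    return "ok"

if __name__ == "__main__":
    throttle = LoginThrottle()
    print(attempt_login("198.51.100.7", "alice", "password123", throttle))
    print(attempt_login("198.51.100.7", "bob", "correct horse battery staple", throttle))
```

The throttle is checked first because it is the cheapest test and the one aimed at bots; the exposure screen runs only after the password has verified, so a customer who is unaffected never sees it, matching the background behaviour the article describes.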
With compromised credentials the gift that keeps on giving for cybercriminals, retailers must take action to minimize the risk of a breach — the fallout from which can damage their reputation and erode customer trust. Additionally, they may incur regulatory fines for failing to meet GDPR requirements. By adopting the four recommendations as part of a layered authentication strategy, brands can avoid falling victim to a credential-stuffing attack.
Mike Wilson is the chief technology officer of Enzoic Software, a provider of threat intelligence solutions.