August 2, 2018
Up to 90 percent of the login traffic on e-commerce sites are automated attempts to verify stolen username/password combinations, also known as “credential stuffing,” according to a new report. The 2018 Credential Spill Report from Silicon Valley cyber-defense company Shape Security is an examination of the source of compromised (i.e., “spilled”) login credentials, along with how and where bad actors are validating those credentials.
Account takeover and new account creation fraud—two of the fastest-growing fraud types affecting online merchants—rely on fraudsters obtaining valid passwords. In addition to being a primary target of ATO, online retailers are one of the major targets of the credential stuffing attacks that validate stolen logins. According to the report, e-commerce retailers collectively endure more than 130 million credential stuffing attacks per day resulting in nearly 660,000 account takeovers. The airline and hotel industries also are facing significant credential stuffing attacks leading to ATO, the report found.
The report also described how, in an effort to meet all the ways customers want to engage with them, retailers’ move to omnichannel environments is exacerbating the ATO problem.
“Credential stuffing attackers have benefitted from the rise in omnichannel services,” the report said. “One of the biggest opportunities for fraud is the gap between online and offline retail created by omnichannel services. Fraudsters can use hijacked online accounts to more easily monetize previously stolen merchandise from physical storefronts, as well as purchase merchandise online which they then monetize in stores.”
More than 2.3 billion credentials were compromised in 2017, according to the analysis.