It can happen to you. Don’t wait until it does to consider protecting your business. Thomas Platt, Head of eCommerce at Netacea explains why.
According to researchers at RiskBased Security, around 16 billion records have been exposed so far this year. However, there’s still a common misconception that as long as your company hasn’t fallen victim to a breach, there’s no need to worry. This couldn’t be further from the truth. Data breaches are every retailers’ problem. And as the summer sales ramp up, they are set to become an even bigger problem.
Once a data breach has happened, and confidential information can be accessed, hackers collect and sell these breached credentials on the dark web. Now, manually inserting different usernames and passwords won’t yield results. But a bot is capable of checking 1000s of username and password combinations each minute. After the bots have discovered a successful match, hackers are able to purchase what they wish, leaving the unknowing consumer to foot the bill – a technique known as credential stuffing.
But this is not the only way hackers use breached data. If credit card information is leaked, many hackers use card cracking bots to create fake profiles and buy goods with these stolen credit card details; the idea is to go through a list of stolen credit cards and find those that are still valid. Again, doing this manually is impossible, but bots not only make this process simple, but hugely profitable.
If consumers have a problem, so do retailers
Many might still be thinking well, this sounds like a consumer problem, how does breached data affect retailers? Well, compromised usernames and passwords quickly become retailers’ problem when their customers feel the effects.
Firstly, if breached customer details are used on a retailer’s website it will impact user trust. Regardless of how the breach came about, every customer affected is likely to lose trust in that company and think twice about purchasing from them again. They may even actively deter friends and family from ordering. For retailers, many of whom depend on loyal customers and are competing in crowded marketplaces, a loss of trust can lead to a significant revenue loss.
Secondly, reputational damage tends to occur as customers believe it is in fact the retailer’s fault for not blocking the fraudulent transaction. Nowadays, consumers expect retailers to have sophisticated cybersecurity defenses in place. When breached data is used in transactions, it makes consumers question just how important they, and their data, are to a brand.
As we move further into the summer sales season, and more customers are opting to buy online, retailers must be wary of fraudsters taking advantage of increased sales and high levels of online activity. Fraudsters will be hoping that the increase in sales will defer attention away from their credential stuffing and card cracking bots. However, if these bots are not stopped, it’s retailers who will feel the backlash.
What’s the answer?
So, how can retailers prevent hackers from using bots to launch credential stuffing and card cracking attacks? The initial step is to look at the fundamental flaw with traditional methods of bot detection and mitigation. By only focusing on making humans prove they are not bots through techniques like CAPTCHA, where a human has to perform a task such as selecting the right photos, there’s not only a risk of blocking good bots, such as search engine bots, but are also missing the sophisticated attacks that might appear human-like in behaviour.
The answer is to ask a different question. Rather than asking “is this a human or a bot?” retailers need to focus on intent and ask “what is this visitor doing?” They must analyse what an average user journey looks like, and then consider what an unusual journey or behaviour could look like. Customers are likely to forget their password and username combination a couple of times—but not ten thousand times. Focusing on the intent of their website traffic by looking at user journeys, is key. And in times of peak traffic, retailers must be analysing their customers journeys in more detail than before.
Web logs facilitate this analysis, allowing retailers to build a profile of the way users interact with their online account to determine their intent. While attackers can mask their behaviour to appear human-like, they cannot easily disguise their intention.
When reframing the question to focus on intent, retailers no longer need to invade a user’s privacy by introducing additional intrusive code to a website. This means they can be more accurate in stopping highly sophisticated attacks and ensure that another business’s data breach does not become their problem, whilst also giving their customers a better experience.