How To Mitigate Account Takeover In Retail

RH-ISAC article featured on Retail IT Insights. The below is an excerpt from the article. For the full post, visit:

Online shopping is pervasive, especially as more and more retailers expand their digital commerce. While online shopping provides a multitude of benefits for both retailers and consumers, it also has created a new threat in the industry called account takeover (ATO) fraud.

ATO is the unauthorized access and control of a legitimate user account. By getting hold of a customers’ usernames and passwords, cybercriminals can use the hacked accounts to glean a lot of information. This information can be used to create new accounts, impersonate real customers and steal goods and services.

Like so many other types of fraud, ATO is increasingly committed at scale by bots. In fact, according to Akamai’s “State of the Internet Security” report, more than 40 percent of online login attempts are attackers trying to invade accounts. Hackers write scripts that test various combinations of stolen usernames plus potential passwords across multiple websites and apps, until they find a way in. This is called credential stuffing. These brute-force attacks are helping fraudsters move as quickly as possible and focus on maximizing the value of each successful ATO.

Impact On Retail & Hospitality

Since January 2018, at least 17 retail and hospitality companies were compromised and likely had account information stolen from them. The 2018 Credential Spill Report from cybersecurity firm Shape Security showed that 91 percent of the login attempts made on online retailers’ websites were hackers using stolen data. This startling statistic speaks to the unique challenges that retail and hospitality organizations face with balancing the need to secure their websites while maintaining minimal friction for customers who wish to shop online.

According to the credential spill report, an estimated 82 percent of login requests for hotels and hospitality online markets are attributed to credential stuffing. To better fit the needs of the customer, hotels have incorporated the use of mobile applications to streamline user experience during booking, check-in and even as a substitute for room keys. But this has significantly increased the attack potential for hospitality.

ATO not only wreaks havoc for victimized users, but can create serious damage to companies’ own brands, reputation and revenue stream. Retailers need a serious online fraud strategy to protect consumers and their organizations. Let’s now look at cyber criminals’ tactics and then some best practices for detention and response.

ATO Best Practices For Retail And Hospitality

ATO is an increasingly costly threat for retailers in the U.S. and worldwide. As education and awareness increases for cyber teams, customers and legitimate account owners, so does the capability and sophistication of cybercriminals. Key recommendations to consider include:

  1. Develop a plan and process
  2. Adapt and adjust your methodology
  3. Utilize your network
  4. Join an information sharing organization/fraud committee for support

Retail and hospitality organizations need to protect their business and their customers from ATO fraud. Cybercriminals are becoming more and more sophisticated and using automated botnets and other techniques to efficiently attack online retailers. For eCommerce companies to succeed digitally, it’s imperative to protect against ATO through a multi-pronged approach which includes sector collaboration.

Read the full article on Retail IT Insights:


More Recent Blog Posts