Guest Column | May 24, 2019

How To Mitigate Account Takeover In Retail

By Alexandra Brown, Retail & Hospitality ISAC

Cyber Threats And Data Security

Online shopping is pervasive, and it keeps growing as more retailers expand their digital commerce. While online shopping provides a multitude of benefits for both retailers and consumers, it has also created a new threat in the industry called account takeover (ATO) fraud.

ATO is the unauthorized access and control of a legitimate user account. Once cybercriminals hold a customer’s username and password, they can use the compromised account to glean a lot of information, including stored payment data, gift card balances and rewards points. This information can be used to create new accounts, impersonate real customers and steal goods and services.

Like so many other types of fraud, ATO is increasingly committed at scale by bots. In fact, according to Akamai’s “State of the Internet Security” report, more than 40 percent of online login attempts are attackers trying to break into accounts. Attackers write scripts that replay username and password pairs leaked from earlier breaches against many other websites and apps, betting that customers reused the same password; each pair that works is a takeover. This is called credential stuffing. It differs from classic brute-forcing, which hammers a single account with many guesses: stuffing makes roughly one attempt per account across a very long list, so it rarely trips per-account lockouts. Either way, automation lets fraudsters move as quickly as possible and focus on maximizing the value of each successful ATO.

Impact On Retail & Hospitality

Since January 2018, at least 17 retail and hospitality companies were compromised and likely had account information stolen from them. The 2018 Credential Spill Report from cybersecurity firm Shape Security showed that 91 percent of the login attempts made on online retailers’ websites were hackers using stolen data. This startling statistic speaks to the unique challenges that retail and hospitality organizations face with balancing the need to secure their websites while maintaining minimal friction for customers who wish to shop online.

According to the credential spill report, an estimated 82 percent of login requests for hotels and hospitality online markets are attributed to credential stuffing. To better fit the needs of the customer, hotels have incorporated mobile applications to streamline the user experience during booking, check-in and even as a substitute for room keys. But every one of these login surfaces is another place a stolen credential can be replayed, which has significantly increased the attack surface for hospitality.

ATO not only wreaks havoc for victimized users, but can do serious damage to companies’ own brands, reputation and revenue stream. Retailers need a serious online fraud strategy to protect consumers and their organizations. Let’s now look at cybercriminals’ tactics and then some best practices for detection and response.

Cybercriminal Tactics To Hack Into Accounts

ATO attacks occur when cybercriminals log in to real user accounts and reach valuable information such as financial data. To obtain legitimate user credentials, adversaries may use a myriad of tactics and attack vectors including:

  • Phishing: fraudulent emails (or text messages) that lure the account owner into entering credentials or revealing other personally identifiable information (PII) on an attacker-controlled page
  • Social Engineering: misleading individuals, by phone, email or in-store, into revealing sensitive or confidential information or resetting an account password
  • Credential Stuffing: replaying lists of usernames and passwords stolen from other sites to gain unauthorized access to accounts whose owners reused them
  • Brute-forcing: submitting and systematically checking many candidate passwords against an account until one matches
  • Session Hijacking: obtaining a valid user’s session, for example by stealing the session cookie or token, so the attacker acts as that user without ever entering a password
  • Exploiting Vulnerabilities: finding web application flaws that expose the customer database or bypass authentication

What Happens To Hacked Information?

Cybercriminals monetize information stolen or discovered through ATO attacks either by conducting subsequent fraudulent activity themselves or by selling compromised accounts or payment data to other cybercriminals. Common monetization paths include:

  • Ordering goods or merchandise online or in-store with compromised customer account information to later resell or return in exchange for cash or gift cards
  • Purchasing gift cards to be delivered electronically
  • Stealing gift cards and other payment data stored in an account to sell to other cybercriminals
  • Acting as a reseller, selling compromised accounts or duplicate payment cards to other cybercriminals
  • Redeeming customer rewards points for goods or services

From large-scale organized criminal operations based in Eastern Europe to local crime rings, resale of stolen or fraudulently purchased goods is a prime factor in the persistent targeting of retail and eCommerce customer accounts. The criminal needs compromised accounts or payment data with enough value to buy desirable goods, then hands the goods to an intermediary who reships them, or to an aggregated reshipping service, often to less regulated overseas locations.

Identifying And Prioritizing Areas For Response

Retail and hospitality organizations can protect against ATO attacks by addressing the multiple types of accounts as well as the multiple methods that accounts may be accessed. Mapping these out is the first step to protection. Each type of account may have different levels of business risk. This may include:

  • Regulatory – Such as payment card data and personally identifiable information (PII) handling
  • Fraudulent activity – Products and services as well as potential theft or fraud against a customer
  • Reputational damage – Such as impacts to brand perception
  • Loss of consumer confidence – Perception of poor security may reduce consumer loyalty
  • Lost revenue – Each of the above ultimately shows up in earnings before interest, tax, depreciation and amortization (EBITDA)

Incident response processes should be aligned directly with the business risk. Takeovers of higher-risk accounts may require more process and faster response. Some activities, such as a single failed login attempt, are only security events with no quantifiable business risk and warrant minimal or no response on their own. Distinguish the single event from the aggregate, however: a surge of failures spread across thousands of usernames is the clearest early indicator of credential stuffing, so failed logins should still be counted and trended even when no individual event is actioned.

Post-Incident Activity

Retail and hospitality cybersecurity teams should conduct regular reviews of account takeover remediation. This should consist of the following:

  • Trends or other patterns
  • Accounts of higher value to criminals (such as VIP)
  • Efficacy of current processes

The goal of regular review is to develop new methods for prevention, efficiency in response, and overall business risk reduction.

Teams may also consider writing lessons-learned reports. These reports provide an executive overview of what happened, what was impacted, and what needs to be done so that the same vulnerability or attack does not recur. Recommendations should be defined, tracked and provided to teams for remediation. If an attack happens again, teams can refer back to the lessons-learned report to verify which recommendations were not applied.

Best Practices For Retail And Hospitality

ATO is an increasingly costly threat for retailers in the U.S. and worldwide. As education and awareness increases for cyber teams, customers and legitimate account owners, so does the capability and sophistication of cybercriminals. Key recommendations to consider include:

  1. Develop a plan and process: Work across departments to audit each endpoint an attacker could hit (web login, mobile app, call center, in-store) and develop a tracking system based on the behaviors and technical indicators seen at each stage of the kill chain. Once you understand your exposures and which data matters most, you can implement analytical tools for ATO, set up scripts to monitor for the signatures of common brute-forcing and account-checking tools, and begin to establish a framework for how your organization tracks actors. Write incident response plans proactively, and if and when an attack occurs, write a lessons-learned report that can be referenced during future incidents.
  2. Adapt and adjust your methodology: Detecting ATO is inherently reactive, so cyber intel and fraud teams must continually iterate on tools and methods to raise the barriers and to limit or eliminate monetization opportunities, which deters repeat attacks. Focus on disrupting attacker progress: study the tactics and techniques in use, shut down the low-level account-checking activity that precedes fraud, and watch for new exploit techniques. Act quickly to stop persistent attackers from pivoting, monitor your logs and remain vigilant.
  3. Utilize your network: No two ATO attacks are the same, but sharing and collecting intelligence from retail peers, law enforcement and other organizations can increase organizational understanding, ownership and preparedness. Know your local FBI and DHS contacts and establish a process for outreach. Ask your peers in trust groups and circles questions, and educate your cross-departmental teams on the resources available.
  4. Join an information sharing organization/fraud committee for support: Consider joining a sector-specific sharing organization where members and other cybersecurity stakeholders share information on cyber risks. There are a few to choose from, and sharing threat intelligence among peers encourages sector-wide collaboration and engagement and helps members better protect themselves against threats. There are also specific fraud committees you can join to help mitigate losses and the effect of fraud on customers by defining and targeting specific issues within the cyber-fraud space.
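The credential-stuffing pattern described earlier (leaked username and password pairs tried roughly once each across many accounts, most of them failing) and the monitoring scripts that step 1 recommends can be illustrated with a small detector over authentication logs. The following Python is an added example, not code from RH-ISAC or from the original column; the log format, IP addresses, usernames and thresholds are all constructed for illustration.

```python
"""Flag credential-stuffing and brute-force sources in authentication logs.

Added example. The log format, addresses, usernames and thresholds below are
constructed for illustration and do not come from any real product or incident.
"""
import re
from collections import defaultdict

# Constructed sample lines in a hypothetical format:
# "<timestamp> <source_ip> <username> <SUCCESS|FAIL>"
SAMPLE_LOG = """\
2019-05-20T10:00:01Z 198.51.100.4 alice@example.com SUCCESS
2019-05-20T10:00:05Z 198.51.100.4 alice@example.com SUCCESS
2019-05-20T10:00:07Z 203.0.113.7 bob@example.com FAIL
2019-05-20T10:00:08Z 203.0.113.7 carol@example.com FAIL
2019-05-20T10:00:08Z 203.0.113.7 dave@example.com FAIL
2019-05-20T10:00:09Z 203.0.113.7 erin@example.com SUCCESS
2019-05-20T10:00:09Z 203.0.113.7 frank@example.com FAIL
2019-05-20T10:00:10Z 203.0.113.7 grace@example.com FAIL
2019-05-20T10:01:00Z 192.0.2.9 heidi@example.com FAIL
2019-05-20T10:01:01Z 192.0.2.9 heidi@example.com FAIL
2019-05-20T10:01:02Z 192.0.2.9 heidi@example.com FAIL
2019-05-20T10:01:03Z 192.0.2.9 heidi@example.com FAIL
2019-05-20T10:01:04Z 192.0.2.9 heidi@example.com FAIL
2019-05-20T10:01:05Z 192.0.2.9 heidi@example.com FAIL
2019-05-20T10:02:00Z 198.51.100.20 ivan@example.com FAIL
2019-05-20T10:02:30Z 198.51.100.20 ivan@example.com SUCCESS
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(SUCCESS|FAIL)$")


def parse_log(text):
    """Return a list of (timestamp, ip, username, ok) tuples, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, ip, user, result = m.groups()
            events.append((ts, ip, user, result == "SUCCESS"))
    return events


def overall_failure_rate(events):
    """Share of all login attempts that failed; a site-wide jump is the cheapest stuffing alarm."""
    if not events:
        return 0.0
    return sum(1 for e in events if not e[3]) / len(events)


def classify_sources(events, min_attempts=5, min_fail_ratio=0.8, stuffing_max_per_user=2.0):
    """Label noisy source IPs as 'credential_stuffing' or 'brute_force'.

    Both patterns share a high failure ratio; they differ in shape:
      credential_stuffing: many distinct usernames, about one try each, because each
        leaked pair is tested once and most customers did not reuse that password here
      brute_force: one or a few usernames hit with many guesses each
    Sources below min_attempts or with an ordinary failure ratio get no label.
    """
    per_ip = defaultdict(lambda: {"attempts": 0, "fails": 0, "users": set()})
    for _, ip, user, ok in events:
        s = per_ip[ip]
        s["attempts"] += 1
        s["fails"] += 0 if ok else 1
        s["users"].add(user)

    labels = {}
    for ip, s in per_ip.items():
        if s["attempts"] < min_attempts:
            continue
        if s["fails"] / s["attempts"] < min_fail_ratio:
            continue
        tries_per_user = s["attempts"] / len(s["users"])
        labels[ip] = "credential_stuffing" if tries_per_user <= stuffing_max_per_user else "brute_force"
    return labels


def accounts_to_contain(events, labels):
    """Usernames that logged in successfully from a source labelled credential_stuffing.

    A success inside a stuffing run means the customer reused a leaked password and the
    account is now in attacker hands: force a reset, invalidate sessions, review recent orders.
    """
    return sorted({user for _, ip, user, ok in events
                   if ok and labels.get(ip) == "credential_stuffing"})


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print(f"failure rate: {overall_failure_rate(evts):.0%}")
    lbls = classify_sources(evts)
    for ip, label in sorted(lbls.items()):
        print(f"{ip}: {label}")
    print("contain:", accounts_to_contain(evts, lbls))
```

On the constructed sample, 203.0.113.7 is labelled credential_stuffing (six usernames, one try each, five failures) and 192.0.2.9 brute_force (one username, six failures), while the two legitimate sources fall below the attempt threshold. The one success inside the stuffing run, erin@example.com, is the account to contain. Per-IP thresholds like these are defeated by the botnets the column mentions, which spread attempts thinly across thousands of addresses; against those, the site-wide failure rate, grouping by ASN or device fingerprint, and the ratio of distinct usernames to attempts across the whole fleet are the signals to trend.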

Retail and hospitality organizations need to protect their business and their customers from ATO fraud. Cybercriminals are becoming more and more sophisticated and using automated botnets and other techniques to efficiently attack online retailers. For eCommerce companies to succeed digitally, it’s imperative to protect against ATO through a multi-pronged approach which includes sector collaboration.

About The Author

Alexandra Brown focuses on directing programs and developing content catered to the cybersecurity community. Currently, she serves as program manager at the Retail & Hospitality Information Sharing and Analysis Center (RH-ISAC), where she develops content especially for the RH-ISAC membership. As a member of the Membership Engagement Team, Brown focuses on membership events, webinars, and training tools and is a primary resource for RH-ISAC’s trusted communities and working groups. Prior to RH-ISAC, Brown worked at Kavi Corporation as an implementation consultant and at Evanta as a content director.