By Alexandra Brown, Retail & Hospitality ISAC
Online shopping is pervasive, especially as more and more retailers expand their digital commerce. While online shopping provides a multitude of benefits for both retailers and consumers, it also has created a new threat in the industry called account takeover (ATO) fraud.
ATO is the unauthorized access and control of a legitimate user account. By getting hold of customers' usernames and passwords, cybercriminals can use the hijacked accounts to glean a lot of information. This information can be used to create new accounts, impersonate real customers and steal goods and services.
Like so many other types of fraud, ATO is increasingly committed at scale by bots. In fact, according to Akamai’s “State of the Internet Security” report, more than 40 percent of online login attempts are attackers trying to invade accounts. Hackers write scripts that test various combinations of stolen usernames plus potential passwords across multiple websites and apps, until they find a way in. This is called credential stuffing. These brute-force attacks are helping fraudsters move as quickly as possible and focus on maximizing the value of each successful ATO.
Impact On Retail & Hospitality
Since January 2018, at least 17 retail and hospitality companies were compromised and likely had account information stolen from them. The 2018 Credential Spill Report from cybersecurity firm Shape Security showed that 91 percent of the login attempts made on online retailers’ websites were hackers using stolen data. This startling statistic speaks to the unique challenges that retail and hospitality organizations face with balancing the need to secure their websites while maintaining minimal friction for customers who wish to shop online.
According to the credential spill report, an estimated 82 percent of login requests for hotels and hospitality online markets are attributed to credential stuffing. To better fit the needs of the customer, hotels have incorporated the use of mobile applications to streamline user experience during booking, check-in and even as a substitute for room keys. But this has significantly increased the attack potential for hospitality.
ATO not only wreaks havoc for victimized users, but can also seriously damage companies' brands, reputation and revenue streams. Retailers need a serious online fraud strategy to protect consumers and their organizations. Let's now look at cybercriminals' tactics and then some best practices for detection and response.
Cybercriminal Tactics To Hack Into Accounts
ATO attacks occur when cybercriminals gain access to real user accounts in order to reach valuable information such as financial data. To obtain legitimate user credentials, adversaries may use a myriad of tactics and attack vectors including:
What Happens To Hacked Information?
Cybercriminals monetize information stolen or discovered from ATO attacks either through conducting subsequent fraudulent activity themselves with the stolen information or by selling compromised accounts or payment data to other cybercriminals.
Cybercriminals monetize information from ATO attacks in a variety of ways:
From large-scale organized criminal operations based in Eastern Europe to local crime rings, resale of stolen or fraudulently purchased goods is a prime factor in the persistent targeting of retail and eCommerce customer accounts. Cybercriminals need the ability and funds to acquire desirable goods, then pass them to an intermediary who reships the products, or to an aggregated reshipping service, often destined for less regulated overseas locations.
Identifying And Prioritizing Areas For Response
Retail and hospitality organizations can protect against ATO attacks by addressing the multiple types of accounts as well as the multiple methods that accounts may be accessed. Mapping these out is the first step to protection. Each type of account may have different levels of business risk. This may include:
Incident response processes should be aligned directly with the business risk. Responses to takeovers of higher-risk accounts may require more process and faster timelines. Some activities, such as failed login attempts, are identified only as security events with no quantifiable business risk and have minimal or no response processes.
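Credential stuffing, as described above, shows up in authentication logs as many distinct usernames tried from one source with a high failure rate, while the accounts that actually need a response are the few that succeeded from such a source. This is an added example, not code from the article or from RH-ISAC, and the log format, field names and thresholds are assumptions for illustration:

```python
import re
from collections import defaultdict

# Constructed sample auth log (timestamp, source IP, username, outcome);
# not real data. 203.0.113.7 sprays six different usernames in seconds;
# 198.51.100.4 is one user retrying their own password.
SAMPLE_LOG = """\
2018-06-01T10:00:01Z 203.0.113.7 alice@example.com FAIL
2018-06-01T10:00:02Z 203.0.113.7 bob@example.com FAIL
2018-06-01T10:00:02Z 203.0.113.7 carol@example.com FAIL
2018-06-01T10:00:03Z 203.0.113.7 dave@example.com SUCCESS
2018-06-01T10:00:03Z 203.0.113.7 erin@example.com FAIL
2018-06-01T10:00:04Z 203.0.113.7 frank@example.com FAIL
2018-06-01T10:05:00Z 198.51.100.4 alice@example.com FAIL
2018-06-01T10:05:20Z 198.51.100.4 alice@example.com FAIL
2018-06-01T10:05:45Z 198.51.100.4 alice@example.com SUCCESS
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (FAIL|SUCCESS)$")


def parse(log):
    """Return (timestamp, ip, username, outcome) tuples; skip malformed lines."""
    return [m.groups() for m in map(LINE_RE.match, log.splitlines()) if m]


def score_sources(events, min_attempts=5, min_distinct_users=4, min_fail_ratio=0.6):
    """Flag source IPs whose pattern looks like credential stuffing (assumed
    thresholds): many attempts, many distinct usernames, mostly failures.
    For each flagged source, list the usernames that logged in successfully;
    those are the likely takeovers that warrant a response, whereas the
    failed attempts alone are only security events."""
    by_ip = defaultdict(lambda: {"attempts": 0, "fails": 0, "users": set(), "hits": set()})
    for _ts, ip, user, outcome in events:
        s = by_ip[ip]
        s["attempts"] += 1
        s["users"].add(user)
        if outcome == "FAIL":
            s["fails"] += 1
        else:
            s["hits"].add(user)
    flagged = {}
    for ip, s in by_ip.items():
        ratio = s["fails"] / s["attempts"]
        if (s["attempts"] >= min_attempts and len(s["users"]) >= min_distinct_users
                and ratio >= min_fail_ratio):
            flagged[ip] = {"attempts": s["attempts"], "fail_ratio": round(ratio, 2),
                           "likely_takeovers": sorted(s["hits"])}
    return flagged


if __name__ == "__main__":
    print(score_sources(parse(SAMPLE_LOG)))
```

Thresholds like these belong in tuning against your own login volumes; a single user's retries stay below the distinct-username bar by design.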
Retail and hospitality cybersecurity teams should conduct regular reviews of account takeover remediation. This should consist of the following:
The goal of regular review is to develop new methods for prevention, efficiency in response, and overall business risk reduction.
Teams may also consider writing lessons-learned reports. These reports provide an executive overview of what happened, what was impacted, and what needs to be done so that the vulnerability or attack does not occur again. Recommendations should be defined, tracked and provided to teams for remediation. If an attack happens again, teams can refer back to the lessons-learned report to verify which recommendations were not applied.
Best Practices For Retail And Hospitality
ATO is an increasingly costly threat for retailers in the U.S. and worldwide. As education and awareness increase for cyber teams, customers and legitimate account owners, so do the capability and sophistication of cybercriminals. Key recommendations to consider include:
Retail and hospitality organizations need to protect their business and their customers from ATO fraud. Cybercriminals are becoming more and more sophisticated and using automated botnets and other techniques to efficiently attack online retailers. For eCommerce companies to succeed digitally, it’s imperative to protect against ATO through a multi-pronged approach which includes sector collaboration.
About The Author
Alexandra Brown focuses on directing programs and developing content catered to the cybersecurity community. Currently, she serves as program manager at the Retail & Hospitality Information Sharing and Analysis Center (RH-ISAC), where she develops content especially for the RH-ISAC membership. As a member of the Membership Engagement Team, Brown focuses upon membership events, webinars, and training tools and is a primary resource for RH-ISAC’s trusted communities and working groups. Prior to RH-ISAC, Brown worked at Kavi Corporation as an implementation consultant and Evanta as a content director.