Back End News

Enterprise and Consumer Technology

Saturday, September 23rd, 2023

Menu

  • Home
  • News
    • 5G
    • Analytics
    • AI
    • Apps
    • Blockchain
    • Cloud
    • Cryptocurrency
    • Cybersecurity
    • Data
    • Data Privacy
    • e-commerce
    • Fintech
    • Hardware
    • ICT
    • IoT
    • Software
    • Startup
    • Telecommunications
    • Consumer
      • Automotive
      • Devices
      • Gaming
      • Internet
      • Media Release
  • Business
    • Business Features
    • CSR
    • Movements
    • Reports
  • Reviews
  • Special Report
  • Sponsored
    • Shop Now!
  • About
  • Contact
  • Services

Follow Us

  • LinkedIn
  • Twitter
  • Facebook
  • Instagram

Our Services – Talk to us.

SME, Small Business, small and medium enterprises

Photo by Anthony Shkraba on Pexels.com

Top Posts

  • Xiaomi's Redmi 12 hits the PH market
    Xiaomi's Redmi 12 hits the PH market
  • GoTyme Bank aims to unlock Filipinos' financial potential
    GoTyme Bank aims to unlock Filipinos' financial potential
  • Globe launches digital-only prepaid eSIM
    Globe launches digital-only prepaid eSIM
  • Alibaba beefs up DingTalk messaging app for Hangzhou Asian Games
    Alibaba beefs up DingTalk messaging app for Hangzhou Asian Games
  • Xiaomi announces Redmi 10 in the Philippines
    Xiaomi announces Redmi 10 in the Philippines
News

Online shoppers are susceptible to credential stuffing

By Marlet D. Salazar on October 23, 2018

Content delivery network firm Akamai Technologies’ State of the Internet / Security Credential Stuffing Attacks report show that it “detected approximately 3.2 billion malicious logins per month from January through April 2018, and over 8.3 billion malicious login attempts from bots in May and June 2018 — a monthly average increase of 30 percent. In total, from the beginning of November 2017 through the end of June 2018, Akamai researcher analysis shows more than 30 billion malicious login attempts during the eight-month period.”

In the middle of these threats is the continuously thriving e-commerce industry, which is expected to attract more customers as the holiday season gets closer.

The online retail platform is gaining momentum in Asia with an estimated revenue of over $800 million in 2018, according to Statista. Its expected annual growth of 11.5 percent is expected from this year to 2022 while the average revenue per user currently amounts to almost $500.

Data for sale

These figures draw hackers to constantly try to steal login credentials using botnets and when successful, either sell them on the dark web or use them for their own malicious purpose such as committing fraud.

Along with e-commerce sites, criminals also continue to target banks or financial institutions because there is a “lot of financial gains” that criminals were able to get from it, said Fernando Serto, head of Security Technology and Strategy Asia-Pacific at Akamai.

Online retailers that continue to become targets may incur losses of hundreds of thousands of dollars a day from bank fraud.

Serto explained how criminals have constantly “innovate” their methods of attacks.

“We started to notice that the same organizations were being targeted by different attackers,” he said. “There was another bank that was being targeted by three different botnets with very different characteristics. One of them, which was probably the most vicious one, is pacing itself instead of sending a lot of requests, which was quite normal until recently.”

The reason for this, Serto said, is because by pacing it will not launch the security alerts which are in place. These alerts are programmed to pick up suspicious and continuous log-in attempts.

“If you look into the span of six days which is the data that we analyzed,” Serto said, “they were coming from thousands of different IP addresses but the frequency of these logins is so low that a lot of the alerting systems the banks have won’t have picked it up because it’s minuscule.”

These malicious login attempts result from credential stuffing, according to Akamai report, “where hackers systematically use botnets to try stolen login information across the web. They target login pages for banks and retailers on the premise that many customers use the same login credentials for multiple services and accounts.”

Credential stuffing is basically an account takeover where criminals use the stolen data to commit fraud “on the victim’s behalf.”

Credential stuffing

Jonathan Tan, marketing manager of Akamai in Asean, explained that when someone gets hold of at least one of a consumer’s log-in credential, which was bought in the dark web, the criminal will try to use it across all of the victim’s accounts. The chances of a log-in credential used in an e-commerce site and in a banking site are quite high. He said that human psychology dictates consumers maintain “five or six sets of logins and passwords” and criminals will try each one to every account until they are able to get in.

Serto said they also noticed that many of the attacks are “coming from mobile apps.”

Many of the online retailers have launched their own shopping apps to give customers the best possible and convenient shopping experience.

“People (sellers) suddenly transition from having a website or portal on the internet where people access on their laptops to having mobile apps because of the high mobile device penetration,” he said. “The problem with that is it is a lot more difficult to protect mobile apps than it is with websites.”

Serto explained how it is more difficult to protect mobile apps than protecting websites.

“Websites have been around for a lot longer than mobile apps,” he said. “The challenge to the users is not really which way they are going to be safer because the data on the back end is the same” but enterprises need to ensure consumer data must be protected.

“APIs (Application programming interface) have a big problem today with mobility,” he said. “We’re helping customers to automate a lot of their security capabilities to be able to mitigate effectively attacks not only by inspecting every API request but also through our API gateway, which we launched earlier this year. We are not only looking into potentially threatening API calls but we’re also allowing customers to do authorization or authentication of APIs and we do a lot of caching as well to speed up a lot of mobile apps.”

Multi-factor authentication

End users can help protect their accounts by simply enabling multi-factor authentication (MFA) or a security measure that will verify an individual’s log-in attempts through several methods such as SMS or email verification.

Serto strongly advises users to use MFA. However, he warned people in using SMS for authentication.

“There are different types of multi-factor authentication,” he explained. “If you have the option to use SMS vs any other way, I would choose any other way because it is very easy to impersonate someone and clone a SIM card.”

He also said that using randomized token is also more preferred than using SMS for log-in verification.

On the enterprises’ part, Serto said Akamai built “an infrastructure in front of any applications that are exposed on the internet,” which include web applications firewall, bot management, and bot detection.

In the Akamai report, it explained how a company is able to reduce account takeovers of a customer to just one to three per month just by putting behavioral-based bot detections in front of every consumer login endpoint.

“We allow retailers to even choose how they want to respond to bots,” he said.

He explained how, for example, an airline who has an ongoing fare promotion can give a totally different pricing between a real human being and a botnet. This is to protect businesses not only from someone breaking in and steal information but also from the competitive perspective.

Using a botnet detection program can help companies prevent malicious log-in attempts that may lead to account takeovers once hackers were able to steal consumer data. The bots are programmed to respond to different hacking behaviors where actors also use bad bots.

The number of online shoppers is expected to increase in the coming months and the enormity of the number of transactions may seem overwhelming to online retailers. Companies and its security vendor partners are also expected to step up their security measures not only to protect consumer data but also to prevent business losses in the event of any data breach.

Image from Pixabay

SHARE

  • Click to share on Facebook (Opens in new window)
  • Click to share on Twitter (Opens in new window)
  • Click to share on LinkedIn (Opens in new window)
  • Click to share on Reddit (Opens in new window)
  • Click to share on Tumblr (Opens in new window)
  • Click to share on Pinterest (Opens in new window)
  • Click to share on Telegram (Opens in new window)
  • Click to share on Pocket (Opens in new window)
  • Click to share on WhatsApp (Opens in new window)
  • More
  • Click to email a link to a friend (Opens in new window)

Related Stories

Categories: News

Tagged as: Account takeover, Akamai, botnets, Cloud, Credential Suffing, Cybersecurity, Data Privacy

Post navigation

Internet users now at 4.2 billion; 6 countries average 100 Mbps on broadband speed — report
Emerging technologies AI, blockchain, digital assistants will accelerate cloud adoption
Privacy & Cookies: This site uses cookies. By continuing to use this website, you agree to their use.
To find out more, including how to control cookies, see here: Cookie Policy

Copyright 2018-2023 Back End News

Categories

  • Top categories: News Smart
Contact | |