Fraud on the Rise: Credential Stuffing
The world’s fifth largest retailer falls victim to credential stuffing attack orchestrated by hackers.
TESCO, the world’s fifth largest retailer, announced a plan to re-issue over 600,000 of its loyalty Clubcards after what appears to have been a credential stuffing attack on its website [1]. No financial information was lost, though it does appear that some Clubcard points, the vouchers used for discounts and purchases in store, on its website and with partners, were compromised.
So how did this happen? How could hackers possibly break the username and password combinations of over 600,000 customers?
First, it’s important to understand where the concept of a username and password came from. Most sources pinpoint a computer system known as the Compatible Time-Sharing System (CTSS) [2] that was in operation at MIT between 1961 and 1973. That’s nearly six decades ago, so it’s an old concept, and one that most security experts view as not secure enough on its own to protect what is ever more valuable: customer data.
And in answer to the how question, the simple answer is that they didn’t hack those accounts. What they did was exploit an inherent weakness that exists in virtually every username and password combination, and it’s this:
It’s been reported that more than 90% of consumers reuse the same username and password across every account they own.
On the face of it, it makes sense. Why would the average person choose a distinct combination for every account? For example, most people I know use their personal email as a username and the same password for virtually everything. While writing this piece, I took a quick look at my mobile device. Alarmingly, I have over 30 accounts, and I am pretty confident that they all have the same credentials.
There are large lists of username and password combinations available on the web, both on the dark web and on some sites on the open Internet. Often sold, these credential lists are replayed by fraudsters against large lists of target websites to exploit exactly this reuse weakness: a password leaked from one site is tried, in bulk and automatically, against the login pages of many others.
In summary, the organization hosting the accounts has not itself been breached. It has not released any details, nor has it knowingly risked its customers’ account information. However, the end result remains the same:
- Bad publicity
- Bad experience for their customers
- Financial loss from fraudulent orders placed through customer accounts and the resulting chargebacks
- Fraudsters gleaning personal details from the customer information stored within their profiles
- Abuse of loyalty cash, points or privileges
So how can organizations stop this?
Well, assuming that hackers will continue to infiltrate systems to uncover large lists of user credentials and make them available online, organizations must take a defensive stance. Companies need a layered approach to detecting and preventing fraud, which should include:
- Identifying high levels of activity from a single location/IP address
- Detecting copy and paste attempts at a login page
- Identification of bot activity
- A statistical deviation in the number or failure rate of attempted logins
- Anomalies in the device or connection, e.g., the browser says it’s an iPhone but connection fingerprinting suggests it’s a Linux server
Ecommerce fraud prevention solutions that leverage these tactics can help detect credential stuffing attacks while they are in progress, giving you the opportunity to stop the attempts and protect your customers’ data.
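As an added illustration (example code written for this article, not part of any product or of the original post), the following toy detector applies four of the server-side signals listed above to constructed login-log lines: many distinct usernames from one IP inside a short window, a failure ratio far above normal, machine-regular request timing as a bot indicator, and a User-Agent that claims one operating system while a passive connection fingerprint reports another. The tab-separated log format, the IP addresses, the usernames and the "passive OS fingerprint" column are all assumptions made for the example; copy-and-paste detection is a browser-side signal and is not covered here.

```python
"""Toy credential-stuffing detector over constructed login-log lines (example code)."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from statistics import pstdev

# Assumed log line format (tab-separated), not a real product's format:
# <ISO-8601 timestamp> <client IP> <username> <OK|FAIL> <User-Agent> <passive OS fingerprint>
# The last column stands in for whatever the edge reports about the real client OS
# (e.g. a p0f-style TCP/IP fingerprint), independent of what the User-Agent claims.

IPHONE_UA = "Mozilla/5.0 (iPhone; CPU iPhone OS 16_0 like Mac OS X)"
UA_OS_HINTS = {"iPhone": "iOS", "Android": "Android", "Windows NT": "Windows", "Macintosh": "macOS"}


def constructed_log():
    """Constructed sample: a few legitimate logins plus one stuffing run from a single IP."""
    t0 = datetime(2023, 3, 1, 10, 0, 0, tzinfo=timezone.utc)
    lines = []
    legit = [  # different IPs, UA and fingerprint agree, mostly successful
        ("198.51.100.10", "alice@example.com", "OK", IPHONE_UA, "iOS"),
        ("198.51.100.11", "bob@example.com", "FAIL", "Mozilla/5.0 (Windows NT 10.0; Win64; x64)", "Windows"),
        ("198.51.100.11", "bob@example.com", "OK", "Mozilla/5.0 (Windows NT 10.0; Win64; x64)", "Windows"),
        ("198.51.100.12", "carol@example.com", "OK", "Mozilla/5.0 (Macintosh; Intel Mac OS X 13_0)", "macOS"),
    ]
    for i, (ip, user, result, ua, os_fp) in enumerate(legit):
        ts = t0 + timedelta(seconds=17 * i + 3)
        lines.append("\t".join([ts.isoformat(), ip, user, result, ua, os_fp]))
    # Attacker: 30 different usernames in 60 s, exactly 2.0 s apart, claiming iPhone
    # while the connection fingerprint says Linux; two reused passwords happen to work.
    for i in range(30):
        ts = t0 + timedelta(seconds=2 * i)
        result = "OK" if i in (4, 19) else "FAIL"
        lines.append("\t".join([ts.isoformat(), "203.0.113.7", f"victim{i:02d}@example.com",
                                result, IPHONE_UA, "Linux"]))
    return sorted(lines)  # ISO timestamps sort lexically


def parse(lines):
    """Parse log lines into time-ordered event dicts."""
    events = []
    for line in lines:
        ts, ip, user, result, ua, os_fp = line.split("\t")
        events.append({"ts": datetime.fromisoformat(ts), "ip": ip, "user": user,
                       "ok": result == "OK", "ua": ua, "os": os_fp})
    return sorted(events, key=lambda e: e["ts"])


def claimed_os(ua):
    """Operating system the User-Agent string claims, or None if unrecognised."""
    for needle, os_name in UA_OS_HINTS.items():
        if needle in ua:
            return os_name
    return None


def detect(events, window=timedelta(seconds=60), max_users_per_ip=10,
           max_fail_ratio=0.8, min_attempts=5, timing_jitter=0.1):
    """Return {ip: [reasons]} for source IPs whose login behaviour looks like stuffing.

    Thresholds are illustrative; a real deployment tunes them against its own baseline.
    """
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)  # events are already time-ordered
    alerts = {}
    for ip, evs in by_ip.items():
        reasons = set()
        for start in range(len(evs)):  # sliding window over this IP's attempts
            win = [e for e in evs[start:] if e["ts"] - evs[start]["ts"] <= window]
            if len(win) < min_attempts:
                continue
            if len({e["user"] for e in win}) > max_users_per_ip:
                reasons.add("many distinct usernames from one IP")
            if sum(not e["ok"] for e in win) / len(win) > max_fail_ratio:
                reasons.add("failure ratio far above normal")
            gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(win, win[1:])]
            if len(gaps) >= 4 and pstdev(gaps) < timing_jitter:  # humans are not this regular
                reasons.add("machine-regular request timing")
        for e in evs:  # device/connection anomaly needs no window
            claimed = claimed_os(e["ua"])
            if claimed and claimed != e["os"]:
                reasons.add(f"UA claims {claimed} but connection fingerprint says {e['os']}")
        if reasons:
            alerts[ip] = sorted(reasons)
    return alerts


if __name__ == "__main__":
    for ip, reasons in detect(parse(constructed_log())).items():
        print(ip, "->", "; ".join(reasons))
```

Only the attacker IP (203.0.113.7) trips any rule here; bob's one failed attempt followed by a success never reaches the minimum attempt count, and every legitimate client's User-Agent agrees with its connection fingerprint. In production the same rules would key on more than the raw source IP (ASN, proxy and residential-botnet reputation, session and device identifiers), since stuffing tools routinely rotate addresses.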
And for us personally, what can we do to hinder the bad actors?
We need to break the habit of our online lifetimes:
- Change your passwords regularly
- Use different passwords for different sites
- Or better yet, use a password manager to generate and store a unique password for each site