Slashdot Mirror


Hackers Account For 90 Percent of Login Attempts At Online Retailers (qz.com)

Hackers account for 90% of e-commerce sites' global login traffic, according to a report by cybersecurity firm Shape Security. They reportedly use programs to apply stolen data acquired on the dark web -- all in an effort to log in to websites and grab something of value like cash, airline points, or merchandise. Quartz reports: These attacks are successful as often as 3% of the time, and the costs quickly add up for businesses, Shape says. This type of fraud costs the e-commerce sector about $6 billion a year, while the consumer banking industry loses out on about $1.7 billion annually. The hotel and airline businesses are also major targets -- the theft of loyalty points is a thing -- costing a combined $700 million every year.

The process starts when hackers break into databases and steal login information. Some of the best known "data spills" took place at Equifax and Yahoo, but they happen fairly regularly -- there were 51 reported breaches last year, compromising 2.3 billion credentials, according to Shape. Taking over bank accounts is one way to monetize stolen login information -- in the US, community banks are attacked far more than any other industry group. According to Shape's data, that sector is attacked more than 200 million times each day.
Shape says the number of reported credential breaches was roughly stable at 51 last year, compared with 52 in 2016. The best way consumers can minimize these attacks is by changing their passwords.

33 comments

  1. Password: cApta1n0b-V-u5 by Tablizer · · Score: 1

    Hackers keep trying different variations, usually using bots. The quantity does not surprise me.

    1. Re: Password: cApta1n0b-V-u5 by Anonymous Coward · · Score: 0

      Although 90% seems like a high number, I'm surprised it's this low.

  2. Kohl's by omnichad · · Score: 2

    The Kohl's web site is utterly broken. Every time they have a sale, your account gets locked due to too many password attempts. You literally have to reset your password almost every time you use it. Why you would lock an account entirely instead of rate limiting it or blocking the overseas IP addresses involved, I have no idea.

    1. Re:Kohl's by omnichad · · Score: 1

      Regardless, this doesn't seem to happen in any other retail site. There's clearly some mitigation option better than letting every account get locked. Also, the IPv4 address space is relatively small compared to potential passwords - they probably don't even handle IPv6.

    2. Re:Kohl's by olsmeister · · Score: 1

      Seems like they could do something that makes you prove you're a person before asking for login credentials.

    3. Re:Kohl's by Anonymous Coward · · Score: 0

      Yeah, T-Mobile has a setup where they lock your account for 24 hours. So if you have to check something, make a change, or pay your bill you forgot about, you have to call in.

      Of course, calling in means you have to wait on hold for 30 minutes on average. And enter your pass code, which is some ridiculous 20 digit or something number no one easily remembers so you have to dig that up.

      All because, like you suggest, they cannot rate limit attempts, or choose a shorter window, like 3 failures in 15 minutes, 5 in an hour, etc.
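As an added illustration (not code from any commenter), here is a sliding-window failure counter of the kind the comment above asks for, using its "3 failures in 15 minutes, 5 in an hour" figures; the event stream it replays is constructed.

```python
from collections import deque

# Thresholds from the comment above: (window in seconds, failures allowed).
WINDOWS = ((15 * 60, 3), (60 * 60, 5))


class FailureLimiter:
    """Per-key (account or client address) sliding-window failure counter.
    An attempt is refused only while some window is over its limit and is
    allowed again once old failures age out, unlike a hard account lock."""

    def __init__(self, windows=WINDOWS):
        self.windows = windows
        self.longest = max(w for w, _ in windows)
        self.failures = {}  # key -> deque of failure timestamps (seconds)

    def _recent(self, key, now):
        # Drop failures older than the longest window; return the deque.
        q = self.failures.setdefault(key, deque())
        while q and now - q[0] > self.longest:
            q.popleft()
        return q

    def is_allowed(self, key, now):
        q = self._recent(key, now)
        for window, limit in self.windows:
            if sum(1 for t in q if now - t <= window) >= limit:
                return False
        return True

    def record_failure(self, key, now):
        self._recent(key, now).append(now)

    def record_success(self, key):
        # A genuine login clears the counter for that key.
        self.failures.pop(key, None)


def simulate(limiter, key, events):
    """Replay constructed (timestamp, outcome) events; return allow decisions."""
    decisions = []
    for now, outcome in events:
        allowed = limiter.is_allowed(key, now)
        decisions.append(allowed)
        if allowed and outcome == "fail":
            limiter.record_failure(key, now)
        elif allowed:
            limiter.record_success(key)
    return decisions
```

Keyed by client address it throttles a bot without locking the real user out; keyed by account it caps how many guesses any one account absorbs per hour.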

  3. Re:Fhirstz Potski by Tablizer · · Score: 1

    That his toupee size?

  4. This is really, really old news... by gweihir · · Score: 1

    And has no surprise-factor at all. Basically anything that accepts log-ins from the Internet gets between a few and a few 1000 every minute. This may or may not get better with IPv6, but with IPv4, the whole net is scanned all the time.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  5. Matches my data (millions of attempts) by raymorris · · Score: 2

    I owned the company that built the login system which was used by most of the successful porn sites (as well as other sites), so I had opportunity to analyze many millions of attempts. 90% or higher seems about right.

    1. Re: Matches my data (millions of attempts) by Anonymous Coward · · Score: 0

      Did you actually save the attempts and use them to strengthen the system? The feedback loop of repeated failed attempts may be useful for training the system to recognise weak credentials by building a rainbow table of hashes to compare against and not all very common ones to be reused.

    2. Re:Matches my data (millions of attempts) by Anonymous Coward · · Score: 0

      So, logically, you should just block 90% of login attempts.

  6. That's it? by cascadingstylesheet · · Score: 1

    Only 90%??

  7. Best way says who? by arth1 · · Score: 1

    The best way consumers can minimize these attacks is by changing their passwords.

    No, that is not necessarily the best way. Why this unsubstantiated claim?
    Not creating an account in the first place and using a guest checkout is arguably better. So is switching to sites that offer better protection, like 2-factor authentication or having to call in the CVV.

  8. 200 million a day? Oh my. by Arzaboa · · Score: 2

    There are so many hack attempts, that when I try to create a new account, the first email I receive tells me that my account is locked due to too many failed logins.

    --
    Whats up doc? - B. Bunny

  9. I'm not believing. by pubwvj · · Score: 1

    I'm not sure I believe the problem to be as bad as people are making out.

    I shop online for almost everything because I live out in a very rural area. There are no local stores. As a result I have accounts at a great many online retailers. I have not had problems.

    I'm not saying the problem doesn't exist, just that I think it is getting exaggerated.

    I also have an online store for my business. I have no cases of hackers doing login attempts or trying to purchase other than the obvious ones which get filtered out automatically before they ever get to the purchase. I'm just a little guy. I'm sure the big stores use far better filter technology.

    1. Re:I'm not believing. by omnichad · · Score: 1

      The big stores are far more likely to be bolting ecommerce onto an older homegrown system rather than being able to use an out-of-box solution on its own. Toys R Us / Babies R Us forced your contact information into all-caps (even up to the end), for one example.

    2. Re:I'm not believing. by gordguide · · Score: 1

      I have done a lot of online purchasing, and starting fairly early in the game, before the new millennium, and plenty since. Some years it exceeded five figures.

      I only had one problem, where a small vendor was the victim of a php injection attack. I noticed it but it didn't "click" that I was being served a lookalike page to enter my CC details. When the transaction didn't go through, it dawned on me what was going on.

      My CC company (VISA) caught the suspicious activity on my card fairly quickly ... the thieves apparently tried three transactions, and they denied the second and third. The first (and when I talked to VISA, they said it was very common) was to pay for web hosting for three months, to a Texas based provider. The other two were in quick succession and originated at different locales, which triggered the fraud alert.

      I was issued a new card (new account #) and that was the end of it for me ... I didn't have to pay for the one charge they made. I also alerted the vendor, who was reluctant to believe me, but apparently had the smarts to hire someone who confirmed the php injection and made changes, and later sent me a message thanking me for the alert.

      But that was it. Hundreds if not thousands of transactions at every stage of eCommerce development.

  10. samples by raymorris · · Score: 1

    I periodically analyzed samples, a few hundred thousand here, a few there. The cracker sites and forums have lists that are commonly used, and there are a few common tools which generate different permutations.

  11. I shouldn't need an account to buy from a retailer by Anonymous Coward · · Score: 0

    It should be easy to buy things online, but they keep making it harder.

  12. Two step logins by Anonymous Coward · · Score: 0

    Two step logins like Amazon has also allowed testing and probing of email addresses for address collection or confirmation. It aids hackers and spammers, while being an annoyance to users. No clue why they decided to go that route, but Amazon's made a lot of design and interface changes to their website the past 2 years that have been largely questionable.

    1. Re:Two step logins by Anonymous Coward · · Score: 0

      The problem is not two step logins. The problem is the first step returns an error message if an invalid account name is used. A one step login would be just as bad if you use an invalid account name and it tells you that your account is invalid.
      Knowing account names shouldn't be a problem and hiding account names relies on security through obscurity, that's the real problem.

  13. Re:200 million a day? Oh my. by arth1 · · Score: 5, Funny

    There are so many hack attempts, that when I try to create a new account, the first email I receive tells me that my account is locked due to too many failed logins.

    Try picking a different username than phpadmin.

  14. Haha. But yes by raymorris · · Score: 3, Interesting

    That's funny.

    What IS true is that a perfectly logical security system, trying to determine whether a login attempt is legit, would start out with the knowledge there is a 90% chance it's not legit, before considering any other factors. Until we have evidence that it IS legit, it's probably not. That's called a prior probability. That has some interesting implications.

    Fortunately, there are some pretty straightforward metrics to identify legit and bogus attempts with high success rates when the metrics are combined correctly.
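As an added example (not the commenter's code), the prior-probability reasoning above carried through numerically: start from the thread's 90% bogus prior and combine it with a few signals via naive-Bayes likelihood ratios. The signal names and their likelihoods are constructed for illustration.

```python
import math

# Prior from the thread: 90% of login attempts are bogus.
PRIOR_BOGUS = 0.9

# Constructed, illustrative likelihoods: name -> (P(signal | bogus), P(signal | legit)).
# The values are made up for this example; real ones come from your own login data.
SIGNALS = {
    "known_device": (0.02, 0.70),      # device/browser seen on this account before
    "many_accounts_ip": (0.60, 0.01),  # client address tried many accounts recently
    "typo_fixed_retry": (0.05, 0.30),  # retry differs from last try by one character
}


def posterior_bogus(observed, prior=PRIOR_BOGUS, signals=SIGNALS):
    """Naive-Bayes update: start from the prior odds and multiply in each
    signal's likelihood ratio, present or absent (assumes independence)."""
    log_odds = math.log(prior / (1 - prior))
    for name, (p_bogus, p_legit) in signals.items():
        if name in observed:
            log_odds += math.log(p_bogus / p_legit)
        else:
            log_odds += math.log((1 - p_bogus) / (1 - p_legit))
    return 1 / (1 + math.exp(-log_odds))


def decide(observed, allow_below=0.2, challenge_below=0.99):
    """Map the posterior to an action: allow, step-up (captcha/2FA), or refuse."""
    p = posterior_bogus(observed)
    if p < allow_below:
        return "allow"
    if p < challenge_below:
        return "challenge"
    return "refuse"
```

With nothing observed the posterior stays near the prior, so the default path is a challenge rather than a plain allow; one strong legit signal drops it below the allow threshold.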

  15. It wuz haxx0rz! by Anonymous Coward · · Score: 0

    Useful, relevant, informative reporting? Doesn't exist in BeauHD's book. It's gotta be empty, sensationalist, clickbait.

  16. Re:200 million a day? Oh my. by Arzaboa · · Score: 1

    I'd funny mod you....

    --
    Username: phpadmin
    Username: root
    Username: admin

  17. Paypal is a dumb idea by Anonymous Coward · · Score: 0

    ... login to websites and grab something of value ...

    This is why Paypal's recent change to the always-logged-in model is a dumb idea. I'm certain that if banks claimed a phone had too much security (that is, a password), people would be changing banks.

    1. Re:Paypal is a dumb idea by Bryansix · · Score: 1

      Paypal uses two factor authentication.

  18. That is... comforting. by Anonymous Coward · · Score: 0

    I would have guessed attempted fraudulent logins would have accounted for closer to ninety nine percent.

  19. This is ridiculous by Bryansix · · Score: 1

    First off, changing your passwords is a horrible strategy. Yes, you need to change them but more important is to salt them. Don't use the same password suffix on each site. Keep each password unique for each site. Second of all, retailers need to standardize on two factor authentication, like yesterday! This stops way more than 99% of all malicious login attempts. The attacker would have to not only know your password but also own access to your email or texting.

    1. Re:This is ridiculous by Anonymous Coward · · Score: 0

      Here's my experience with 2-factor authentication with Amazon. I called to fix a defective product. They told me I would have to tell them the passcode from 2-factor authentication. The only 2-factor authentication I have is voice on the line I was calling them on. Catch-22.