Slashdot Mirror


Hackers Account For 90 Percent of Login Attempts At Online Retailers (qz.com)

Hackers account for 90% of e-commerce sites' global login traffic, according to a report by cyber security firm Shape Security. They reportedly use programs to apply stolen data acquired on the dark web -- all in an effort to log in to websites and grab something of value like cash, airline points, or merchandise. Quartz reports: These attacks are successful as often as 3% of the time, and the costs quickly add up for businesses, Shape says. This type of fraud costs the e-commerce sector about $6 billion a year, while the consumer banking industry loses out on about $1.7 billion annually. The hotel and airline businesses are also major targets -- the theft of loyalty points is a thing -- costing a combined $700 million every year.

The process starts when hackers break into databases and steal login information. Some of the best known "data spills" took place at Equifax and Yahoo, but they happen fairly regularly -- there were 51 reported breaches last year, compromising 2.3 billion credentials, according to Shape. Taking over bank accounts is one way to monetize stolen login information -- in the US, community banks are attacked far more than any other industry group. According to Shape's data, that sector is attacked more than 200 million times each day.
Shape says the number of reported credential breaches was roughly stable at 51 last year, compared with 52 in 2016. The best way consumers can minimize these attacks is by changing their passwords.

5 of 33 comments

  1. Kohl's by omnichad · Score: 2

    The Kohl's web site is utterly broken. Every time they have a sale, your account gets locked due to too many password attempts. You literally have to reset your password almost every time you use it. Why you would lock an account entirely instead of rate limiting it or blocking the overseas IP addresses involved, I have no idea.

  2. Matches my data (millions of attempts) by raymorris · Score: 2

    I owned the company that built the login system which was used by most of the successful porn sites (as well as other sites), so I had opportunity to analyze many millions of attempts. 90% or higher seems about right.

  3. 200 million a day? Oh my. by Arzaboa · Score: 2

    There are so many hack attempts, that when I try to create a new account, the first email I receive tells me that my account is locked due to too many failed logins.

    --
    What's up doc? - B. Bunny

  4. Re:200 million a day? Oh my. by arth1 · Score: 5, Funny

    There are so many hack attempts, that when I try to create a new account, the first email I receive tells me that my account is locked due to too many failed logins.

    Try picking a different username than phpadmin.

  5. Haha. But yes by raymorris · Score: 3, Interesting

    That's funny.

    What IS true is that a perfectly logical security system, trying to determine whether a login attempt is legit, would start out with the knowledge there is a 90% chance it's not legit, before considering any other factors. Until we have evidence that it IS legit, it's probably not. That's called a prior probability. That has some interesting implications.

    Fortunately, there are some pretty straightforward metrics to identify legit and bogus attempts with high success rates when the metrics are combined correctly.
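
The prior-probability reasoning in the last comment, worked through as an added example (not code from the commenter or from Shape Security): a naive Bayes update that starts at the story's 90% prior and combines login signals as log-likelihood ratios. Only the 0.90 prior and the 3% success rate come from the page; the signal names, the other likelihoods and the thresholds are constructed assumptions.

```python
import math

PRIOR_BOGUS = 0.90  # page's figure: about 90% of login attempts are not legitimate

# name: (P(signal | bogus), P(signal | legit)).
# Only the 0.03 is from the page (attacks succeed "as often as 3%" of the time);
# every other number is a constructed assumption, not measured data.
SIGNALS = {
    "password_correct": (0.03, 0.85),
    "known_device": (0.02, 0.70),
    "ip_hits_many_accounts": (0.60, 0.01),
}


def posterior_bogus(observed, prior=PRIOR_BOGUS, signals=SIGNALS):
    """Return P(bogus | observed) for a dict of signal name -> bool.

    Naive Bayes: signals are treated as independent given the class, so each
    one adds its log-likelihood ratio to the prior log-odds.
    """
    log_odds = math.log(prior / (1 - prior))
    for name, present in observed.items():
        p_bogus, p_legit = signals[name]
        if not present:  # absence of a signal is evidence too
            p_bogus, p_legit = 1 - p_bogus, 1 - p_legit
        log_odds += math.log(p_bogus / p_legit)
    return 1 / (1 + math.exp(-log_odds))


def decide(observed, challenge_at=0.05, block_at=0.95):
    """Map the posterior to an action; both thresholds are hypothetical."""
    p = posterior_bogus(observed)
    if p >= block_at:
        return "block"
    return "challenge" if p >= challenge_at else "allow"


if __name__ == "__main__":
    cases = [
        {},
        {"password_correct": True},
        {"password_correct": True, "known_device": True},
        {"password_correct": False, "ip_hits_many_accounts": True},
    ]
    for case in cases:
        print(f"{posterior_bogus(case):.4f} {decide(case):9} {case}")
```

With these figures a correct password on its own still leaves roughly a 24% chance that the attempt is bogus, which is why a second signal is needed before the attempt is allowed without a challenge.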