Late last week, global financial institution HSBC confirmed that an unknown number of its customers had their personal and financial information compromised. A BBC report quoted an unnamed expert who said the intrusion appears to be the result of credential stuffing—an automated attack using login information harvested in other breaches to illegally access online accounts. While this attack targeted a bank, merchants of all kinds should be on the lookout for automated bot attacks that could result in even more account takeover fraud than they have previously experienced.
Banks are attractive targets for credential stuffing because, once an attack finds vulnerable accounts (ones whose owners reuse the same userid/password combination that was exposed in a breach elsewhere), the illegal access can be monetized in many ways, including simply draining the account.
But online merchants are increasingly experiencing this kind of attack too. In the fourth quarter of last year, Cambridge, Mass.-based content delivery network Akamai found that 43 percent of login attempts on its network used “password guessing or account details gathered from elsewhere on the Internet.”
Retailers and hotel and travel companies were hit especially hard, the company said. In November 2017 alone, Akamai identified more than one billion login attempts at retailer sites as credential abuse. Hotel and travel sites fared only marginally better, with around 975 million malicious login attempts. According to cybersecurity company Shape Security, credential stuffing attacks can make up 80 to 90 percent of an online retailer’s login traffic.
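The pattern behind both the HSBC intrusion and the Akamai and Shape numbers above is the same: a source that cycles through many different usernames with a low success rate, as opposed to a real customer who retries one forgotten password. The following Python script is an added example, not code from the article, HSBC, Akamai or Shape Security. It runs that heuristic over a few constructed login records, flags the stuffing source, reports what share of all login attempts came from flagged sources (the kind of figure Akamai publishes), and lists the accounts the attacker actually got into, which are the reused-password accounts to lock and reset. The log line format, the IP addresses and the thresholds are all assumptions for the example.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample login records (not real data). The line format
# "<timestamp> <source_ip> <username> <SUCCESS|FAIL>" is an assumption
# for this example; adapt LINE_RE to your own authentication logs.
SAMPLE_LOG = """
2018-11-05T10:00:01Z 203.0.113.10 alice FAIL
2018-11-05T10:00:01Z 203.0.113.10 bob FAIL
2018-11-05T10:00:02Z 203.0.113.10 carol SUCCESS
2018-11-05T10:00:02Z 203.0.113.10 dave FAIL
2018-11-05T10:00:03Z 203.0.113.10 eve FAIL
2018-11-05T10:00:03Z 203.0.113.10 grace FAIL
2018-11-05T10:00:04Z 203.0.113.10 heidi FAIL
2018-11-05T10:00:04Z 203.0.113.10 ivan FAIL
2018-11-05T10:00:05Z 203.0.113.10 judy FAIL
2018-11-05T10:00:05Z 203.0.113.10 mallory FAIL
2018-11-05T10:05:00Z 198.51.100.7 erin FAIL
2018-11-05T10:05:09Z 198.51.100.7 erin FAIL
2018-11-05T10:05:20Z 198.51.100.7 erin SUCCESS
2018-11-05T10:07:41Z 192.0.2.5 frank SUCCESS
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(SUCCESS|FAIL)$")


@dataclass
class Attempt:
    ts: str
    ip: str
    user: str
    ok: bool


def parse_log(text: str) -> list[Attempt]:
    """Parse the assumed line format; refuse anything that does not match."""
    attempts = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unparseable login record: {line!r}")
        ts, ip, user, outcome = m.groups()
        attempts.append(Attempt(ts, ip, user, outcome == "SUCCESS"))
    return attempts


def profile_sources(attempts: list[Attempt]) -> dict[str, dict]:
    """Per source IP: attempt count, success count and distinct usernames tried."""
    stats: dict[str, dict] = {}
    for a in attempts:
        s = stats.setdefault(a.ip, {"attempts": 0, "successes": 0, "users": set()})
        s["attempts"] += 1
        s["successes"] += int(a.ok)
        s["users"].add(a.user)
    return stats


def flag_stuffing(stats: dict[str, dict], min_attempts: int = 5,
                  min_distinct_users: int = 5, max_success_rate: float = 0.2) -> dict[str, dict]:
    """Flag sources that spray many accounts and mostly fail.

    Thresholds are illustrative assumptions; tune them against your own
    baseline. A real customer retrying a forgotten password hits one
    username and never reaches min_distinct_users.
    """
    flagged = {}
    for ip, s in stats.items():
        if s["attempts"] < min_attempts:
            continue
        success_rate = s["successes"] / s["attempts"]
        if len(s["users"]) >= min_distinct_users and success_rate <= max_success_rate:
            flagged[ip] = {"attempts": s["attempts"],
                           "distinct_users": len(s["users"]),
                           "success_rate": success_rate}
    return flagged


def abuse_share(attempts: list[Attempt], flagged: dict[str, dict]) -> float:
    """Fraction of all login attempts that came from flagged sources."""
    if not attempts:
        return 0.0
    return sum(1 for a in attempts if a.ip in flagged) / len(attempts)


def compromised_accounts(attempts: list[Attempt], flagged: dict[str, dict]) -> list[str]:
    """Accounts a flagged source logged into: reused passwords, lock and reset them."""
    return sorted({a.user for a in attempts if a.ip in flagged and a.ok})


if __name__ == "__main__":
    attempts = parse_log(SAMPLE_LOG)
    flagged = flag_stuffing(profile_sources(attempts))
    for ip, info in flagged.items():
        print(f"credential stuffing from {ip}: {info}")
    print(f"share of login attempts that are credential abuse: {abuse_share(attempts, flagged):.0%}")
    print("accounts to lock and reset:", compromised_accounts(attempts, flagged))
```

One caveat a practitioner should keep in mind: real stuffing campaigns spread their attempts across large proxy pools so that no single IP crosses a per-source threshold. The per-IP profile above is the first signal, not the only one; a site-wide drop in login success rate, or a surge of attempts against usernames that appear in a recently leaked credential list, catches the distributed version that this heuristic would miss.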
While intrusions at big banks like HSBC can make huge headlines, credential stuffing leading to account takeovers might just be a bigger problem for merchants.