How Retailers Can Reduce The Risk Of Credential Threats
By Mike Wilson, Enzoic
Retailers face a barrage of security threats from a variety of sources. As the number of breaches continues to soar, brands must take action to reduce the risk and protect customer data.
This requires that retailers understand the malicious actors targeting their business so that they can deploy the proper defenses and mitigations. One growing threat vector is automated bots that hammer away at websites with credential stuffing attacks, and retailers need to fight back.
The rise and success of credential stuffing attacks are a result of people continuing to reuse the same passwords across multiple accounts. When a data breach happens, user credentials are exposed and can be found on the Internet and the dark web. Cybercriminals can run a bot that replays a list of exposed credentials against a website to gain access to accounts on that site. When the bot successfully accesses an account, the hit is logged, and the attackers can either exploit the account in that moment or sell the account data to other criminals.
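The pattern just described (one source trying a long list of different accounts, each once or twice) is what makes credential stuffing visible in authentication logs. The following Python is an added example, not code from the article or from Enzoic: it runs a sliding-window detector over a few constructed login log lines (the log format, field names, IP addresses and user names are all assumed) and flags source IPs that touch many distinct accounts in a short window, then lists any accounts those IPs logged into successfully so they can be reviewed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample auth log (not real traffic). Assumed line format:
#   <ISO timestamp> login <ok|fail> user=<name> ip=<address>
SAMPLE_LOG = """\
2024-03-01T10:00:01 login fail user=alice ip=203.0.113.7
2024-03-01T10:00:02 login fail user=bob ip=203.0.113.7
2024-03-01T10:00:02 login fail user=carol ip=203.0.113.7
2024-03-01T10:00:03 login fail user=dave ip=203.0.113.7
2024-03-01T10:00:03 login ok user=erin ip=203.0.113.7
2024-03-01T10:00:04 login fail user=frank ip=203.0.113.7
2024-03-01T10:00:05 login fail user=alice ip=198.51.100.20
2024-03-01T10:00:09 login fail user=alice ip=198.51.100.20
2024-03-01T10:00:15 login ok user=alice ip=198.51.100.20
2024-03-01T10:30:00 login fail user=gina ip=203.0.113.7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) login (?P<result>ok|fail) user=(?P<user>\S+) ip=(?P<ip>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "result": m["result"],
        "user": m["user"],
        "ip": m["ip"],
    }


def detect_credential_stuffing(lines, window=timedelta(seconds=60), min_users=5):
    """Flag source IPs that attempt logins for >= min_users distinct accounts
    inside `window`. Stuffing bots try many accounts once each; a human who
    forgot a password retries one account many times, so the second IP in the
    sample (three tries on one account) is not flagged."""
    events = [e for e in (parse_line(l) for l in lines) if e]
    events.sort(key=lambda e: e["ts"])  # stable sort keeps same-second order

    recent = defaultdict(deque)  # ip -> deque of (ts, user) within the window
    suspect_ips = {}             # ip -> details of the first detection
    for e in events:
        q = recent[e["ip"]]
        q.append((e["ts"], e["user"]))
        while q and e["ts"] - q[0][0] > window:
            q.popleft()
        distinct = {u for _, u in q}
        if len(distinct) >= min_users and e["ip"] not in suspect_ips:
            suspect_ips[e["ip"]] = {"at": e["ts"], "distinct_users": len(distinct)}

    # Any successful login from a flagged IP is a candidate account takeover.
    accounts_to_review = sorted(
        {e["user"] for e in events if e["result"] == "ok" and e["ip"] in suspect_ips}
    )
    return {"suspect_ips": suspect_ips, "accounts_to_review": accounts_to_review}


if __name__ == "__main__":
    print(detect_credential_stuffing(SAMPLE_LOG.splitlines()))
```

The threshold and window are deliberately simple; in production they would be tuned per site and combined with the other signals the article lists (device reputation, IP reputation) rather than used alone.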
Retailers must take action to protect their digital properties and user credentials from automated attacks. The best way to reduce the risk is to implement a multi-layered approach from some of the popular options below.
1) Make two-factor (or multi-factor) authentication mandatory: This can take the form of presenting evidence of an additional item like a smartphone, or it can be knowledge-based where the user must be able to answer a security question. Some brands deploy both options, but this can cause customer friction and attrition so retailers must weigh that balance.
2) Add a captcha: This step helps determine whether the account access is being attempted by a human or a machine, and is used to thwart spam and automated extraction of data from web sites. Simple checkboxes tend to work best as customers don’t become frustrated and abandon the purchase, but retailers must be aware that some bots can detect those checkboxes so this option is not 100% reliable.
3) Screen for exposed credentials: Deploy a credential screening tool that compares customer credentials (both user name and password) against a database containing billions of compromised records. This tool runs continually in the background, and when it finds credentials that are compromised, retailers can then decide how to address the vulnerability. This can include forcing a password reset, deploying step-up authentication or hiding sensitive data such as credit card details associated with the account.
4) Adaptive authentication: These systems cross-reference IP address, geolocation, device reputation and other behaviors to assign a risk score to an inbound login session and step up the authentication factors accordingly. To increase effectiveness, they tend to be aggressive, often adding additional authentication factors that can increase customer frustration and abandonment.
5) Biometric authentication: This is another option where the user’s fingerprint or face is used to authenticate. However, many users do not have biometric devices so this option currently has a limited impact. Also, if the biometric fails, it defaults back to the password-based authentication.
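Options 3 and 4 above combine naturally at the login decision: screen the submitted credentials against a compromised-credential set, score the session's risk signals, and pick a response (allow, step up, or force a reset). The Python below is an added example, not Enzoic's product or code from the article. It assumes a k-anonymity style lookup (the client sends only the first five hex characters of a SHA-1 hash and matches the full hash locally), a tiny constructed "breach" set standing in for the billions-of-records database, and constructed risk weights and thresholds that a real deployment would tune.

```python
import hashlib

# Constructed stand-in for a compromised-credential database (not real leaks).
# The article's screening covers both bare passwords and user/password pairs.
LEAKED_PASSWORDS = {"Password123", "qwerty", "summer2023"}
LEAKED_PAIRS = {("alice", "summer2023")}


def sha1_hex(s):
    return hashlib.sha1(s.encode("utf-8")).hexdigest().upper()


PASSWORD_HASH_DB = {sha1_hex(p) for p in LEAKED_PASSWORDS}
PAIR_HASH_DB = {sha1_hex(f"{u}:{p}") for u, p in LEAKED_PAIRS}


def range_query(prefix, db):
    """Server side of a k-anonymity lookup: return every stored hash sharing
    the 5-hex-char prefix, so the client never discloses the full hash."""
    return {h for h in db if h.startswith(prefix)}


def is_compromised(username, password):
    """Client side of the screen. Returns 'pair' if the exact user:password
    combination is known-exposed, 'password' if only the password is, else None."""
    pair_hash = sha1_hex(f"{username}:{password}")
    if pair_hash in range_query(pair_hash[:5], PAIR_HASH_DB):
        return "pair"
    pw_hash = sha1_hex(password)
    if pw_hash in range_query(pw_hash[:5], PASSWORD_HASH_DB):
        return "password"
    return None


# Adaptive-authentication signals with constructed weights (tune per deployment).
RISK_WEIGHTS = {
    "new_device": 30,
    "ip_on_blocklist": 50,
    "geo_mismatch": 25,       # country differs from the account's recent history
    "impossible_travel": 40,  # two logins too far apart for the elapsed time
}


def risk_score(signals):
    """Sum the weights of the signals present; unknown signal names are ignored."""
    return sum(RISK_WEIGHTS.get(s, 0) for s in signals)


def login_decision(username, password, signals, step_up_at=40):
    """Layered decision for one login attempt.

    - exact user:password pair exposed -> force a password reset regardless of
      risk, since that very credential is circulating;
    - password exposed or risk score at/above threshold -> step-up MFA;
    - otherwise allow.
    `mask_sensitive` mirrors the article's option of hiding card details on an
    account whose credentials are known to be exposed.
    """
    exposure = is_compromised(username, password)
    score = risk_score(signals)
    if exposure == "pair":
        action = "reset_password"
    elif exposure == "password" or score >= step_up_at:
        action = "step_up"
    else:
        action = "allow"
    return {
        "action": action,
        "score": score,
        "exposure": exposure,
        "mask_sensitive": exposure is not None,
    }


if __name__ == "__main__":
    print(login_decision("alice", "summer2023", []))
    print(login_decision("bob", "qwerty", []))
    print(login_decision("bob", "c0rrect-horse-battery", ["new_device", "geo_mismatch"]))
```

The hash-prefix exchange is what keeps the screen from turning into a second place where plaintext passwords travel; the weights and the `step_up_at` threshold are where a retailer trades detection rate against the customer friction the article warns about.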
As bots become the tool of choice for cybercriminals to obtain credentials, retailers need to take action to protect their customers’ data. While there is no silver bullet to solve this problem, applying a layered approach to mitigate the risk gives retailers the confidence that the risk of credential stuffing attacks is significantly reduced — without negatively impacting the customer experience.
Mike C. Wilson is the Founder and CTO of Enzoic, an innovative cyber-security startup that helps enterprises screen for compromised credentials during authentication. He has spent 20 years in software development, with 12 years specifically in the information security space. Wilson started his career in the high-security environment at NASA, working on the mission control center redevelopment project. He has also founded several successful startups and has a BS in Computer Science and Aerospace Engineering from Texas A&M.