Retailers Implement Device Intelligence To Counteract Credential Stuffers
By Chris Ryan, Experian
It’s an all too familiar scenario — a consumer recognizes an online purchase they never approved, and has to dispute the charge and reset their password. Often this leads to frustration for the consumer and days of investigation and ultimately a loss to the business — both financially and reputationally. This situation is a common occurrence within retail — an industry overrun by a high volume of fraud attacks.
And while there are hundreds of different fraud schemes, many attacks can be attributed to a not-so-new technique called credential stuffing. With billions of stolen identity records and credentials available on the dark web, criminals can simply visit a retailer’s web site and start testing to see which credentials work. Fraudsters literally “stuff” the login page with hundreds of thousands of credential combinations. More importantly, the criminals can make the login requests appear to come from different IP addresses, helping to circumvent fraud prevention measures designed to capture events from a single source. This makes it harder for retailers to distinguish legitimate user activity from a credential stuffing attack.
The scheme preys upon people’s tendency to reuse online credentials. There is a measurable likelihood that a set of stolen credentials will allow access to a retailer’s web site. Basic computer scripting automates the login attempts to enable the volume needed to find those that work. To make matters worse, the compromised retail credentials may have been stolen elsewhere — anywhere — making the retailer vulnerable to someone else’s security lapse. In Experian’s 2019 Global Identity & Fraud Report, businesses indicate that usernames and passwords are the most widely used authentication tools that they rely upon. The environment is ripe both for stealing credentials and providing web access where they can be used.
Retailers need to break the cycle by adopting more advanced technology to protect online accounts — particularly device intelligence.
Do More With Device Intelligence
Common tools used to assess the risk associated with online devices (computers, tablets, smartphones, etc.) are not effective against credential stuffing. Device intelligence must do more than just track cookies and identify other characteristics that are common to many devices. Criminals know how to manipulate cookies and alter device characteristics to evade detection. The goal should not just be recognizing a familiar device, but being able to identify suspicious activity on devices that are unfamiliar.
Credential stuffing attacks have been effective because retailers rely upon device intelligence that lacks the layers of depth necessary to identify attacks in real time. Tools that look beyond generic forms of device intelligence can make the difference between protecting the consumer and getting hacked by a cybercriminal.
Effective protection requires device intelligence capabilities that go much deeper into a device, to mine characteristics that not only make a device unique but are impossible for even the most savvy criminal to alter. Combined with the knowledge of skilled professionals who monitor these trends around the world, this approach to device intelligence is a retailer’s best defense.
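The contrast drawn above, between controls keyed to a single source IP and detection keyed to the device, can be shown on a small login log. This is an added example, not code from the article or from Experian; the log fields, thresholds, function names and the stable `device_id` fingerprint are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample login events: (source_ip, device_id, username, success).
# device_id stands for a hypothetical stable device fingerprint that does
# not change when the client rotates IP addresses (an assumption here).
def build_sample_events():
    events = []
    # One automated client: 12 usernames, each from a different IP.
    for i in range(12):
        events.append((f"198.51.100.{i + 1}", "dev-A", f"user{i}", i == 7))
    # Ordinary customers: own device, own IP, one account each.
    events.append(("203.0.113.5", "dev-B", "alice", True))
    events.append(("203.0.113.9", "dev-C", "bob", False))
    events.append(("203.0.113.9", "dev-C", "bob", True))
    return events

def flag_by_ip(events, max_attempts=5):
    """Per-source control: flag any IP exceeding max_attempts logins."""
    counts = defaultdict(int)
    for ip, _dev, _user, _ok in events:
        counts[ip] += 1
    return sorted(ip for ip, n in counts.items() if n > max_attempts)

def flag_by_device(events, max_accounts=3, min_fail_ratio=0.8):
    """Flag devices that try many distinct accounts and mostly fail."""
    users = defaultdict(set)
    attempts = defaultdict(int)
    failures = defaultdict(int)
    for _ip, dev, user, ok in events:
        users[dev].add(user)
        attempts[dev] += 1
        failures[dev] += 0 if ok else 1
    flagged = {}
    for dev in users:
        ratio = failures[dev] / attempts[dev]
        if len(users[dev]) > max_accounts and ratio >= min_fail_ratio:
            flagged[dev] = {"accounts": len(users[dev]),
                            "ips": len({e[0] for e in events if e[1] == dev}),
                            "fail_ratio": round(ratio, 2)}
    return flagged

if __name__ == "__main__":
    sample = build_sample_events()
    print("flagged IPs:", flag_by_ip(sample))
    print("flagged devices:", flag_by_device(sample))
```

On this sample the per-IP check flags nothing, while the per-device view surfaces one device that tried 12 accounts from 12 addresses with a failure ratio of 0.92.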
Retailers should also understand that fraud prevention extends beyond any one method. The combination of device intelligence with additional technology such as biometrics can help retailers protect people’s information and provide a low-friction experience.
Just as fraudsters have their own tools to carry out fraud attacks, retailers should leverage advanced data and technology to counteract these behaviors. The full potential of device intelligence has proven to be effective and secure at protecting businesses and consumers. While fraudsters will continue to evolve and explore alternative vulnerabilities, retailers can minimize the threat by continually innovating and leveraging advanced technology.
Chris Ryan is a Senior Fraud Solutions Consultant at Experian. He delivers expertise that helps clients make the most of data, technology and investigative resources to combat and mitigate fraud risks across the industries that Experian serves. Ryan provides clients with strategies that reduce losses attributable to fraudulent activity. He has an impressive track record of stopping fraud in retail banking, auto lending, deposits, consumer and student lending sectors and government identity proofing. Ryan is an expert in consumer identity verification, fraud scoring and knowledge-based authentication. His expertise is his ability to understand fraud issues and how they impact customer acquisition, customer management and collections.