Advertisement

How Retailers Can Reduce The Risk Of Credential Threats

By
Mike Wilson, Enzoic

Retailers
face a barrage of security threats from a variety of sources. As the number of breaches continues to soar, brands
must take action to reduce the risk and protect customer data.

This
requires that retailers understand the malicious actors targeting their
business so that they can deploy the proper defenses and mitigations. One
growing threat vector is automated bots that hammer away at web sites with
credential stuffing attacks, and retailers need to fight back.

Advertisement

The
rise and success of credential stuffing attacks is a result of people
continuing to reuse the same passwords across multiple accounts. When a data
breach happens, user credentials are exposed and can be found on the Internet and
the dark web. Cybercriminals can use a bot with a list of exposed credentials
against a web site to gain access to an account on that site. When the bots
successfully access an account, it’s logged and they can either take advantage
in that moment, or they can sell the account data to other criminals.

Retailers
must take action to protect their digital properties and user credentials from
automated attacks. The best way to reduce the risk is to implement a
multi-layered approach from some of the popular options below.

1) Make two-factor (or multi-factor)
authentication mandatory
: This can take the form of presenting evidence of
an additional item like a smartphone, or it can be knowledge-based where the
user must be able to answer a security question. Some brands deploy both
options, but this can cause customer friction and attrition so retailers must
weigh that balance.

2) Add a captcha: This step helps
determine whether the account access is being attempted by a human or a machine,
and is used to thwart spam and automated extraction of data from web sites.
Simple checkboxes tend to work best as customers don’t become frustrated and
abandon the purchase, but retailers must be aware that some bots can detect
those checkboxes so this option is not 100% reliable.

3) Screen for exposed credentials: Deploy
a credential screening tool that compares customer credentials (both user name
and password) against a database containing billions of compromised records.
This tool runs continually in the background, and when it finds credentials
that are compromised, retailers can then decide how to address the
vulnerability. This can include forcing a password reset, deploying step-up
authentication or hiding sensitive data such as credit card details associated
with the account.

4) Adaptive authentication: These systems
cross-reference IP address, geolocation, device reputation and other behaviors
to assign a risk score to an inbound login session and step-up authentication
factors accordingly. To increase effectiveness, they tend to be aggressive,
often adding additional authentication factors that can increase customer
frustration and abandonment.

5) Biometric authentication: This is
another option where the user’s fingerprint or face is used to authenticate.
However, many users do not have biometric devices so this option currently has
a limited impact. Also, if the biometric fails, it defaults back to the
password-based authentication.

As
bots become the tool of choice for cybercriminals to obtain credentials,
retailers need to take action to protect their customers’ data. While there is
no silver bullet to solve this problem, applying a layered approach to mitigate
the risk gives retailers the confidence that the risk of credential stuffing
attacks is significantly reduced — without negatively impacting the customer
experience.

Mike
C. Wilson is the Founder and CTO of
Enzoic, an innovative cyber-security startup that helps enterprises
screen for compromised credentials during authentication. He has spent 20 years
in software development, with 12 years specifically in the information security
space. Wilson started his career in the high-security environment at NASA,
working on the mission control center redevelopment project. He has also
founded several successful startups and has a BS in Computer Science and
Aerospace Engineering from Texas A&M.

Advertisement

Advertisement

Upcoming Events

Access The Media Kit

Interests:

Access Our Editorial Calendar




If you are downloading this on behalf of a client, please provide the company name and website information below: