By Chris Ryan, Experian

It’s an all too familiar scenario — a
consumer recognizes an online purchase they never approved, and has to dispute
the charge and reset their password. Often this leads to frustration for the
consumer and days of investigation and ultimately a loss to the business — both
financially and reputationally. This situation is a common occurrence within
retail — an industry overrun by a high volume of fraud attacks.
And while there are hundreds of
different fraud schemes, many attacks can be attributed to a not-so-new
technique called credential stuffing. With billions of stolen identity records
and credentials available on the dark web, criminals can simply visit a
retailer’s web site and start testing to see which credentials work. Fraudsters
literally “stuff” the login page with hundreds of thousands of credential
combinations. More importantly, the criminals can make the login requests appear
to come from different IP addresses, helping to circumvent fraud prevention
measures designed to capture events from a single source. This makes it harder
for retailers to distinguish legitimate user activity from a credential stuffing
attack.
The scheme preys upon people’s tendency
to reuse online credentials. There is a measurable likelihood that a set of
stolen credentials will allow access to a retailer’s web site. Basic computer
scripting automates the login attempts to enable the volume needed to find
those that work. To make matters worse, the compromised retail credentials may
have been stolen elsewhere — anywhere — making the retailer vulnerable to
someone else’s security lapse. In Experian’s 2019 Global Identity & Fraud
Report, businesses indicate that usernames and passwords are the most widely
used authentication tools that they rely upon. The environment is ripe both for
stealing credentials and providing web access where they can be used.
Retailers need to break the cycle by
adopting more advanced technology to protect online accounts — particularly
device intelligence.
Do More With Device Intelligence
Common tools used to assess the risk
associated with online devices (computers, tablets, smartphones, etc.) are not effective
against credential stuffing. Device intelligence must do more than just track cookies
and identify other characteristics that are common to many devices. Criminals
know how to manipulate cookies and alter device characteristics to evade
detection. The goal should not just be recognizing a familiar device, but being
able to identify suspicious activity on devices that are unfamiliar.
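The contrast drawn above between single-source checks and device-level signals, as an added example that is not part of the original article: a per-IP failure rule is run beside a per-device rule over the same constructed login events. The event layout, the thresholds and the `device_id` field (assumed to be an identifier that survives IP rotation) are assumptions made for illustration.

```python
from collections import defaultdict

WINDOW_SECONDS = 300        # assumed sliding-window size
PER_IP_FAILURES = 5         # assumed per-IP failure threshold
PER_DEVICE_USERNAMES = 10   # assumed distinct-account threshold per device


def build_sample_events():
    """Constructed events: (epoch_seconds, ip, device_id, username, success)."""
    events = []
    # 40 attempts, each from a different IP against a different account,
    # all carrying the same hypothetical device identifier.
    for i in range(40):
        events.append((1000 + i * 5, f"198.51.100.{i + 1}", "dev-A", f"user{i}", i == 17))
    # A legitimate customer mistyping a password twice, then succeeding.
    events += [(1010, "203.0.113.9", "dev-B", "alice", False),
               (1020, "203.0.113.9", "dev-B", "alice", False),
               (1030, "203.0.113.9", "dev-B", "alice", True)]
    return sorted(events)


def _max_in_window(times):
    """Largest number of timestamps that fall inside any one window."""
    return max((sum(1 for t in times if s <= t < s + WINDOW_SECONDS) for s in times),
               default=0)


def flag_by_ip(events):
    """Single-source rule: IPs with too many failed logins inside one window."""
    failures = defaultdict(list)
    for ts, ip, _dev, _user, ok in events:
        if not ok:
            failures[ip].append(ts)
    return {ip for ip, times in failures.items()
            if _max_in_window(times) >= PER_IP_FAILURES}


def flag_by_device(events):
    """Device rule: one device trying many distinct accounts inside one window."""
    attempts = defaultdict(list)
    for ts, _ip, dev, user, _ok in events:
        attempts[dev].append((ts, user))
    flagged = set()
    for dev, items in attempts.items():
        for start, _ in items:
            users = {u for ts, u in items if start <= ts < start + WINDOW_SECONDS}
            if len(users) >= PER_DEVICE_USERNAMES:
                flagged.add(dev)
                break
    return flagged
```

On the constructed data the per-IP rule flags nothing, because no address fails more than twice, while the per-device rule flags only `dev-A` and leaves the customer who mistyped a password alone.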
Credential stuffing attacks have been
effective because retailers rely upon device intelligence that lacks the layers
of depth necessary to identify attacks in real time. Tools that look beyond
generic forms of device intelligence can make the difference between protecting
the consumer and getting hacked by a cybercriminal.
Effective protection requires device
intelligence capabilities that go much deeper into a device, to mine characteristics
that not only make a device unique but cannot be altered even by the
most savvy criminal. Combined with knowledge of skilled professionals who
monitor these trends around the world, this approach to device intelligence is
a retailer’s best defense.
Retailers should also understand that
fraud prevention extends beyond any one method. The combination of device
intelligence with additional technology such as biometrics can help retailers
protect people’s information and provide a low-friction experience.
Just as fraudsters have their own tools
to carry out fraud attacks, retailers should leverage advanced data and
technology to counteract these behaviors. The full potential of device
intelligence has proven to be effective and secure at protecting businesses and
consumers. While fraudsters will continue to evolve and explore alternative
vulnerabilities, retailers can minimize the threat by continually innovating
and leveraging advanced technology.
Chris Ryan is a Senior Fraud Solutions Consultant at Experian. He delivers expertise that helps clients make the most from
data, technology and investigative resources to combat and mitigate fraud risks
across the industries that Experian serves. Ryan provides clients with
strategies that reduce losses attributable to fraudulent activity. He has an
impressive track record of stopping fraud in retail banking, auto lending,
deposits, consumer and student lending sectors and government identity
proofing. Ryan is an expert in consumer identity verification, fraud scoring
and knowledge-based authentication. His expertise is his ability to understand
fraud issues and how they impact customer acquisition, customer management and
collections.