
Hackers account for 90% of login attempts at online retailers - jsoverson
https://qz.com/1329961/hackers-account-for-90-of-login-attempts-at-online-retailers/
======
jhinra
I don't buy these numbers at all. 90% seems stupid high for retail. From the
report,

"[...] we rely on data from the Shape Network. Across the US, Shape’s
customers represent: [..] 40% of Mobile Retail (by in-store payments)."

"We estimated the number of credential stuffing attacks using the total number
of credential stuffing attacks observed on Shape’s US customers and the total
proportion of the US industry our customers represent."

I'm really wracking my brain how they're measuring their marketshare of
retail. Mobile retail as measured by in-store payments? Can someone explain
that to me?

Bottom line, this data comes from a company whose value proposition is that
they sit between your company's servers and your clients and filter bad
requests for you.

~~~
ggggtez
Why would you think 90% is high? That's only 9 in 10. Remember, attackers
using dictionary attacks are going to be trying hundreds or thousands of login
attempts, and a real user is only going to try at most a handful of times.

You don't need that many attackers to easily approach 99% or higher. I'd say
90% is likely conservative for some companies.

~~~
jhinra
I think 90% is high for a few reasons:

1) Rate limiting of login attempts takes a bite out of the large numbers
you're talking about. If we are only looking at retail companies without rate
limiting, well, duh, I guess >90% makes sense, but I expect a large portion of
the global e-commerce retail segment _does_ employ rate limiting of logins.

2) The report lists, "Averages derived from customers’ login traffic before
Shape Enterprise Defense was deployed on login applications" - so this is
absolutely a biased sample. These are clients that signed up for help stopping
this problem.

3) It bugs me how ambiguous the report is about how they aggregate to 90%. I
worry it's a simple [total fraudulent logins] / [total login attempts] across
all their client retailers, which will be heavily biased by the retailers that
don't have login limiting, and doesn't really describe the situation. A much
better number I'd like is the median percentage of fraudulent login attempts
across retailers.

~~~
jsoverson
1) Proxies and botnets obscure origin and make attacks appear globally
distributed so basic rate limiting has little effect on these attacks.

2) Extrapolated averages on incomplete data are certainly suspect; they are
meant to be taken with a grain of salt and are most applicable to people in
the affected industries for them to validate against their own data. FWIW, the
highest percentage of malicious, automated traffic that I've seen has been 99%
which, yes, is crazy and should sound unbelievable.

3) Noted, definitely. It is certainly a tough number to nail down because it
is very dependent on all the things you mention. I trust our data because
we've been at this the longest, were the earliest, and we see a lot of the
unadulterated attack traffic that has gotten through many existing defenses so
we see the stark difference on day one.

Disclaimer: I contributed to the report in question (but was not consulted or
related to the posted article)

~~~
thunfischbrot
Most legitimate users will also not have to log in each time they visit,
making the ratio even less surprising.

------
vxNsr
I recently joined a website that did away with passwords; the only way to log in
was to enter your email address and confirm by pressing a link in the email.
While this adds a pain point for customers, it offloads most security
implications onto the email provider.

~~~
overcast
Passwords can already universally be recovered through email. I wish ALL sites
had this feature. It's essentially a one time password, that expires.

~~~
choward
Exactly. The only password that really matters is the one for your email.
Everything else just provides additional attack vectors.

~~~
dogma1138
That only works for services that do not store any sensitive data and employ
customer-controlled encryption. If your password is used as a cryptographic
tool then it’s out of the question to use such a mechanism.

~~~
vxNsr
Whatsapp has figured out a solution to this problem. i.e. what is your
Whatsapp password?

~~~
PappaPatat
Your telephone number. So instead of something you know (password), they use
something you have (phone).

------
tribune
This makes sense given how often they'd fail. When I log in it takes me one
attempt. When someone is using stolen credentials they might have to make
hundreds of attempts before actually logging in.

~~~
mrep
That, and most websites remember your computer forever so you rarely ever
need to log back in.

~~~
reaperducer
I wish. If that were the case, there would be almost zero market for
1Password, Keychain, and a dozen other solutions.

------
hellofunk
My Macy’s account was hacked just this week. I got an email that my shipping
address changed, and I logged in and saw several hundred dollars worth of
pending items in the shopping cart.

------
dahart
Any time I start an ssh server for myself on a publicly accessible IP, hackers
account for roughly 100% of login attempts. The legit logins are in the noise,
and dictionary attacks on username and password fill the logs. With decent
passwords, it's not much concern, but nowadays, I disable password logins
completely.

~~~
LeifCarrotson
My experience is the same. I set up a VPN for a coworker, who used it on 3
separate weeks away, connecting in total maybe 30 times. There were several MB
of logs detailing illegitimate connection attempts.

It makes me curious what's really going over the wires and airwaves we love to
hate for their low capacity and high cost. How much of that traffic is junk?

------
baybal2
This has to do with affiliate schemes. Payouts for them are quite solid.

Clickfraud people, I think, count on the fact that for huge e-retailers,
it takes months to take action, and they can cash out affiliate payouts faster
than they react.

~~~
jsoverson
It's far more than affiliate schemes. Credential stuffing attacks result in
account takeovers for many different types of companies and the value that can
be extracted is different for each business.

------
JustSomeNobody
Article doesn't talk about what they're doing to mitigate the problem. Well,
except tell the reader to change their passwords. So are online retailers just
hoping the problem goes away?

~~~
kevin_b_er
They have to balance user attention and user friction. Online retailers want
your purchase to be as smooth as possible. There are some studies on how someone
won't spend much time on a website if it loads slowly. The same can apply to
purchase decisions. They need it as impulsive as possible. So annoying things
like 2 factor authentication, in their mind, might make a customer give up
their purchase.

So things are insecure because that's what customers want to satisfy their
relatively low attention spans and impatience. And the retailers optimize for
that.

~~~
JustSomeNobody
Makes sense, nobody likes slow pages. However, don't most people have the
browser save their password? So couldn't the online retailer have some sort of
exponential delay (to a limit) after so many failed attempts? Surely that
would affect few real customers.

~~~
wild_preference
What is being delayed? Just an IP address or the entire account? Neither
really works.
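As an added illustration of the rate-limiting exchange above (example code, not from the thread or from the Shape report, run on a constructed login log), the script below shows why a per-IP limit and a per-account limit can both stay silent during a distributed credential-stuffing run, while fleet-level signals such as the overall failure ratio and the number of distinct usernames failing from one source range do expose it:

```python
from collections import Counter, defaultdict

# Constructed login events as (source_ip, username, outcome); not real traffic.
# Four legitimate users, then a botnet that tries one leaked credential pair per
# IP across 40 different accounts (two of the leaked pairs still work).
EVENTS = [
    ("203.0.113.10", "alice", "ok"),
    ("203.0.113.11", "bob", "fail"),
    ("203.0.113.11", "bob", "ok"),
    ("203.0.113.12", "carol", "ok"),
] + [
    (f"198.51.100.{i}", f"user{i:03d}", "ok" if i % 20 == 0 else "fail")
    for i in range(40)
]


def per_ip_lockouts(events, threshold=5):
    """IPs a per-IP rate limiter would block after `threshold` failures."""
    fails = Counter(ip for ip, _, out in events if out == "fail")
    return {ip for ip, n in fails.items() if n >= threshold}


def per_account_lockouts(events, threshold=5):
    """Accounts a per-account lockout or exponential delay would act on."""
    fails = Counter(user for _, user, out in events if out == "fail")
    return {user for user, n in fails.items() if n >= threshold}


def failure_ratio(events):
    """Share of all attempts that failed; a human population keeps this low."""
    return sum(1 for *_, out in events if out == "fail") / len(events)


def subnet(ip):
    return ip.rsplit(".", 1)[0]  # /24 prefix; coarse but enough to illustrate


def suspicious_subnets(events, min_distinct_users=20):
    """/24s whose failures hit many *different* usernames: the signature of one
    leaked credential list being sprayed across accounts, one try per IP."""
    users = defaultdict(set)
    for ip, user, out in events:
        if out == "fail":
            users[subnet(ip)].add(user)
    return {net for net, seen in users.items() if len(seen) >= min_distinct_users}


def likely_takeovers(events):
    """Successful logins arriving from a flagged range: accounts to review."""
    flagged = suspicious_subnets(events)
    return sorted(u for ip, u, out in events if out == "ok" and subnet(ip) in flagged)
```

With this data both lockout functions return empty sets, the failure ratio is 39/44, and only the 198.51.100.0/24 range is flagged, pointing at user000 and user020 as the accounts to review.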

------
IdontRememberIt
On our site, for an unknown reason, almost 80% of the hacked accounts used are
with @outlook, @hotmail, @live, etc. domains. It does not look like they got the
credentials from a massive leak. The issue with that is that the hacker deletes
our warning/advice emails. Not a funny situation to handle. Any idea about the
source?

------
hartator
Only 90%?

