Nine out of ten eCommerce login attempts are fraudulent. That is the key finding of an investigation of credential stuffing by Shape Security, a provider of online fraud prevention. Credential stuffing involves the use of stolen credentials to log in to customer accounts to buy products and take advantage of credit arrangements.
Online retailers are more likely to be targeted by credential stuffing because it is common for shoppers to reuse the same credentials on different sites and because automating the eCommerce login process is straightforward compared to banks and other potential targets.
Credential stuffing starts with leaked usernames and passwords. Last year, over 2.3 billion username and password pairs were leaked by online services. Most of the leaked credentials came from Yahoo, which repeatedly exposed the credentials of billions of users. Tens of millions of credentials were leaked from poorly secured forums, databases, and servers. Millions more were leaked in phishing and malware attacks against users.
The usernames and passwords are gathered by criminals and used to make login attempts on eCommerce stores, banks, and social media accounts. The most sophisticated credential stuffing operations create bespoke login scripts that operate from dozens of locations.
The scripts make millions of login attempts with the leaked credentials on tens of thousands of stores. Shoppers use the same email address and password combination on multiple sites, so the leaked credentials can be used to successfully authenticate on many sites and eCommerce stores.
The criminals’ “conversion rates” are quite low: the best credential stuffers successfully authenticate on less than one percent of accounts, but credential stuffing generates significant revenue because credential stuffing is a high-volume, low-cost operation.
Once they have access, the criminals can steal user data, consume gift card balances, and place large fraudulent orders using stored or stolen credit card numbers. It is estimated that credential stuffing costs the US economy in excess of $5 billion per year.
Preventing Credential Stuffing
It is relatively easy to stop credential stuffing from a technological perspective. Implementing two-factor authentication on shopper accounts would be completely effective. Increasing the complexity of the login process would make it more difficult for criminals to automate attacks.
But neither of those methods appeal to eCommerce merchants because they have the unwanted side effect of reducing conversions. The eCommerce industry is incentivized to make it easier for shoppers to authenticate, not more difficult.
Alternatives include IP blacklists, which can be successful against less sophisticated attackers that don’t have access to large networks of proxy servers. Blacklisting is less effective against more sophisticated operations that use paid proxying services and botnets.
Credential stuffing is likely to remain a problem for as long as we use username and password combinations for authentication. Advanced authentication systems such as FIDO 2 are the most likely long-term solution because they provide simple and secure logins without shared secrets.