Securing the Digital World

A Tale of One Password and Unhappily Ever After for Retailers

Mar 14, 2016 | by RSA |

Do you recycle? I'm not talking here about paper, glass and aluminum waste. I mean online passwords. For most consumers, password recycling is a given, and it exposes them to a wide variety of identity theft risks. However, poor identity management practices on the part of consumers also put retailers and e-commerce merchants at risk of compromise, even when those merchants have not themselves experienced a data breach.

The recent breach of more than 5,200 customer accounts at Neiman Marcus, according to this account, involved "password guessing via automated attacks." In the data breach notice it filed with the Attorney General, the retailer stated it believed these attacks were the result of breaches at other companies where "user login names and passwords were stolen and used for unauthorized access to other accounts, where a user may use the same login name and/or password."

In other words, password recycling, in the absence of two-factor authentication systems such as biometrics, SMS verification or one-time passwords (OTP), continues to plague large e-commerce sites that are vulnerable to these kinds of attacks.

Connecting the Dots

There are two sides to this recycling coin, the hackers and the consumers, and each bears some responsibility for why these events keep happening.

Let's start with the consumers, who are perceived as a poor line of defense against these attacks because they reuse their passwords across multiple sites.

A study by Telesign on the causal effects of digitization and Internet security found that many users used the same password for several of their online accounts. Its research found that for an average of 24 online accounts, most consumers use just six distinct passwords to access them. The same study also found that duplicate passwords are the rule and not the exception, with nearly three-quarters (73%) of consumers relying on the same passwords for their online accounts, 47% using a password they haven't changed in five or more years, and 77% using a password that was at least a year old.

So, let's stipulate for the benefit of this post that most consumers habitually reuse the same password for their online accounts and trust that they will not be compromised because of it.

As for the hackers, well, they collect consumer information in places like the Dark Web and if you believe fraud experts like Avivah Litan, a Gartner analyst, the bad guys have assembled an extensive database and profile of end users and all identity-related data about them. In turn, they put this data up for sale to cyber criminals and extortionists who will pay up to $10 for a stolen e-commerce account, depending on the brand name. Fresh off a data breach, stolen cards can go for upwards of $50 or $100, but once the supply floods the market or the data gets stale, a "clearance" sale will ensue, with prices falling under $1 in some cases.

Imagine your identity for sale in the cyber underground for a dollar, maybe less. So it should come as no surprise that when consumers use the same password for their e-commerce accounts (and others, of course), a single breach of those credentials lets hackers, fraudsters and other bad actors buy them on the Dark Web and try to access all of that consumer's accounts on multiple websites.

As a result of this password recycling, the chances of a fraudster buying credentials for one account and using them across several other retailers are high (i.e., your Amazon account is stolen, but you likely use the same credentials on eBay, Gap, Ann Taylor, etc., so even though these other retailers aren't officially breached, as far as your identity is concerned, they are affected). It is very simple for the bad guys to set up an automated script to test combinations of usernames and passwords. And if that testing is detected by the website, they will just go low and slow, rotate IPs, or bounce requests off the mobile app login page; we all know no one's watching that.

Mitigating the Risk of Automated Attacks

Stopping or slowing down fraudsters like the ones we've discussed here is a two-way street. Retailers need to stop storing PII wherever they can, and encrypt it wherever they must keep it. That goes too for any consumer information stored for marketing purposes. And, of course, whether you're a retailer or a consumer, advocate for stronger authentication above and beyond username and password.

Here are some other best practices for retailers that can go a long way in preventing abuse and fraud on their website:

Try and get ahead of these attacks. Be proactive and assume that if you're an online retailer you're constantly at risk. Don't let discovery happen months after the initial breach. And if and when breaches do happen, immediately identify compromised accounts. In other words, sound the alarm(s).

Use web behavioral analytics. If you can't prevent a breach, be prepared to recognize anomalous web activity using web behavioral analytics. For example, keep an eye on downstream activity: things like profile changes and/or high-dollar purchases, or accounts that may have been packaged up for resale and use down the road (prospectively using an external feed to watch these accounts and the activities associated with them over a period of months). Watch upstream too. Proactively detect the IPs doing strange things on your web properties, especially those concentrated around high-risk areas like login. Bad guys are always changing things up and trying new approaches; you should counter in kind!

Watch out for other risk factors. Things like abnormal navigation compared to other users; guest checkout anomalies; atypical or mismatched geographical contact information; multiple users using the same IP address; extraordinary and concurrent high-dollar/high-volume purchases; and so on.
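As an added example (not part of the original post), the Python script below applies the upstream login-monitoring idea described above to a constructed login log: it flags a source IP that cycles through many distinct usernames at the login endpoint, on either the web or the mobile channel, over a deliberately long window so that low-and-slow attempts that stay under a per-minute rate limit are still caught. The log format, IP addresses, usernames and thresholds are all assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of login events (not real data), one per line:
# timestamp  source_ip  username  outcome  channel
SAMPLE_LOG = """\
2016-03-14T10:00:01 198.51.100.7 alice fail web
2016-03-14T10:14:09 198.51.100.7 bob fail mobile
2016-03-14T10:31:52 198.51.100.7 carol fail web
2016-03-14T10:47:20 198.51.100.7 dave success mobile
2016-03-14T11:02:41 198.51.100.7 erin fail web
2016-03-14T10:05:00 203.0.113.9 frank fail web
2016-03-14T10:05:30 203.0.113.9 frank success web
2016-03-14T10:06:00 203.0.113.9 frank success mobile
"""

def parse_events(text):
    """Parse the whitespace-separated log into dicts sorted by time."""
    events = []
    for line in text.splitlines():
        ts, ip, user, outcome, channel = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "ip": ip,
                       "user": user, "outcome": outcome, "channel": channel})
    return sorted(events, key=lambda e: e["ts"])

def detect_stuffing(events, window=timedelta(hours=2), min_users=4, min_fail_ratio=0.5):
    """Flag IPs that try many distinct usernames at login within `window`.
    The window is long on purpose: a low-and-slow attacker spaces attempts
    out to defeat per-minute rate limits but still has to touch many accounts.
    Returns {ip: {"users": n, "failures": n, "attempts": n, "channels": [...]}}."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    flagged = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # Slide the window so evs[start:end+1] spans at most `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            span = evs[start:end + 1]
            users = {e["user"] for e in span}
            failures = sum(e["outcome"] == "fail" for e in span)
            if len(users) >= min_users and failures / len(span) >= min_fail_ratio:
                flagged[ip] = {"users": len(users), "failures": failures,
                               "attempts": len(span),
                               "channels": sorted({e["channel"] for e in span})}
    return flagged

if __name__ == "__main__":
    for ip, info in detect_stuffing(parse_events(SAMPLE_LOG)).items():
        print(f"suspicious login source {ip}: {info}")
```

Because the same IP is counted across both the web and mobile channels, the "no one's watching the mobile login" gap the post mentions is closed by the same rule.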

While recycling is good for the planet, it is not so good when it comes to passwords. But the reality is that consumers will continue to recycle them because there are too many to remember. However, retailers and other consumer-facing organizations can be prepared for when the bad guys come knocking with a cache of stolen credentials from the website next door to test out.