BSidesLV Preview: Fighting Fraud in the Trenches

The famed bank robber Willie Sutton once said “I rob banks because that’s where the money is.” These days, botnet operators would say the same thing about retail sites and marketplaces. The nexus of fraud activity has shifted away from financial services targets to focus heavily on the retail ecosystem. That’s because retail and marketplace sites are far more like banks than they used to be, with multiple ways for criminals to cash out.

These attacks are very common. According to PerimeterX’s own analysis, on average 40% of all login attempts are malicious in nature. That can go up to 80% of all log-in attempts during significant account takeover (ATO) attacks. This mix more and more includes mobile apps and mobile APIs as a key target. Out of the 3 billion malicious login attempts PerimeterX blocked in the last few months during ATOs, 40% of the bots tried to disguise themselves as mobile apps.

From simply hijacking a stolen account to making fraudulent purchases to siphoning off loyalty points, ATO attacks against retailers offer many ways to extract cash quickly and easily. Not surprisingly, the scale of attacks has massively grown to meet the target environment.

So what’s changed to make this possible? The first question might actually be: what has not changed? People still tend to heavily reuse passwords across multiple sites. This is despite years of calls for people to use password wallet software or password management systems in browsers.

Many financial institutions have mandated two-factor authentication. But retail operators are afraid to take this step out of fear of chasing off valid users and real customers through introduction of unnecessary steps in the purchasing and login process. Banks can demand 2FA because financial accounts are inherently sticky. But retailers must fight to convince even repeat customers (Read more...)