Buyers Beware: Cybercriminals Target Your Online Credentials

The data tells a compelling story for buyers worldwide: Across all industries surveyed, the most common attack methods in 2022 were stolen credentials, ransomware and phishing. Attackers typically target payment data, personally identifiable information (PII), credentials, intellectual property and non-sensitive data. These trends directly affect consumers, who need to be aware of them.

According to the Account Takeover in 2022 report, more than 24 billion username and password combinations are now for sale on the dark web (up from 15 billion in 2020). The haveibeenpwned.com website allows any individual to look up their email address or phone number to determine whether it has been included in a disclosed breach, listing each breach it appeared in and the classes of data exposed, often including passwords, password hints, usernames, phone numbers and geographic locations (the site reports which categories leaked, not the leaked values themselves). The site is updated regularly to include new breaches, but that’s hardly reassuring to those impacted.

As more people continue to turn to e-commerce to manage their shopping—for groceries, gifts, dinner delivery, school supplies or household supplies—credential harvesting has become a significant cybersecurity threat facing the retail industry. As more businesses move online, attackers find new ways to gather compromised usernames and passwords to exploit or trade.

Credential Harvesting is on the Rise

Harvesting credentials was the most reported threat in 2022, especially for the retail, hospitality and travel sectors. Credential harvesting accounted for 63% of threat indicators in these sectors. These attacks allow threat actors to create large databases of usernames and passwords they can use to breach company networks.

And attackers are using these stolen credentials whenever and wherever they can. In basic web application attacks (BWAA), reports showed that over 80% of breaches could be attributed to stolen credentials. Those breaches aren’t just harming companies, of course. Data breaches cause significant negative effects on consumers as well, with 82% of consumers worldwide reporting a negative impact on their lives after a data breach. The 2022 Thales Consumer Digital Trust Index: A Consumer Confidence in Data Security Report highlighted more specific negative impacts as well, including:

    • Fraudulent use of their financial information (31%)
    • Fraudulent use of their personally identifiable information (PII) (25%)
    • Targeted for customized scams using their information (25%)
    • Just over one-fifth (21%) of consumers worldwide stopped using a company after it suffered a data breach
    • 8% took legal action against a company
    • Another 9% considered taking legal action
    • As a result, 44% of consumers spent time increasing their use of security measures to protect the personal data they store for online shopping or e-commerce

These statistics aren’t just numbers, though. They illustrate the importance of cybersecurity and breach response to consumer confidence and brand loyalty.

Threats Targeting Shoppers

The most popular intrusion vectors and behaviors are:

  • Phishing: Year-round, cybercriminals attempt to lure consumers into surrendering personal information using various schemes. Recently, there’s been a marked increase in lures built around popular product promotions. Cybercriminals also sell harvested information on threat actor markets.
  • Account Takeover (ATO): Another popular attack vector involves cybercriminals attempting to take control of online accounts using harvested usernames and passwords. These attacks typically ramp up following large breaches as fraudsters attempt credential stuffing (replaying username/password pairs leaked from one site against many others, which works because people reuse passwords) and other account abuse tactics.
  • Bots: Over the last few years, bots have had a significant impact on online retailers. Credential stuffing and other account abuse are automated at scale, and more individuals have become resellers of stolen information on threat actor forums to make additional income.
  • Gift Cards: Threat actors also favor gift cards because they offer a way to remain anonymous while shopping and to launder money from compromised credit cards or other forms of payment.
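
The ATO pattern above, credential stuffing followed by a successful login, leaves a recognisable trace in authentication logs: one source tries many different usernames in a short window with mostly failures. The following triage script is an added example, not code from the original article or from SecureAuth. The log format, the IP addresses, the usernames and the thresholds (five distinct users in five minutes, at least half failing) are all constructed for the demonstration; real identity providers have their own formats and the thresholds need tuning on real traffic.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample log (not real traffic). One event per line:
# "<UTC timestamp> <source IP> <username> <OK|FAIL>"
SAMPLE_LOG = """\
2022-11-20T10:00:01Z 203.0.113.7 alice@example.com FAIL
2022-11-20T10:00:02Z 203.0.113.7 bob@example.com FAIL
2022-11-20T10:00:02Z 203.0.113.7 carol@example.com FAIL
2022-11-20T10:00:03Z 203.0.113.7 dave@example.com OK
2022-11-20T10:00:04Z 203.0.113.7 erin@example.com FAIL
2022-11-20T10:00:05Z 203.0.113.7 frank@example.com FAIL
2022-11-20T10:00:06Z 203.0.113.7 grace@example.com FAIL
2022-11-20T10:01:00Z 198.51.100.2 alice@example.com FAIL
2022-11-20T10:01:30Z 198.51.100.2 alice@example.com FAIL
2022-11-20T10:02:00Z 198.51.100.2 alice@example.com OK
2022-11-20T10:05:00Z 192.0.2.10 heidi@example.com OK
"""


def parse_log(text):
    """Parse the constructed format above into event dicts sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "ip": ip,
            "user": user.lower(),
            "ok": result == "OK",
        })
    events.sort(key=lambda e: e["ts"])
    return events


def find_stuffing_sources(events, window=timedelta(minutes=5),
                          min_users=5, min_fail_ratio=0.5):
    """Flag source IPs that try many *distinct* usernames within `window`
    with a high failure ratio: the signature of credential stuffing, as
    opposed to one user mistyping their own password (198.51.100.2 above).
    Thresholds are assumptions for this example."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    flagged = {}
    for ip, evs in by_ip.items():
        for i, start in enumerate(evs):
            win = [e for e in evs[i:] if e["ts"] - start["ts"] <= window]
            users = {e["user"] for e in win}
            failures = sum(1 for e in win if not e["ok"])
            if len(users) >= min_users and failures / len(win) >= min_fail_ratio:
                flagged[ip] = {
                    "window_start": start["ts"],
                    "attempts": len(win),
                    "distinct_users": len(users),
                    "failures": failures,
                }
                break  # one qualifying window is enough to flag this source
    return flagged


def suspected_takeovers(events, flagged_ips):
    """Accounts that logged in successfully from a flagged source are the
    likely ATO victims: force step-up authentication or a password reset."""
    return sorted({e["user"] for e in events if e["ok"] and e["ip"] in flagged_ips})


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    hits = find_stuffing_sources(evs)
    for ip, stats in hits.items():
        print(f"{ip}: {stats['distinct_users']} usernames, "
              f"{stats['failures']}/{stats['attempts']} failures "
              f"since {stats['window_start']:%H:%M:%S}")
    print("suspected takeovers:", suspected_takeovers(evs, hits))
```

On the sample data only 203.0.113.7 is flagged (seven usernames, six failures), and dave@example.com, whose reused password happened to work, is the account to lock down. Real stuffing campaigns spread attempts across proxy pools, so production detection also groups by ASN, client fingerprint and per-account failure-then-success sequences rather than by single IP alone.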

Solutions for Staying Safe

Attackers continue to target buyers and businesses year-round. To protect yourself, here are five best practices for e-commerce retailers and shoppers:

  1. Encourage the use of multifactor authentication (MFA). Short message service (SMS) codes, email codes, biometrics, authenticator apps and hardware security keys all add a layer of identity protection, though not equally: SMS and email codes can be intercepted through SIM swapping or relayed by a real-time phishing page, so prefer authenticator apps or FIDO2 security keys where customers will accept them. Online retailers need to inform users about the importance of MFA and encourage its use. Most consumers are familiar with MFA and may appreciate the opportunity to make their accounts more secure. (Understandably, many businesses hesitate to make MFA mandatory to avoid lost sales.)
  2. Enforce strong passwords—especially if MFA is not an option. Against a brute force attack, short passwords drawn from digits alone can be recovered in milliseconds; every added character multiplies the search space, so a 12-character password mixing upper- and lower-case letters and digits takes orders of magnitude longer to crack with the same approach. Strength alone does not stop credential stuffing, however: a strong password reused across sites is still compromised once any one of them leaks, so screen new passwords against known-breached lists and rate-limit login attempts as well.
  3. Encrypt data in transit and at rest, and harden your network, to protect your consumers’ private information. It is the responsibility of every company to make sure that consumer data is protected through encryption, firewalls, MFA, endpoint protection, regular updates and other recommended security measures.
  4. Prioritize physical security. Old-fashioned breaches are still a threat. Therefore, paper documents and thumb drives must be locked away. Employees must also be trained to lock their laptops when not in use and store sensitive paperwork with care.
  5. Go passwordless. With so many authentication options available, passwords (the weakest link in most authentication flows) can be avoided altogether. Phishing-resistant options such as FIDO2/WebAuthn passkeys bind the credential to the site’s origin, so a phishing page has nothing to harvest. This allows for a frictionless approach that will increase consumer loyalty while ensuring protection for businesses.
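
Practice 2, together with the breached-credential lookup mentioned near the top of the article, can be wired into a registration or password-reset flow. The script below is an added example, not code from the original article or from SecureAuth. It assumes the Pwned Passwords range API format used by haveibeenpwned.com (the client sends the first five hex characters of the password's SHA-1 and receives `SUFFIX:COUNT` lines for that bucket), replaces the live endpoint with a constructed offline stand-in, uses an invented corpus with invented counts, and applies a hypothetical 12-character minimum; the guessing rate in `brute_force_seconds` is likewise an assumed figure.

```python
import hashlib

MIN_LENGTH = 12  # assumption for this example; NIST SP 800-63B sets the floor at 8


def sha1_hex(password):
    """Upper-case hex SHA-1, the hash the Pwned Passwords range API is keyed on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_for_range_query(password):
    """k-anonymity: only the first 5 hex characters leave the client; the
    remaining 35 are compared locally against the returned bucket."""
    h = sha1_hex(password)
    return h[:5], h[5:]


def parse_range_response(body):
    """The range endpoint returns one 'SUFFIX:COUNT' line per hash in the bucket."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password, fetch_range):
    """How many times the password appears in the corpus (0 if never)."""
    prefix, suffix = split_for_range_query(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def check_password(password, fetch_range):
    """Registration/reset policy: length first (cheap, no network call),
    then the breach check. Returns (accepted, reason)."""
    if len(password) < MIN_LENGTH:
        return False, f"shorter than {MIN_LENGTH} characters"
    n = breach_count(password, fetch_range)
    if n:
        return False, f"seen {n} times in breach corpus"
    return True, "ok"


def brute_force_seconds(charset_size, length, guesses_per_second=1e10):
    """Worst-case time to exhaust a keyspace at an assumed offline guessing
    rate; 1e10 guesses/s is an illustrative figure, not a measurement."""
    return charset_size ** length / guesses_per_second


# Constructed demo corpus standing in for the real breach database; the
# passwords are well-known weak choices and the counts are invented.
DEMO_BREACHED = {
    "password": 9_000_000,
    "Winter2022!!": 4_500,
    "correct horse battery staple": 12_000,
}


class FakeRangeService:
    """Offline stand-in for https://api.pwnedpasswords.com/range/{prefix}.
    Records every prefix requested so a test can confirm the full hash
    never leaves the client."""

    def __init__(self, corpus):
        self.queries = []
        self._buckets = {}
        for pw, count in corpus.items():
            h = sha1_hex(pw)
            self._buckets.setdefault(h[:5], []).append(f"{h[5:]}:{count}")

    def fetch_range(self, prefix):
        self.queries.append(prefix)
        return "\r\n".join(self._buckets.get(prefix, []))


if __name__ == "__main__":
    svc = FakeRangeService(DEMO_BREACHED)
    for pw in ("password", "Winter2022!!", "tr0ub4dor-walrus-basement-93"):
        print(f"{pw!r}: {check_password(pw, svc.fetch_range)}")
    print("prefixes sent to the service:", svc.queries)
    print(f"8 digits: {brute_force_seconds(10, 8):.3f} s; "
          f"12 mixed-case letters and digits: "
          f"{brute_force_seconds(62, 12) / 3.15e7:.0f} years")
```

Against the live service, `fetch_range` would be an HTTPS GET of the prefix; the rest of the flow is unchanged, and the recorded `queries` show that the server only ever learns five hex characters, never the password or its full hash. The `brute_force_seconds` figures illustrate the length claim in practice 2: eight digits fall in about ten milliseconds at the assumed rate, while twelve mixed-case letters and digits take on the order of ten thousand years.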

It is no secret that consumers are increasingly shopping online. Cybercriminals see this as an opportunity, particularly as the customer base diversifies to a broader age spectrum that includes buyers who are a little less tech savvy and security conscious than many early e-commerce adopters may have been. But through the right combination of vigilance and best practices, consumers can rest a little easier knowing that they have taken steps to ensure that their data and credentials are secure.


Paul Trulove

As CEO of SecureAuth, Paul sets the vision and strategy for the company. Paul has over 15 years of experience in senior leadership roles in identity and access management. Most recently, Paul was the Chief Product Officer at SailPoint Technologies. Paul joined SailPoint in 2007 as head of product, driving the product strategy, roadmap and messaging for SailPoint’s market-leading identity management portfolio. He played a key role in taking SailPoint from its early days as a pioneer in identity to its successful IPO in 2017. Before joining SailPoint, Paul gained extensive experience in formulating innovative product strategies, launching new products in early-stage ventures, and growing products into category leaders at a variety of technology companies including Newgistics, Sabre, Inc. and Pervasive Software.
