Hackers Account For 90 Percent of Login Attempts At Online Retailers (qz.com)
Hackers account for 90% of e-commerce sites' global login traffic, according to a report by cyber security firm Shape Security. They reportedly use programs to apply stolen data acquired on the dark web -- all in an effort to login to websites and grab something of value like cash, airline points, or merchandise. Quartz reports: These attacks are successful as often as 3% of the time, and the costs quickly add up for businesses, Shape says. This type of fraud costs the e-commerce sector about $6 billion a year, while the consumer banking industry loses out on about $1.7 billion annually. The hotel and airline businesses are also major targets -- the theft of loyalty points is a thing -- costing a combined $700 million every year.
The process starts when hackers break into databases and steal login information. Some of the best known "data spills" took place at Equifax and Yahoo, but they happen fairly regularly -- there were 51 reported breaches last year, compromising 2.3 billion credentials, according to Shape. Taking over bank accounts is one way to monetize stolen login information -- in the US, community banks are attacked far more than any other industry group. According to Shape's data, that sector is attacked more than 200 million times each day. Shape says the number of reported credential breaches was roughly stable at 51 last year, compared with 52 in 2016. The best way consumers can minimize these attacks is by changing their passwords.
Password: cApta1n0b-V-u5 (Score:1)
Hackers keep trying different variations, usually using bots. The quantity does not surprise me.
Matches my data (millions of attempts) (Score:3)
I owned the company that built the login system which was used by most of the successful porn sites (as well as other sites), so I had opportunity to analyze many millions of attempts. 90% or higher seems about right.
samples (Score:2)
I periodically analyzed samples, a few hundred thousand here, a few there. The cracker sites and forums have lists that are commonly used, and there are a few common tools which generate different permutations.
Haha. But yes (Score:4, Interesting)
That's funny.
What IS true is that a perfectly logical security system, trying to determine whether a login attempt is legit, would start out with the knowledge there is a 90% chance it's not legit, before considering any other factors. Until we have evidence that it IS legit, it's probably not. That's called a prior probability. That has some interesting implications.
Fortunately, there are some pretty straightforward metrics to identify legit and bogus attempts with high success rates when the metrics are combined correctly.
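A worked version of the prior-probability argument in this comment, added here as an illustration (not the commenter's code): start from the 90% hostile prior and update it with independent signals, naive-Bayes style. The likelihood values, signal names and thresholds are constructed assumptions a site would replace with measured rates.

```python
"""Naive-Bayes login-risk scoring that starts from the 90% hostile prior.
Added example, not from the article or Shape Security; likelihood values
below are constructed placeholders a site would replace with measured rates."""
from math import exp, log

PRIOR_HOSTILE = 0.90  # the Shape figure quoted above: 9 of 10 attempts are bots

# Constructed likelihoods per signal: (P(signal | hostile), P(signal | legit)).
LIKELIHOODS = {
    "known_device": (0.02, 0.80),
    "password_correct": (0.03, 0.95),
    "ip_seen_before": (0.05, 0.70),
    "many_accounts_from_ip": (0.60, 0.01),
    "headless_browser": (0.50, 0.02),
}

def posterior_hostile(signals, prior=PRIOR_HOSTILE):
    """P(hostile | signals), assuming signals are conditionally independent.
    `signals` maps a LIKELIHOODS key to True (observed) or False (absent);
    keys not supplied contribute nothing. Log space avoids underflow."""
    log_h, log_l = log(prior), log(1.0 - prior)
    for name, observed in signals.items():
        p_h, p_l = LIKELIHOODS[name]
        if not observed:
            p_h, p_l = 1.0 - p_h, 1.0 - p_l
        log_h += log(p_h)
        log_l += log(p_l)
    m = max(log_h, log_l)
    h, l = exp(log_h - m), exp(log_l - m)
    return h / (h + l)

def decide(signals, allow_below=0.05, block_above=0.95):
    """Map the posterior to an action: allow, step up (e.g. 2FA), or block."""
    p = posterior_hostile(signals)
    if p < allow_below:
        return "allow"
    if p > block_above:
        return "block"
    return "step_up"

if __name__ == "__main__":
    returning = {"known_device": True, "password_correct": True,
                 "ip_seen_before": True, "many_accounts_from_ip": False,
                 "headless_browser": False}
    new_device = {"known_device": False, "password_correct": True,
                  "ip_seen_before": False, "many_accounts_from_ip": False,
                  "headless_browser": False}
    for label, s in (("returning user", returning), ("right password, new device", new_device)):
        print(f"{label}: P(hostile)={posterior_hostile(s):.3f} -> {decide(s)}")
```

The second case is the interesting implication of the prior: a correct password from an unknown device and address still comes out close to a coin flip, which is why it should trigger a step-up rather than a plain allow.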
Re: (Score:1)
That his toupee size?
Kohl's (Score:3)
The Kohl's web site is utterly broken. Every time they have a sale, your account gets locked due to too many password attempts. You literally have to reset your password almost every time you use it. Why you would lock an account entirely instead of rate limiting it or blocking the overseas IP addresses involved, I have no idea.
Re: (Score:2)
Regardless, this doesn't seem to happen in any other retail site. There's clearly some mitigation option better than letting every account get locked. Also, the IPv4 address space is relatively small compared to potential passwords - they probably don't even handle IPv6.
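One shape the "better mitigation option" from these two comments can take, added here as an illustration (not Kohl's code or anyone's in the thread): throttle by source address in a sliding window, and when an account is under distributed attack, challenge unfamiliar sources instead of locking the owner out. The limits, window and sample addresses (RFC 5737 documentation ranges) are constructed.

```python
"""Per-source sliding-window throttling with a per-account soft challenge,
instead of hard-locking the account after N failures. Added example, not
Kohl's code; limits and sample addresses are constructed."""
from collections import defaultdict, deque

class LoginThrottle:
    def __init__(self, window=300, ip_limit=20, account_limit=100):
        self.window = window                  # seconds of history considered
        self.ip_limit = ip_limit              # failures per source before deny
        self.account_limit = account_limit    # failures per account before challenge
        self.ip_fail = defaultdict(deque)     # ip -> timestamps of failures
        self.acct_fail = defaultdict(deque)   # account -> timestamps of failures
        self.trusted = defaultdict(set)       # account -> ips with a prior success

    def _prune(self, q, now):
        """Drop timestamps older than the window; return what remains."""
        while q and now - q[0] > self.window:
            q.popleft()
        return len(q)

    def check(self, ip, account, now):
        """Return 'deny', 'challenge' or 'allow' for an attempt at time `now`."""
        if self._prune(self.ip_fail[ip], now) >= self.ip_limit:
            return "deny"        # this one source is hammering us: block it alone
        if (self._prune(self.acct_fail[account], now) >= self.account_limit
                and ip not in self.trusted[account]):
            return "challenge"   # account under distributed attack: step up strangers
        return "allow"           # the owner's usual address still gets straight through

    def record_failure(self, ip, account, now):
        self.ip_fail[ip].append(now)
        self.acct_fail[account].append(now)

    def record_success(self, ip, account, now):
        self.trusted[account].add(ip)
        self.acct_fail[account].clear()   # the owner got in; stop counting against them

if __name__ == "__main__":
    t = LoginThrottle()
    t.record_success("203.0.113.10", "alice", 0)          # alice's usual address
    for i in range(50):                                   # constructed: 50 sources, 3 tries each
        for _ in range(3):
            t.record_failure(f"198.51.100.{i}", "alice", 10)
    print("stranger:", t.check("198.51.100.200", "alice", 11))   # challenge
    print("owner:   ", t.check("203.0.113.10", "alice", 11))     # allow
```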
Re: (Score:1)
This is really, really old news... (Score:2)
And has no surprise-factor at all. Basically anything that accepts log-ins from the Internet gets between a few and a few 1000 every minute. This may or may not get better with IPv6, but with IPv4, the whole net is scanned all the time.
That's it? (Score:2)
Best way says who? (Score:2)
The best way consumers can minimize these attacks is by changing their passwords.
No, that is not necessarily the best way. Why this unsubstantiated claim?
Not creating an account in the first place and using a guest checkout is arguably better. So is switching to sites that offer better protection, like 2-factor authentication or having to call in the CVV.
200 million a day? Oh my. (Score:3)
There are so many hack attempts, that when I try to create a new account, the first email I receive tells me that my account is locked due to too many failed logins.
--
What's up doc? - B. Bunny
Re:200 million a day? Oh my. (Score:5, Funny)
There are so many hack attempts, that when I try to create a new account, the first email I receive tells me that my account is locked due to too many failed logins.
Try picking a different username than phpadmin.
Re: (Score:2)
I'd funny mod you....
--
Username: phpadmin
Username: root
Username: admin
I'm not believing. (Score:2)
I'm not sure I believe the problem to be as bad as people are making out.
I shop online for almost everything because I live out in a very rural area. There are no local stores. As a result I have accounts at a great many online retailers. I have not had problems.
I'm not saying the problem doesn't exist, just that I think it is getting exaggerated.
I also have an online store for my business. I have no cases of hackers doing login attempts or trying to purchase other than the obvious ones which get filtered o
Re: (Score:2)
The big stores are far more likely to be bolting ecommerce onto an older homegrown system rather than being able to use an out-of-box solution on its own. Toys R Us / Babies R Us forced your contact information into all-caps (even up to the end), for one example.
Re: (Score:2)
I have done a lot of online purchasing, and starting fairly early in the game, before the new millennium, and plenty since. Some years it exceeded five figures.
I only had one problem, where a small vendor was the victim of a php injection attack. I noticed it but it didn't "click" that I was being served a lookalike page to enter my CC details. When the transaction didn't go through, it dawned on me what was going on.
My CC company (VISA) caught the suspicious activity on my card fairly quickly ... the thiev
Re: (Score:2)
This is ridiculous (Score:2)