Account Takeover: The Bane of E-Commerce

Akamai's Smith on Why Simple Attacks Have a Surprising Success Rate
Michael Smith, Akamai

E-commerce sites face an ongoing fraud battle: Their login forms are constantly hit by bots using stolen credentials to try to take over accounts.

Michael Smith, Akamai's security CTO for Asia-Pacific and Japan, has seen this war escalate since 2012. That year, about 35 of Akamai's e-commerce customers in his region reported this kind of attack, he says. Over the past four years the attacks have spread, with as many as 135 organizations now dealing with them in countries including South Korea, Vietnam, Malaysia, Indonesia and Japan.

Although this kind of attack was first seen mostly against U.S. and U.K. retailers, "because those guys are good at defending themselves, they've moved to smaller targets," Smith says.

How it Works

The attackers collect account credentials from phishing schemes and from breached databases. They load lists of stolen username-and-password pairs into "account checkers," which are simple automated scripts, usually written in PHP, that try each pair against a wide range of sites.

This is far more effective than brute-forcing passwords, which per-account rate limiting and lockouts can slow down: a checker submits only one already-known password per account, so it rarely trips a lockout that counts failures per account. The attackers capitalize largely on the fact that most people reuse the same password across web services.

"They know they have the seed information," says Smith, who gave a presentation at the AusCERT conference near Brisbane on May 25. "So they have about a success ratio of one in 12, which is pretty good from an attacker's perspective."
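The mechanism above, as an added example that is not code from the article or from Akamai: a toy login service with two defences, a per-account failure lockout and a per-source failure counter, driven by three constructed attack patterns. It shows why a brute-force attack trips the lockout while an account checker, which sends one known password per account, never does, and why the per-source counter is defeated by the proxy rotation Smith describes later in the article. The usernames, passwords, thresholds and IP addresses are all made up for the demonstration; the stolen list is built so that one pair in twelve is valid, matching the success ratio Smith quotes.

```python
"""Why per-account lockouts do not stop an account checker.

Added example, not code from the article or from Akamai: a toy login
service with two defences (a per-account failure lockout and a per-source
failure counter), driven by three constructed attack patterns. All users,
passwords, thresholds and IP addresses are assumptions for the demo.
"""
from collections import defaultdict

# Constructed user database for the target site (plaintext only for the demo).
USERS = {f"user{i:02d}@example.com": f"site-pw-{i:02d}" for i in range(1, 13)}

# Constructed credential dump from some other breached site. Only user07
# reused the same password on both sites, so one pair in twelve is valid here.
STOLEN = [(u, USERS[u] if i == 7 else f"breached-pw-{i:02d}")
          for i, u in enumerate(USERS, start=1)]

ACCOUNT_LOCK_THRESHOLD = 5   # failed guesses before an account locks
SOURCE_FAIL_THRESHOLD = 10   # failures from one source address before it is flagged


class LoginService:
    def __init__(self):
        self.account_failures = defaultdict(int)
        self.source_failures = defaultdict(int)
        self.locked_accounts = set()
        self.flagged_sources = set()
        self.takeovers = []   # (source, username) for each successful login

    def login(self, source, username, password):
        """Return 'ok', 'bad', 'locked' or 'source_flagged' for one attempt."""
        if username in self.locked_accounts:
            return "locked"
        if source in self.flagged_sources:
            return "source_flagged"
        if USERS.get(username) == password:
            self.takeovers.append((source, username))
            return "ok"
        self.account_failures[username] += 1
        self.source_failures[source] += 1
        if self.account_failures[username] >= ACCOUNT_LOCK_THRESHOLD:
            self.locked_accounts.add(username)
        if self.source_failures[source] >= SOURCE_FAIL_THRESHOLD:
            self.flagged_sources.add(source)
        return "bad"


def run_scenarios():
    """Run the three attack patterns and return each one's outcome list."""
    results = {}

    # 1. Brute force: many guesses at one account from one source. The
    #    per-account lockout fires, and even the correct password is refused.
    svc = LoginService()
    guesses = [f"guess-{i}" for i in range(1, 7)] + [USERS["user01@example.com"]]
    results["brute_force"] = [svc.login("198.51.100.1", "user01@example.com", g)
                              for g in guesses]

    # 2. Credential stuffing through one proxy: one known password per account,
    #    so no account ever sees more than a single failure. Only the
    #    per-source counter notices, and only after ten bad attempts.
    svc = LoginService()
    results["stuffing_one_proxy"] = [svc.login("198.51.100.2", u, p) for u, p in STOLEN]
    results["stuffing_one_proxy_locked_accounts"] = sorted(svc.locked_accounts)

    # 3. Credential stuffing with a fresh proxy per attempt (the rotation Smith
    #    describes): neither defence fires and the reused password still works.
    svc = LoginService()
    results["stuffing_rotating"] = [svc.login(f"203.0.113.{i}", u, p)
                                    for i, (u, p) in enumerate(STOLEN, start=1)]
    results["stuffing_rotating_flagged_sources"] = sorted(svc.flagged_sources)
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name}: {outcome}")
```

In the first scenario the account locks after five failures and the sixth and seventh attempts, including the correct password, are refused. In the second, every account fails at most once, so no lockout ever fires; the per-source counter flags the proxy only after ten failures, by which time the reused password has already succeeded. In the third, with a new source for every attempt, nothing fires at all.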

The Payoff

Large data breaches fuel the attacks, such as the one most recently revealed by LinkedIn, which exposed more than 100 million credentials protected only by weak, unsalted SHA-1 password hashes.

"We actually will see a corresponding increase in account takeover activity based on a database dump like that," he says.

The hackers frequently target a variety of non-cash instruments, such as prepaid gift cards and loyalty card points, which can be sold for cash at a discount or traded. Even grocery stores have been hit, with attackers going after loyalty points stored in online accounts.

"They could take these vouchers, download them and trade them basically as cash," Smith says.

Account takeovers can be especially lucrative if a customer has stored a credit card with the retailer for purchases: the attackers can keep buying vouchers against that card.

How to Fight Back

The attacks can be tricky to shut down without inconveniencing legitimate customers. The account checkers are usually run through proxy servers, whose addresses can be blocked. But over time the attackers have changed their strategy and now rotate quickly to new proxy servers to avoid triggering a block, Smith says.

So what can e-commerce sites do? There are several signs that an account takeover campaign may be underway. For example, one of the first things hackers do is change the email address on a victim's account, so that notifications and password resets go to the attacker instead. Patterns can often be detected in the new email addresses, such as unlikely domain names, Smith says.

Shipping addresses are also usually changed. E-commerce companies can check their customer databases to see whether many accounts have suddenly been changed to the same shipping address, a sign of a mass account compromise.
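The two signs described above, turned into detection logic as an added example that is not code from the article or from Akamai. It parses a constructed stream of profile-change events, then reports shipping addresses that several distinct accounts switched to (after normalising punctuation and case, since attackers rarely type the address identically each time), a burst of email changes onto the same unfamiliar domain within a short window, and accounts where an email change was followed within minutes by a shipping change. The `key=value` event format, the field names, the account numbers, the addresses and the `mail-drop.xyz` domain are all assumptions for this example.

```python
"""Spotting a mass account takeover from profile-change events.

Added example, not code from the article or from Akamai. The event format,
field names, thresholds and every address below are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed events in a hypothetical 'key=value' audit-log format.
EVENTS = """\
2016-05-24T09:00:11Z account=1001 field=email old=jane@gmail.com new=jane.doe7741@mail-drop.xyz
2016-05-24T09:00:40Z account=1001 field=ship_addr old="12 Oak St, Sydney" new="Unit 4, 88 Harbour Rd, Melbourne"
2016-05-24T09:02:05Z account=1002 field=email old=tom@yahoo.com new=tom.x9102@mail-drop.xyz
2016-05-24T09:02:30Z account=1002 field=ship_addr old="3 Elm Ave, Perth" new="unit 4 88 harbour rd melbourne"
2016-05-24T09:05:17Z account=1003 field=email old=li@outlook.com new=li.w3311@mail-drop.xyz
2016-05-24T09:05:50Z account=1003 field=ship_addr old="77 Pine Cres, Brisbane" new="UNIT 4, 88 HARBOUR RD, MELBOURNE"
2016-05-24T11:30:00Z account=2201 field=email old=sam@gmail.com new=sam@hotmail.com
2016-05-24T14:12:09Z account=2202 field=ship_addr old="5 Fig St, Hobart" new="9 Cedar Way, Hobart"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) account=(?P<account>\d+) field=(?P<field>\w+) '
    r'old=(?P<old>"[^"]*"|\S+) new=(?P<new>"[^"]*"|\S+)$')

# Domains that are expected to show up often and are not suspicious on their own.
COMMON_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}


def parse_events(text):
    """Parse the constructed log into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        e["old"] = e["old"].strip('"')
        e["new"] = e["new"].strip('"')
        events.append(e)
    return events


def normalize_address(addr):
    """Lowercase and strip punctuation so minor variations collapse together."""
    return " ".join(re.sub(r"[^a-z0-9]+", " ", addr.lower()).split())


def shared_shipping(events, min_accounts=3):
    """New shipping addresses that at least min_accounts distinct accounts moved to."""
    by_addr = defaultdict(set)
    for e in events:
        if e["field"] == "ship_addr":
            by_addr[normalize_address(e["new"])].add(e["account"])
    return {a: sorted(accts) for a, accts in by_addr.items() if len(accts) >= min_accounts}


def email_domain_burst(events, window=timedelta(minutes=15), min_accounts=3,
                       known=COMMON_DOMAINS):
    """Unfamiliar domains that min_accounts distinct accounts switched to inside one window."""
    per_domain = defaultdict(list)
    for e in events:
        if e["field"] == "email" and "@" in e["new"]:
            domain = e["new"].rsplit("@", 1)[1].lower()
            if domain not in known:
                per_domain[domain].append((e["ts"], e["account"]))
    flagged = {}
    for domain, changes in per_domain.items():
        changes.sort()
        for i, (t0, _) in enumerate(changes):
            in_window = {acct for t, acct in changes[i:] if t - t0 <= window}
            if len(in_window) >= min_accounts:
                flagged[domain] = sorted(in_window)
                break
    return flagged


def email_then_shipping(events, within=timedelta(minutes=5)):
    """Accounts whose shipping address changed shortly after their email did."""
    last_email = {}
    hits = set()
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["field"] == "email":
            last_email[e["account"]] = e["ts"]
        elif e["field"] == "ship_addr" and e["account"] in last_email:
            if e["ts"] - last_email[e["account"]] <= within:
                hits.add(e["account"])
    return sorted(hits)


if __name__ == "__main__":
    evs = parse_events(EVENTS)
    print("shared shipping:", shared_shipping(evs))
    print("email domain burst:", email_domain_burst(evs))
    print("email then shipping:", email_then_shipping(evs))
```

On the constructed input, accounts 1001 to 1003 are reported by all three checks, while the genuine-looking changes on 2201 (a move to a common provider) and 2202 (a shipping address nobody else uses) are not. The thresholds are deliberately low for the eight-line sample; on a real customer database they would be tuned against the normal daily rate of profile changes.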

Smith also recommends that retailers not use a customer's email address as the account username, since that is the identifier most likely to appear in a stolen credential list. Instead, some retailers now assign a loyalty rewards number as the username.

"That reduces the usability of that account across multiple websites," Smith says.


About the Author

Jeremy Kirk

Managing Editor, Security and Technology, ISMG

Kirk is a veteran journalist who has reported from more than a dozen countries. Based in Sydney, he is Managing Editor for Security and Technology for Information Security Media Group. Prior to ISMG, he worked from London and Sydney covering computer security and privacy for International Data Group. Further back, he covered military affairs from Seoul, South Korea, and general assignment news for his hometown paper in Illinois.
