Each year, successful data breaches result in the exposure of millions of credentials—typically a username or email and password—that can be used by increasingly sophisticated cybercriminals to commit fraud. Credential stuffing, human emulation, and other fraud attacks leave merchants vulnerable to the costs of such a breach.
To learn more about the operational costs of fraud and what merchants can do to protect themselves and their customers, PaymentsJournal sat down with Robert Capps, VP of Marketplace Innovation at NuData Security and Tim Sloane, VP of Payments Innovation at Mercator Advisory Group.
What is credential stuffing?
Credential stuffing is when cybercriminals use stolen account credentials to successfully accomplish an account takeover. An account takeover is when fraudsters gain unauthorized access to consumers’ accounts. Scripts, bots, or other automated means can be used to determine whether the same credentials will grant the fraudster access to a customer’s account on another website.
“If [they] have a million credentials in a data set, [the fraudster] might run those million credentials through Amazon and Comcast, Google and Apple, and other high-value places where consumers may also have accounts,” explained Capps.
This type of attack depends on the expectation that consumers are using the same password across multiple sites. More often than not, this expectation is a reality. A consumer survey conducted by Google in 2019 found that two in three people recycle the same password across multiple accounts. Half reported using one specific favorite password for a majority of their accounts.
Using stolen account credentials isn’t a one-and-done deal. Rather, credentials can be bought, sold, copied, and traded. This makes it possible for data from one breach to be combined with past or future breaches to obtain additional passwords tied to a given username. This means that with each additional breach of consumer data, fraudsters have access to a richer and more valuable pool of data. As a result, their chances of successfully accessing accounts or assuming a consumer’s identity grows over time.
How successful is credential stuffing?
In the first half of 2020, 1.4% of credential stuffing attempts used correct credentials. While that may sound insignificant, it results in huge losses for merchants, especially since there were over 15 billion consumer records exposed via data breach in 2015 alone.
“Most organizations are under a constant onslaught of automated credential testing activity. It’s not hard to see a million credentials tested in an hour,” said Capps. “There’s so much happening that [merchants] may not be aware will eventually become a loss or have some sort of impact to [their] customer or to [their] business.”
Cybercriminals are exploiting non-traditional avenues to commit fraud
Modern day fraud extends well past gaining access to consumers’ bank accounts or card information to make unauthorized purchases. Today, automation makes it possible for fraudsters to quickly scour the internet to gain access to perks like loyalty points, rewards, and gift cards.
Capps underscored the importance of recognizing this type of threat. “There’s so many non-traditional monetary supporting systems for these fraudsters, but rewards points and such are a very poorly understood and not well-regarded area of exposure for organizations.” This risk exposure can occur either through a fraudster’s deliberate misuse of rewards points that belong to a legitimate customer, or through their generation of points for fraudulent accounts.
One organization learned the cost of exposure the hard way when a fraudster exploited their unique method of having customers engage with their rewards program. The merchant printed rewards numbers at the bottom of each paper receipt, which was handed to customers at the point of sale. Customers could then keep all of their paper receipts and eventually enter the numbers into an online rewards system to redeem their rewards.
But fraudsters discovered that the numbers at the bottoms of receipts were being generated using an algorithm that could be predicted. Automation afforded them the opportunity to verify a large number of receipts at once and add them onto fraudulent accounts. The merchant lost millions of dollars in value before recognizing what was happening.
In other words, explained Capps, “non-traditional abuse of [a merchant’s] business logic, marketing programs, and loyalty programs can have huge impacts to the bottom line of an organization.” Sloane agreed, noting that “being able to jump in front of that and identify other ways to [authenticate] the user is absolutely critical.”
Account takeovers trigger additional operational expenses
Fraud is costly for a number of reasons, but there is one area of impact that merchants frequently overlook: operational expenses.
If a merchant has a weak authentication and fraud prevention system in place and authorizes too many cards that are fraudulent, they could face steep fines and sanctions from card issuers that deem the merchant risky. More customer transactions can be declined as a result, leading to sunken costs from lost sales.
Other operational costs stem from specific types of attacks, like free trial and retail abuse. It’s common for individuals to use invalid credit cards or gift cards, or use other people’s information to set up free trials to streaming services like Netflix. While the simple solution is to close the account when the card is declined after the free trial, the streaming provider has already taken a financial hit when it gets to that point.
“There are fees associated with the streaming of content like licensing fees, royalties, and operational costs for serving content in the first place, which aren’t free. So a trial that fails to convert because of fraud costs the organization that provided that trial,” said Capps.
In addition, fraudsters who have their accounts closed after a free trial ends aren’t going to simply walk away. Instead, they will create another new fraudulent account and start their free trial all over again.
How merchants can break the cycle of fraud
The first step in addressing fraud losses is recognizing and acknowledging that the problem exists. Part of the problem is that many organizations and budgets are siloed across various departments. For example, rewards programs are often considered a marketing expense.
As a result, abuse of rewards programs don’t fall onto the fraud or risk teams to identify or mitigate. The rewards program appears successful to the marketing team, even if the rewards aren’t going to good customers or driving customer engagement.
“With these siloed impacts, there’s not always an accounting of all of these issues. So I think one of the things that [merchants] need to do to get a handle on this is acknowledge the fact that there are impacts to the budgets and to various parts of the organization [beyond] just fraud losses,” remarked Capps.
By establishing a better working relationship between the operations team, security team, and marketing team, and gaining a deeper understanding of how different programs are being misused, merchants can take the first steps in enacting the right solution. Oftentimes, this means deploying more advanced automation detection mechanisms to combat increasingly sophisticated human-emulating fraud attempts.
The key is stronger identity authentication
Fraudsters are more sophisticated than ever before. Merchants that let them slip through the cracks risk seeing increased operational expenses. By enacting stronger identity authentication, this risk can be mitigated.
NuData’s NuDetect is a product focused on the identification of human versus non-human reactions. The solution combines the power of four integrated security layers to verify users based on inherent behavior like typing rhythm and speed. “If we can subdivide the world into human and non-human at a very fine-tuned level, a lot of problems like credential stuffing and human emulating can be identified and potentially mitigated,” concluded Capps.