Phishing, account takeovers (ATOs) and other types of fraud are endemic in the retail industry, especially as more merchants migrate online during the pandemic, and fraudsters now have more resources than ever with which to conduct their attacks.
A study found that there are more than 15 billion consumer credentials circulating on the dark web, deposited there by massive data breaches that have spilled untold terabytes of consumers’ personal data into cyberspace.
Merchants therefore face a battle on two fronts: stopping hackers from spilling their customers’ personal data onto the open market and preventing bad actors from leveraging said data to infiltrate their systems. Failure to adequately counter both threats could have dire consequences for merchants, their customers and the retail industry as a whole.
In the May edition of the “Digital Fraud Tracker®,” PYMNTS explores the latest in fraud prevention developments, including how fraudsters are leveraging dark web marketplaces to gather resources for their attacks, the techniques they use to defraud merchants while armed with stolen data, and how merchants are keeping themselves and their customers safe from data breaches.
Developments From The Digital Fraud Space
The prevalence of dark web marketplaces, where personally identifiable information like usernames, passwords and Social Security numbers is bought and sold, has greatly contributed to the rise in identity theft. A study examined how much these credentials actually cost, with cloned credit card information selling for as little as $14 and a working PIN driving the price up to $25. Credit details for certain accounts are especially valuable, with stolen data for accounts with credit lines of up to $5,000 going for $240.
ATOs are an extremely common way to use stolen data harvested from the dark web. A study found that 45% of businesses globally have reported surges in instances of ATOs, and this growth has been attributed to users recycling passwords for various accounts. These passwords are often leaked in data breaches and used in credential stuffing attacks to compromise user accounts that share the same passwords.
Businesses are aware of the threat ATOs pose to themselves and their customers, but they may be underestimating the actual damage they cause. A survey found that 90% of IT executives at United States companies said ATOs cost them less than $500,000 in 2020, with 39% reporting losses of less than $100,000. Some clients of fraud prevention companies report that they deal with up to 30,000 ATO attacks every single day, however, for a total monthly loss of $100,000.
For more on these and other digital fraud news items, download this month’s Tracker.
How Slice Works To Counter Credential Stuffing Attacks
Fraudsters are constantly trying to attack merchants via credential stuffing schemes that leverage stolen credentials purchased from dark web marketplaces. Businesses have two objectives: prevent fraudsters from using stolen data to break in and safeguard user data from ending up on the dark web to begin with.
ATOs, credential stuffing attacks and other schemes that leverage stolen identities are commonplace, but most bad actors do not steal the information needed for these attacks themselves. These credentials are instead purchased in bulk from dark web marketplaces, where bad actors operate illicit digital bazaars that deal in stolen information.
This month’s Deep Dive explores how this data ends up on the dark web and how fraudsters employ it in their schemes.
About The Tracker