Hackers are targeting online loyalty card schemes because it is so easy for them to cash in by selling stolen login details to other criminals, Akamai has warned.
In its Loyalty for Sale – Retail and Hospitality Fraud report published today, Akamai reckoned that ne’er-do-wells began actively targeting retail, travel and hospitality sectors with a wave of credential-stuffing attacks that accelerated as the COVID-19 pandemic forced most retail activity onto the web.
“Criminals are not picky, anything that can be accessed can be used in some way,” said Steve Ragan, Akamai security researcher and author of the report. “This is why credential stuffing has become so popular over the past few years. These days, retail and loyalty profiles contain a smorgasbord of personal information, and in some cases financial information too. All of this data can be collected, sold, and traded or even compiled for extensive profiles that can later be used for crimes such as identity theft.”
Over a two year period – July 2018 to June 2020 – Akamai researchers said they had recorded a total of 63 billion credential-stuffing attacks targeting retail, hospitality and travel, with 90 per cent of those aimed squarely at online retailers.
Worse, it isn’t just cred-stuffing that retailers need to defend against. SQL injection attacks and Local File Inclusion attacks also stacked up, with SQLi making up “just under 79 per cent” of the four billion web application-based attacks against retail, travel and hospitality Akamai recorded over the two year sample period.
Between July 2018 and June 2020, Akamai observed more than 100 billion credential stuffing attacks in total. In the commerce category – comprising the retail, travel, and hospitality industries – there were 63,828,642,449 recorded. More than 90 per cent of the attacks in the commerce category targeted the retail industry.
“All businesses need to adapt to external events, whether it’s a pandemic, a competitor, or an active and intelligent attacker,” Ragan warned. “Some of the top loyalty programmes targeted require nothing more than a mobile number and a numeric password, while others rely on easily obtained information as a means of authentication. There is an urgent need for better identity controls and countermeasures to prevent attacks against APIs and server resources.”
Those loyalty schemes usually contain everything an identity thief needs to get started: names, addresses, phone numbers, card details, MFA settings and so on.
The full Loyalty for Sale – Retail and Hospitality Fraud report can be downloaded from Akamai’s site here. ®