It’s a serious and growing problem — and one many retailers fail to recognize until they or their customers have suffered significant losses.
It’s gift card fraud, one form of a bot-enabled attack called credential stuffing: botnets attempt to log in to a site in order to assume an identity, gather information, or steal money, gift cards or other goods. The fraudsters work from lists of usernames and passwords taken in security breaches of other sites.
In the case of gift card fraud, customers frequently blame the retail site or store they were patronizing when their gift cards or gift card account balances were stolen, damaging the store’s brand image and customer loyalty.
Patrick Sullivan, global director of security for intelligent edge cloud platform Akamai, says over 30 billion malicious credential stuffing login attempts were made from the beginning of November 2017 until the end of June 2018. These covered a broad range of attacks on all industries, not just retail.
From approximately 3 billion credential attacks per month in the fourth quarter of 2017, the number rose to some 8 billion attacks per month in the second quarter of 2018. Escalations of this kind are a main reason top internet retailers and U.S. retail brands use Akamai’s programs to improve website performance and to strengthen their own fraud protection departments.
“Having our servers close to end users allows us to control the performance of their dynamic web applications and is an optimal location for providing security services,” Sullivan says.
“We can do that whether users are on a mobile network, use a cable provider or corporate network. It doesn’t matter. We want to be close to wherever a potential buyer, anywhere around the world, could be when they want to shop a retail site.”
DETECT AND DISRUPT
In addition to providing protection from gift card fraud with a program called Bot Manager (developed with input from a large multichannel retailer that was the first customer using the system), Akamai protects against a wide variety of other possible attacks, including malware, phishing, data exfiltration, denial of service and other advanced attacks.
When gift card fraud happens online, Sullivan says, it’s the result of “an army of bots” trying to discover the passwords consumers use on a variety of sites, not just retailers. The passwords are then used to access the consumers’ accounts anywhere from a retail website to a bank.
“The fraudsters will start with a list of credentials sourced from the breach of another site,” he says. “They will use their botnet to attempt to log in to sites, validating which credentials are successful.”
“The next step after that is an account takeover, because a fraudster now has the credential to commandeer an account and defraud that customer’s account.”
He says the cost to the retailer is the direct fraud loss, damage to customer relationships, IT costs associated with supporting high levels of traffic from bots, and the human cost as security and fraud teams work to manage these attacks.
Gift cards are typically a preferred way to defraud consumers, Sullivan says, “because they’re so easy to move and harder to trace than currency taken from banks or credit card providers, and very easy for a fraudster to monetize by trading them or selling them on the web at a fraction of their value. A fraudster can monetize gift cards very quickly and safely.”
Fraudsters need bots to perform this type of fraud, he says, because it would be too expensive and “not economically viable” to do it with humans.
Akamai’s Bot Manager “detects bots and disrupts them until the bot operators get discouraged and stop turning a profit, at which point they often leave the site and move on to other victims.”
The technology doesn’t typically contribute to the arrests of fraudsters after gift cards have been stolen. Instead it discourages the fraudsters from continuing an attack that is not profitable for them.
Sullivan says a retail security manager recently told him he believed bot operators were clever and technically proficient enough to detect when his security people arrived at and left work, pinpointing the hours when his company’s fraud department was least staffed and most vulnerable.
“These bot operators are so sophisticated, they pay very close attention to what the fraud mitigation team is doing,” Sullivan says.
DEFEAT AND DISCOURAGE
To successfully defeat and discourage credential stuffing attacks, Sullivan advises that retailers use existing business logic alert programs to check for activities that don’t make sense, such as an online request to check the balance on a card that hasn’t been activated yet. Make sure clearly fraudulent activities raise an alert, and check for increased rates of failed login attempts or requests to check the balances of gift cards that are invalid.
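The business-logic checks described above can be expressed as simple rules run over the site's request log. The following is an added illustration written for this article, not code from Akamai or Bot Manager: it parses a few constructed log lines (synthetic, not real traffic) and raises an alert for a burst of failed logins from one source, for any balance check against a card that has not been activated, and for repeated balance checks against invalid card numbers. The log format, field names, time window and thresholds are all assumptions chosen for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events, one request per line (assumed format:
# "<timestamp> <event> key=value ..."). Addresses are documentation ranges.
SAMPLE_LOG = """\
2018-06-01T10:00:01Z login_fail src=203.0.113.5 user=alice
2018-06-01T10:00:02Z login_fail src=203.0.113.5 user=bob
2018-06-01T10:00:02Z login_fail src=203.0.113.5 user=carol
2018-06-01T10:00:03Z login_ok   src=203.0.113.5 user=dave
2018-06-01T10:00:04Z login_fail src=203.0.113.5 user=erin
2018-06-01T10:00:05Z login_fail src=203.0.113.5 user=frank
2018-06-01T10:00:09Z login_fail src=198.51.100.7 user=alice
2018-06-01T10:00:10Z login_ok   src=198.51.100.7 user=alice
2018-06-01T10:00:12Z balance    src=203.0.113.5 card=GC-1001 status=inactive
2018-06-01T10:00:13Z balance    src=203.0.113.5 card=GC-9999 status=invalid
2018-06-01T10:00:13Z balance    src=203.0.113.5 card=GC-9998 status=invalid
2018-06-01T10:00:14Z balance    src=203.0.113.5 card=GC-9997 status=invalid
2018-06-01T10:00:20Z balance    src=198.51.100.7 card=GC-2002 status=active
"""


def parse_line(line):
    """Split one log line into a dict with parsed timestamp and event name."""
    ts, event, *kvs = line.split()
    fields = dict(kv.split("=", 1) for kv in kvs)
    fields["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    fields["event"] = event
    return fields


def detect(log_text, window=timedelta(seconds=60), fail_limit=4, invalid_limit=3):
    """Return a list of alert tuples; thresholds are assumed values for the example.

    Rules:
      * fail_limit or more failed logins from one source inside the window
        (the distinct usernames tried is reported, since one source cycling
        through many accounts is the credential-stuffing pattern);
      * any balance check on a card whose status is 'inactive' (not yet activated);
      * invalid_limit or more balance checks on invalid card numbers from one source.
    """
    alerts = []
    fails = defaultdict(deque)     # src -> deque of (ts, user) inside the window
    invalids = defaultdict(deque)  # src -> deque of ts inside the window
    fired = set()                  # fire each rate rule once per source

    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        src, ts = ev["src"], ev["ts"]

        if ev["event"] == "login_fail":
            q = fails[src]
            q.append((ts, ev.get("user", "?")))
            while q and ts - q[0][0] > window:
                q.popleft()
            if len(q) >= fail_limit and ("fail", src) not in fired:
                fired.add(("fail", src))
                distinct_users = len({user for _, user in q})
                alerts.append(("failed_login_burst", src, len(q), distinct_users))

        elif ev["event"] == "balance":
            status = ev.get("status")
            if status == "inactive":
                # Business-logic rule: nobody legitimately checks an unactivated card.
                alerts.append(("balance_on_unactivated_card", src, ev["card"]))
            elif status == "invalid":
                q = invalids[src]
                q.append(ts)
                while q and ts - q[0] > window:
                    q.popleft()
                if len(q) >= invalid_limit and ("invalid", src) not in fired:
                    fired.add(("invalid", src))
                    alerts.append(("invalid_card_probing", src, len(q)))

    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The sliding window is kept per source address only to stay short; in practice the same counters should also be keyed per account and per card number, since a distributed botnet spreads attempts across many addresses while still hitting the same small set of accounts.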
He says retailers also should encourage the use of unique, longer passwords and gift card personal identification numbers that are harder for fraudsters to find and steal. In physical stores, make sure there is strong protection around gift cards.
“If fraud prevention detects and sees an online attack, don’t try to block it in an obvious way,” Sullivan says, “because fraudsters will immediately figure out how you’re detecting them and start to evade. Be careful how you manage these cases of abuse that are detected.”
Akamai issues deceptive responses to bots, he says, “such as the message that would typically be used to communicate a password is invalid even though it isn’t, or report an account doesn’t exist even if it does. These are messages designed to slow down the ability of a bot operator to detect that they have been spotted.”
Bot Manager can also tell whether a request comes from a human, who tends to move the mouse a little clumsily, or from an automated bot, which goes to the password sign-in in a straight, efficient line every time.
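To make the pointer-path heuristic concrete, here is an added toy implementation written for this article; it is not Akamai's code and Bot Manager's actual signals are not public. It scores a recorded pointer path by how much longer it is than the straight line between its endpoints and by how far it wanders from that line; a scripted pointer typically produces a near-perfect straight line on both measures. The two paths and the thresholds are constructed for the example.

```python
import math

# Constructed pointer paths (pixel coordinates sampled along a move to a sign-in field).
BOT_PATH = [(0, 0), (25, 10), (50, 20), (75, 30), (100, 40)]            # perfectly collinear
HUMAN_PATH = [(0, 0), (20, 15), (45, 12), (70, 35), (95, 30), (100, 40)]  # jittery


def path_stats(points):
    """Tortuosity (path length / straight-line distance) and the largest
    perpendicular distance of any sample from the start-to-end line."""
    (x0, y0), (x1, y1) = points[0], points[-1]
    straight = math.hypot(x1 - x0, y1 - y0)
    if straight == 0:
        return None  # pointer did not move; nothing to measure
    length = sum(math.hypot(bx - ax, by - ay)
                 for (ax, ay), (bx, by) in zip(points, points[1:]))
    # |cross product| / |line| gives the perpendicular distance from the line.
    deviation = max(abs((x - x0) * (y1 - y0) - (y - y0) * (x1 - x0)) / straight
                    for x, y in points)
    return {"ratio": length / straight, "deviation": deviation}


def classify_pointer_path(points, min_ratio=1.02, min_deviation=3.0):
    """Label a path 'automated' when it is both nearly shortest-possible and
    nearly collinear; thresholds are assumed values for the example."""
    if len(points) < 3:
        return "insufficient"
    stats = path_stats(points)
    if stats is None:
        return "insufficient"
    if stats["ratio"] < min_ratio and stats["deviation"] < min_deviation:
        return "automated"
    return "human-like"


if __name__ == "__main__":
    for name, path in (("bot", BOT_PATH), ("human", HUMAN_PATH)):
        print(name, path_stats(path), classify_pointer_path(path))
```

On its own a geometric score like this is easy to defeat, which is exactly why the article describes it as one signal among several and why Sullivan warns against blocking in an obvious way; its value is in combination with the rate and business-logic checks, not as a standalone gate.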
“Ultimately, we want to stop the attack before there is fraud, before something happens that needs to be tracked down,” Sullivan says, “especially with individual gift cards, which could be in the low-end range of value, thefts low enough in value that police would not typically choose to pursue.”
Bot Manager is designed to “impact a fraudster’s economic incentives to commit fraud. They’re all very profit-motivated, so if they’re not making money on one type of fraud, they’ll move to something different.”
Currently almost 400 of Akamai’s total customers are using Bot Manager; about 46 percent of them are retailers. Sullivan says Akamai’s systems are constantly changing and evolving as fraudsters adapt to detection techniques by developing new and creative ways to attack.
If “you can take away or slow down the automated attack,” Sullivan says, “retailers can mitigate the attack, either preventing or forcing bot operators to spend time trying to find a way around it or to move on to a more attractive target where their automation can be more successful.”
Online retailers, he says, “tell us that when you take away the bots, their fraud losses can drop 90 percent for the online channel.”