by jhinra on 7/18/2018, 4:56:01 PM
by vxNsr on 7/18/2018, 4:32:25 PM
I recently joined a website that did away with passwords; the only way to log in was to enter your email address and confirm by pressing a link in the email. While this adds a pain point for customers, it offloads most security implications onto the email provider.
by tribune on 7/18/2018, 3:52:27 PM
This makes sense given how often they'd fail. When I log in it takes me one attempt. When someone is using stolen credentials they might have to make hundreds of attempts before actually logging in.
by hellofunk on 7/18/2018, 6:03:17 PM
My Macy’s account was hacked just this week. I got an email that my shipping address changed, and I logged in and saw several hundred dollars' worth of pending items in the shopping cart.
by dahart on 7/18/2018, 5:33:32 PM
Any time I start an ssh server for myself on a publicly accessible IP, hackers account for roughly 100% of login attempts. The legit logins are in the noise, and dictionary attacks on username and password fill the logs. With decent passwords, it's not much concern, but nowadays, I disable password logins completely.
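A way to measure what the comment above describes on your own server, as an added example that is not part of the thread: it parses sshd auth-log lines and reports the share of failed logins and the sources guessing many usernames. The sample lines are constructed, and the `summarize` function and its `min_users` threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in OpenSSH's usual syslog format (documentation-range IPs).
SAMPLE_LOG = """\
Jul 18 10:00:01 host sshd[1001]: Failed password for invalid user admin from 203.0.113.7 port 40001 ssh2
Jul 18 10:00:03 host sshd[1002]: Failed password for root from 203.0.113.7 port 40002 ssh2
Jul 18 10:00:05 host sshd[1003]: Failed password for invalid user test from 203.0.113.7 port 40003 ssh2
Jul 18 10:00:07 host sshd[1004]: Failed password for invalid user oracle from 203.0.113.7 port 40004 ssh2
Jul 18 10:01:10 host sshd[1005]: Failed password for root from 198.51.100.23 port 51500 ssh2
Jul 18 10:01:12 host sshd[1006]: Failed password for invalid user pi from 198.51.100.23 port 51501 ssh2
Jul 18 10:02:00 host sshd[1007]: Accepted publickey for alice from 192.0.2.10 port 52200 ssh2: ED25519 SHA256:EXAMPLE
Jul 18 10:02:30 host sshd[1008]: Failed password for root from 203.0.113.7 port 40005 ssh2
Jul 18 10:02:31 host sshd[1008]: Connection closed by 203.0.113.7 port 40005 [preauth]
"""

# One authentication result per line: outcome, method, username, source address.
EVENT = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) (?P<method>password|publickey) "
    r"for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def summarize(log_text, min_users=3):
    """Count login outcomes and list sources that failed against many usernames.

    min_users is an assumed threshold: a source that fails with at least this
    many distinct usernames is treated as a dictionary attack.
    """
    failed = accepted = 0
    users_by_ip = defaultdict(set)
    for line in log_text.splitlines():
        m = EVENT.search(line)
        if not m:
            continue  # not an authentication result line
        if m["result"] == "Accepted":
            accepted += 1
        else:
            failed += 1
            users_by_ip[m["ip"]].add(m["user"])
    total = failed + accepted
    guessers = sorted(ip for ip, users in users_by_ip.items() if len(users) >= min_users)
    return {
        "attempts": total,
        "failed_share": failed / total if total else 0.0,
        "password_guessers": guessers,
    }

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```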
by baybal2 on 7/18/2018, 4:13:38 PM
This has to do with affiliate schemes. Payouts for them are quite solid.
Clickfraud people, I think, count on the fact that for huge e-retailers, it takes months to take action, and they can cash out affiliate payouts faster than they react.
by JustSomeNobody on 7/18/2018, 4:08:33 PM
Article doesn't talk about what they're doing to mitigate the problem. Well, except tell the reader to change their passwords. So are online retailers just hoping the problem goes away?
by IdontRememberIt on 7/22/2018, 2:08:57 PM
On our site, for an unknown reason, almost 80% of the hacked accounts used are with @outlook, @hotmail, @live, etc. domains. It does not look like they got the credentials from a massive leak. The issue with that is that the hacker deletes our warning/advice emails. Not a funny situation to handle. Any idea about the source?
by hartator on 7/18/2018, 4:52:38 PM
Only 90%?
I don't buy these numbers at all. 90% seems stupid high for retail. From the report,
"[...] we rely on data from the Shape Network. Across the US, Shape’s customers represent: [..] 40% of Mobile Retail (by in-store payments)."
"We estimated the number of credential stuffing attacks using the total number of credential stuffing attacks observed on Shape’s US customers and the total proportion of the US industry our customers represent."
I'm really wracking my brain over how they're measuring their market share of retail. Mobile retail as measured by in-store payments? Can someone explain that to me?
Bottom line, this data comes from a company whose value proposition is that they sit between your company's servers and your clients and filter bad requests for you.