by jhinra 2892 days ago
I don't buy these numbers at all. 90% seems stupid high for retail. From the report,

"[...] we rely on data from the Shape Network. Across the US, Shape’s customers represent: [..] 40% of Mobile Retail (by in-store payments)."

"We estimated the number of credential stuffing attacks using the total number of credential stuffing attacks observed on Shape’s US customers and the total proportion of the US industry our customers represent."

I'm really wracking my brain how they're measuring their marketshare of retail. Mobile retail as measured by in-store payments? Can someone explain that to me?

Bottom line, this data comes from a company whose value proposition is that they sit between your company's servers and your clients and filters bad requests for you.


Bottom line, this data comes from a company whose value proposition is that they sit between your company's servers and your clients and filters bad requests for you.

Bottom line, this data comes from a company in a unique position to see all inbound logins on a large number of e-commerce web sites that random HN cynic can't.

FTFY.

A single source of abuse can easily tilt login statistics.

In a recent compromise that I assisted on, the attacker tried 9,000 different credentials before landing on something that worked. This is on a relatively small site that has maybe 100 legitimate logins per day. On larger, more attractive sites, the ratio would only increase as you'd have multiple concurrent attackers trying everything in their combos lists.

We've since built out a small pile of software to detect and prevent this and similar kinds of abuse. It's not yet SOP for small ecommerce sites, but it should be.

...or just use Shopify and let them deal with it.

Why would you think 90% is high? That's only 9 in 10. Remember, attackers using dictionary attacks are going to be trying hundreds or thousands of log in attempts, and a real user is only going to try at most a handful of times.

You don't need that many attackers to easily approach 99% or higher. I'd say 90% is likely conservative for some companies.

I think 90% is high for a few reasons:

1) Rate limiting of login attempts takes a bite out of the large numbers you're talking about. If we are only looking at retail companies without rate limiting, well, duh, I guess >90% makes sense, but I expect a large portion of the global e-commerce retail segment _does_ employ rate limiting of logins.

2) The report lists, "Averages derived from customers’ login traffic before Shape Enterprise Defense was deployed on login applications" - so this is absolutely a biased sample. These are clients that signed up for help stopping this problem.

3) It bugs me how ambiguous the report is about how they aggregate to 90%. I worry it's a simple [total fraudulent logins] / [total login attempts] across all their client retailers, which will be heavily biased by the retailers that don't have login limiting, and doesn't really describe the situation. A much better number I'd like is the median percentage of fraudulent logins attempts across retailers.
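The detection problem described a few comments up (one source trying thousands of credentials against a site that sees about a hundred legitimate logins a day) and the pooled-versus-median point made here can both be shown on constructed data. The Python below is an added example, not code from the thread or from Shape: the log format, the flagging thresholds and the traffic counts are assumptions chosen for illustration, and the heuristic (a source that tries many distinct usernames, or fails almost every attempt, is treated as stuffing) is one simple approach, not the one any poster built.

```python
"""
Credential-stuffing triage over constructed login logs (added example).

Assumed log format (not from the thread), one attempt per line:
    "<site> <source_ip> <username> <ok|fail>"
Heuristic (illustrative thresholds): a source IP on a site is flagged as a
stuffing source if it made at least MIN_ATTEMPTS attempts and either tried
at least MIN_DISTINCT_USERS different usernames or failed at least
MIN_FAIL_RATIO of its attempts. Real deployments tune these per site.
"""
from collections import defaultdict
from statistics import median

MIN_ATTEMPTS = 20
MIN_DISTINCT_USERS = 10
MIN_FAIL_RATIO = 0.9


def constructed_log():
    """Deterministic, constructed sample traffic for three hypothetical shops."""
    lines = []
    # shop-a: no login rate limiting. One source sprays 900 distinct leaked
    # credentials and two of them work; ~100 legitimate customers log in.
    for i in range(900):
        result = "ok" if i in (17, 402) else "fail"
        lines.append(f"shop-a 203.0.113.10 user{i}@example.com {result}")
    for i in range(100):
        lines.append(f"shop-a 192.0.2.{i % 50 + 1} cust{i}@example.com ok")
    for i in range(10):
        lines.append(f"shop-a 192.0.2.{i + 1} cust{i}@example.com fail")
    # shop-b: rate limiting cuts the same kind of source off after 30 tries.
    for i in range(30):
        lines.append(f"shop-b 198.51.100.5 user{i}@example.com fail")
    for i in range(100):
        lines.append(f"shop-b 192.0.2.{i % 50 + 1} cust{i}@example.com ok")
    for i in range(15):
        lines.append(f"shop-b 192.0.2.{i + 1} cust{i}@example.com fail")
    # shop-c: no attack at all, just customers mistyping now and then.
    for i in range(100):
        lines.append(f"shop-c 192.0.2.{i % 50 + 1} cust{i}@example.com ok")
    for i in range(5):
        lines.append(f"shop-c 192.0.2.{i + 1} cust{i}@example.com fail")
    return lines


def parse(lines):
    """Turn log lines into (site, ip, username, succeeded) tuples."""
    events = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        site, ip, user, result = line.split()
        events.append((site, ip, user, result == "ok"))
    return events


def stuffing_sources(events):
    """Return {site: set(ip)} of sources matching the heuristic above."""
    per_source = defaultdict(lambda: {"n": 0, "fail": 0, "users": set()})
    for site, ip, user, ok in events:
        s = per_source[(site, ip)]
        s["n"] += 1
        s["fail"] += 0 if ok else 1
        s["users"].add(user)
    flagged = {}
    for (site, ip), s in per_source.items():
        if s["n"] < MIN_ATTEMPTS:
            continue
        many_users = len(s["users"]) >= MIN_DISTINCT_USERS
        mostly_failing = s["fail"] / s["n"] >= MIN_FAIL_RATIO
        if many_users or mostly_failing:
            flagged.setdefault(site, set()).add(ip)
    return flagged


def malicious_share(events):
    """Per-site fraction of attempts from flagged sources, plus the pooled
    fraction (all bad attempts / all attempts) and the median across sites.
    The pooled number is dominated by whichever site lets the attacker run
    unthrottled; the median is not."""
    flagged = stuffing_sources(events)
    total, bad = defaultdict(int), defaultdict(int)
    for site, ip, _, _ in events:
        total[site] += 1
        if ip in flagged.get(site, ()):
            bad[site] += 1
    per_site = {site: bad[site] / total[site] for site in total}
    pooled = sum(bad.values()) / sum(total.values())
    return per_site, pooled, median(per_site.values())


if __name__ == "__main__":
    ev = parse(constructed_log())
    print("flagged sources:", stuffing_sources(ev))
    per_site, pooled, med = malicious_share(ev)
    for site, share in sorted(per_site.items()):
        print(f"{site}: {share:.1%} of login attempts from flagged sources")
    print(f"pooled: {pooled:.1%}   median across sites: {med:.1%}")
```

On this constructed traffic the unthrottled shop sits near 89% malicious, the rate-limited one near 21%, the untouched one at 0%; pooling everything gives roughly 74% while the median is 21%, which is exactly the gap the comment above is worried about. The same per-source counters (attempts, distinct usernames, failure ratio) are also the natural inputs for a blocking decision, with a note that attackers spreading one combo list over many proxy IPs will stay under MIN_ATTEMPTS per IP and need a per-account or global view instead.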

1) Proxies and botnets obscure origin and make attacks appear globally distributed so basic rate limiting has little effect on these attacks.

2) Extrapolated averages on incomplete data are certainly suspect; they are meant to be taken with a grain of salt and are most applicable to people in the affected industries, for them to validate against their own data. FWIW, the highest percentage of malicious, automated traffic that I've seen has been 99%, which, yes, is crazy and should sound unbelievable.

3) Noted, definitely. It is certainly a tough number to nail down because it is very dependent on all the things you mention. I trust our data because we've been at this the longest, were the earliest, and we see a lot of the unadulterated attack traffic that has gotten through many existing defenses so we see the stark difference on day one.

Disclaimer: I contributed to the report in question (but was not consulted or related to the posted article)

Most legitimate users will also not have to log in each time they visit, making the ratio even less surprising.

I think an important thing is that you should consider that attackers will log in at the maximum rate limit allowed. The traffic may even be greater than the rate limit, and they'll have some requests dropped by the server. But it still represents an attempted login regardless.

So, yes, even with rate limiting, you can still easily hit 99% fraudulent attempts. Obviously you'd be foolish to actually process all of those, and likely the attackers would realize they were rate limited and would slow down in their own best interest, but it's not a guarantee that they actually do obey the rate limit.

A large retailer in the UK that I'd done PCI work for 3 years ago had similar figures in the mid 80%; that accounts for all attempts, not successful ones.

Another anecdote is that even non-compromised accounts that were not regularly used had on average 4 failed attempts before a successful login with password recovery used in more than 50% of these cases, to the point where the majority of all login attempts were failed attempts.

The “compromised” accounts were identified by using information from fraud detection services and accounts that did not complete a password recovery after multiple failed attempts, as well as a few other indicators.

While I understand your skepticism you need to understand just how common this issue is.

When hackers/fraudsters get any set of credentials from a leak or phishing, they try it on 100s if not 1000s of sites. Multiply that by the number of fraudsters and hacking groups that sell login details in bulk and it's essentially the spam of the internet world.

Data point of one incoming. I work in ecommerce. 90% seems stupid low, based on our data.

A couple years ago we were seeing a dozen or so successful login requests per minute against a background of ~40 unsuccessful requests per second.

We were forced to implement rate-limiting on logins, which has resulted in more than a few customer service headaches. But it's now the reality of online retail.

I'll add another data point, from the consumer telecoms industry. 90% feels way too high from what we had to deal with, even prior to implementing rate-limiting and other defences.

We ended up tracking actors as they switched up their techniques to evade us and our defences, and ended up learning a lot about credential stuffing, the tools involved and some of the motives behind them attacking lesser-known websites. We ended up blogging about our findings, should anyone else have to deal with this cat and mouse fun: https://breachinsider.com/blog/2017/credential-stuffing-how-...

I worked at a very large e-commerce player, these numbers jive with my experience. Most people have their password saved in their browser, or get it right the first time. Maybe they screw up a few times, whatever. They may even have to reset, but they are in now, and you won't see a bad attempt from them for awhile.

Then you have Mr. Hacker, who is just going to spam the crap out of you until you actively stop him. If he is not so smart, he will go all in and try to brute force you from a single box as fast as he can. Smarter guys will rate limit themselves, even smarter guys will use botnets and VPNs. At this point time is on their side, they can just spray and pray, and even diversify their attempts by not just focusing on amazon.com, but hitting amazon, then target, then ebay, etc... you can now still be making whatever number of attempts per second, but fly under the radar (hopefully) of rate limiters and such.

Rate limiters and other counter measures help, but the point is that the bad guys are going to just keep trying and trying, while typical user flow is at most a few attempts. These attacks are almost always from overseas, particularly Russia, and so they have little fear of consequences.