[ggggtez]

Why would you think 90% is high? That's only 9 in 10. Remember, attackers using dictionary attacks are going to be trying hundreds or thousands of log in attempts, and a real user is only going to try at most a handful of times.

You don't need that many attackers to easily approach 99% or higher. I'd say 90% is likely conservative for some companies.

[jhinra]

I think 90% is high for a few reasons:

1) Rate limiting of login attempts takes a bite out of the large numbers you're talking about. If we are only looking at retail companies without rate limiting, well, duh, I guess >90% makes sense, but I expect a large portion of the global e-commerce retail segment _does_ employ rate limiting of logins.

2) The report lists, "Averages derived from customers’ login traffic before Shape Enterprise Defense was deployed on login applications" - so this is absolutely a biased sample. These are clients that signed up for help stopping this problem.

3) It bugs me how ambiguous the report is about how they aggregate to 90%. I worry it's a simple [total fraudulent logins] / [total login attempts] across all their client retailers, which will be heavily biased by the retailers that don't have login limiting, and doesn't really describe the situation. A much better number I'd like is the median percentage of fraudulent logins attempts across retailers.

[jsoverson]

1) Proxies and botnets obscure origin and make attacks appear globally distributed so basic rate limiting has little effect on these attacks.

2) Extrapolated averages on incomplete data are certainly suspect, they are meant to be taken with a grain of salt and are most applicable to people in the affected industries for them to validate against their own data. FWIW The highest percentage of malicious, automated traffic that I've seen has been 99% which, yes, is crazy and should sound unbelievable.

3) Noted, definitely. It is certainly a tough number to nail down because it is very dependent on all the things you mention. I trust our data because we've been at this the longest, were the earliest, and we see a lot of the unadulterated attack traffic that has gotten through many existing defenses so we see the stark difference on day one.

Disclaimer: I contributed to the report in question (but was not consulted or related to the posted article)

[thunfischbrot]

Most legitimate users will also not have to log in each time they visit, making the ratio even less surprising.

[ggggtez]

I think an important thing is that you should consider that attackers will log in at the maximum rate limit allowed. The traffic may even be greater than the rate limit, and they'll have some requests dropped by the server. But it still represents and attempted login regardless.

So, yes, even with rate limiting, you can still easily hit 99% fradulent attempts. Obviously you'd be foolish to actually process all of those, and likely the attackers would realize they were rate limited and would slow down for their own best interest, but it's not a guarantee that they actually do obey the rate limit.