by jhinra 2892 days ago
I think 90% is high for a few reasons:

1) Rate limiting of login attempts takes a bite out of the large numbers you're talking about. If we are only looking at retail companies without rate limiting, well, duh, I guess >90% makes sense, but I expect a large portion of the global e-commerce retail segment _does_ employ rate limiting of logins.

2) The report lists, "Averages derived from customers’ login traffic before Shape Enterprise Defense was deployed on login applications" - so this is absolutely a biased sample. These are clients that signed up for help stopping this problem.

3) It bugs me how ambiguous the report is about how they aggregate to 90%. I worry it's a simple [total fraudulent logins] / [total login attempts] across all their client retailers, which will be heavily biased by the retailers that don't have login limiting, and doesn't really describe the situation. A much better number I'd like is the median percentage of fraudulent login attempts across retailers.

2 comments

1) Proxies and botnets obscure origin and make attacks appear globally distributed so basic rate limiting has little effect on these attacks.

2) Extrapolated averages on incomplete data are certainly suspect; they are meant to be taken with a grain of salt and are most applicable to people in the affected industries for them to validate against their own data. FWIW, the highest percentage of malicious, automated traffic that I've seen has been 99% which, yes, is crazy and should sound unbelievable.

3) Noted, definitely. It is certainly a tough number to nail down because it is very dependent on all the things you mention. I trust our data because we've been at this the longest, were the earliest, and we see a lot of the unadulterated attack traffic that has gotten through many existing defenses so we see the stark difference on day one.

Disclaimer: I contributed to the report in question (but was not consulted or related to the posted article)

Most legitimate users will also not have to log in each time they visit, making the ratio even less surprising.
I think an important thing is that you should consider that attackers will log in at the maximum rate limit allowed. The traffic may even be greater than the rate limit, and they'll have some requests dropped by the server. But it still represents an attempted login regardless.

So, yes, even with rate limiting, you can still easily hit 99% fraudulent attempts. Obviously you'd be foolish to actually process all of those, and likely the attackers would realize they were rate limited and would slow down for their own best interest, but it's not a guarantee that they actually do obey the rate limit.
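As an added example (not code from the thread or from the report), this models the two aggregation choices argued about above: the pooled [total fraudulent] / [total attempts] ratio versus the per-retailer median, and it counts attempts the attacker sent separately from attempts the rate limiter actually let the server process, which is the distinction the last comment draws. All retailer names and counts are constructed.

```python
from statistics import median
from typing import NamedTuple, Optional

class Retailer(NamedTuple):
    name: str
    legit: int          # logins by real customers in the window
    bad_attempts: int   # credential-stuffing attempts the attacker actually sent
    cap: Optional[int]  # attempts the rate limiter will process in the window; None = no limiting

# Constructed sample data, not figures from the report or the thread.
RETAILERS = [
    Retailer("shop-a", 10_000, 50_000, 20_000),
    Retailer("shop-b", 20_000, 30_000, None),
    Retailer("shop-c", 5_000, 2_000_000, None),  # one unprotected site dominates the pool
    Retailer("shop-d", 8_000, 12_000, 4_000),
]

def bad_count(r: Retailer, processed: bool) -> int:
    """Attempts sent, or only those the rate limiter let through to be checked."""
    if processed and r.cap is not None:
        return min(r.bad_attempts, r.cap)
    return r.bad_attempts

def fraud_share(r: Retailer, processed: bool = False) -> float:
    """Fraction of one retailer's login attempts that are fraudulent."""
    bad = bad_count(r, processed)
    return bad / (r.legit + bad)

def pooled_share(rows, processed: bool = False) -> float:
    """Total fraudulent / total attempts across all retailers (the aggregate the first comment suspects)."""
    bad = sum(bad_count(r, processed) for r in rows)
    return bad / (sum(r.legit for r in rows) + bad)

def median_share(rows, processed: bool = False) -> float:
    """Median of per-retailer shares (the figure the first comment asks for)."""
    return median(fraud_share(r, processed) for r in rows)

if __name__ == "__main__":
    for processed in (False, True):
        label = "processed by server" if processed else "attempted (incl. rate-limited)"
        print(f"{label}: pooled={pooled_share(RETAILERS, processed):.1%} "
              f"median={median_share(RETAILERS, processed):.1%}")
```

With these numbers the pooled ratio stays near 98% whichever way you count, because the one unlimited retailer swamps the total, while the median drops from about 72% to about 63% once rate limiting is taken into account.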