by kevstev 2893 days ago
I worked at a very large e-commerce player; these numbers jibe with my experience. Most people have their password saved in their browser, or get it right the first time. Maybe they screw up a few times, whatever. They may even have to reset, but they are in now, and you won't see a bad attempt from them for a while.

Then you have Mr. Hacker, who is just going to spam the crap out of you until you actively stop him. If he is not so smart, he will go all in and try to brute force you from a single box as fast as he can. Smarter guys will rate limit themselves; even smarter guys will use botnets and VPNs. At this point time is on their side: they can just spray and pray, and even diversify their attempts by not just focusing on amazon.com, but hitting amazon, then target, then ebay, etc. You can now still be making whatever number of attempts per second, but fly under the radar (hopefully) of rate limiters and such.

Rate limiters and other countermeasures help, but the point is that the bad guys are going to just keep trying and trying, while typical user flow is at most a few attempts. These attacks are almost always from overseas, particularly Russia, and so they have little fear of consequences.
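The comment contrasts two failed-login patterns: a legitimate user who fumbles a couple of times and then gets in, versus an attacker who either hammers from one box or spreads low-rate attempts across many sources so that no single IP trips a per-source limit. The script below is an added example (not the commenter's code or any site's real tooling) showing how a defender can separate those on the server side: a per-source sliding window catches the single-box case, and a global window that counts distinct sources and distinct accounts catches the distributed case that per-IP rate limiting misses. The log lines, IP addresses, thresholds and window sizes are all constructed for illustration.

```python
"""Failed-login pattern analysis over constructed sample logs (added example)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log, not real traffic. One line per attempt:
# "<ISO timestamp> <account> <source IP> <FAIL|OK>"
# alice: typical user, two typos then success.
# 203.0.113.7: one box hammering bob's account.
# 192.0.2.x: six sources, one failure each, six different accounts
#            (each source stays under the per-source threshold).
SAMPLE_LOG = """\
2024-03-01T10:00:00 alice 198.51.100.10 FAIL
2024-03-01T10:00:06 alice 198.51.100.10 FAIL
2024-03-01T10:00:15 alice 198.51.100.10 OK
2024-03-01T10:01:00 bob 203.0.113.7 FAIL
2024-03-01T10:01:01 bob 203.0.113.7 FAIL
2024-03-01T10:01:02 bob 203.0.113.7 FAIL
2024-03-01T10:01:03 bob 203.0.113.7 FAIL
2024-03-01T10:01:04 bob 203.0.113.7 FAIL
2024-03-01T10:01:05 bob 203.0.113.7 FAIL
2024-03-01T10:02:00 carol 192.0.2.1 FAIL
2024-03-01T10:02:10 dave 192.0.2.2 FAIL
2024-03-01T10:02:20 erin 192.0.2.3 FAIL
2024-03-01T10:02:30 frank 192.0.2.4 FAIL
2024-03-01T10:02:40 grace 192.0.2.5 FAIL
2024-03-01T10:02:50 heidi 192.0.2.6 FAIL
"""


def parse_log(text):
    """Return a time-sorted list of (timestamp, account, source, succeeded)."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, source, result = line.split()
        records.append((datetime.fromisoformat(ts), account, source, result == "OK"))
    return sorted(records)


def noisy_sources(records, window=timedelta(seconds=60), threshold=5):
    """Sources that accumulate `threshold` failures inside any `window`.

    A user who fails twice and then logs in never reaches the threshold,
    so this only fires on sustained failure from a single source.
    """
    recent = defaultdict(deque)  # source -> timestamps of recent failures
    flagged = set()
    for ts, _account, source, ok in records:
        if ok:
            continue
        q = recent[source]
        q.append(ts)
        while q and ts - q[0] > window:  # drop failures outside the window
            q.popleft()
        if len(q) >= threshold:
            flagged.add(source)
    return flagged


def distributed_spray(records, window=timedelta(seconds=60),
                      min_sources=5, min_accounts=5):
    """Windows in which many distinct sources fail against many distinct accounts.

    Each source may stay below the per-source threshold; the signal is the
    aggregate, which a per-IP rate limiter never sees. Returns a list of
    (window_start, window_end, distinct_sources, distinct_accounts).
    """
    failures = [(ts, acct, src) for ts, acct, src, ok in records if not ok]
    alerts = []
    start = 0
    for end, (ts, _acct, _src) in enumerate(failures):
        while ts - failures[start][0] > window:
            start += 1
        span = failures[start:end + 1]
        sources = {s for _, _, s in span}
        accounts = {a for _, a, _ in span}
        if len(sources) >= min_sources and len(accounts) >= min_accounts:
            alerts.append((failures[start][0], ts, len(sources), len(accounts)))
    return alerts


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("single-source hammering:", sorted(noisy_sources(recs)))
    for w_start, w_end, n_src, n_acct in distributed_spray(recs):
        print(f"spray {w_start.time()}-{w_end.time()}: "
              f"{n_src} sources, {n_acct} accounts")
```

In production the same two counters would be kept in a shared store (so a fleet of login servers sees one global window) and the distributed-spray alert would feed a step-up challenge or a temporary global tightening rather than a per-IP block, since blocking individual botnet addresses does little against the pattern the comment describes.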