IT Brief Australia - Technology news for CIOs & IT decision-makers
Australian etailers’ reality check on Account Takeover Threat
Tue, 23rd Jan 2024

Australian e-commerce retailers (etailers) have been put on notice by the fallout from an apparent account takeover (ATO) campaign that targeted one of their own. If their focus on cybersecurity and anti-fraud mechanisms wasn't already sharpened by the general goings-on in the broader business environment, it surely is now.

The incident, of course, isn't an isolated one but a continuation of a pattern of attacks against retailers and e-commerce providers worldwide.

These attacks are often automated and abuse some of the key technological building blocks that form a crucial part of e-commerce service delivery.

An indispensable component of this technological framework is the application programming interface, or API. APIs have infiltrated every part of the e-commerce chain. They deliver browsing or search results to customers seeking information on prospective purchases; they verify inventory status at the click of a mouse, loading a digital shopping cart; and they generate the checkout process, complete with credit card validation and email and shipping confirmation of purchase.

Some APIs are built by e-tailers themselves; others are produced by third parties as a way for their services to be integrated into an existing e-commerce delivery chain. These additional services often enable new features to be delivered to customers or the addition of anti-fraud checks and balances. But they also expand the size and attack surface of the e-commerce environment, and the risks of APIs being exploited as a doorway into the environment - or abused to extract valuable data - need to be mitigated.

Importantly, attacks and abuse of APIs by threat actors and bots don't happen only to e-tailers with sub-optimal security settings. Securely coded apps and APIs are also subjected to attacks and business logic abuse.

Attacks can lead to account takeover, which sees the attack carried out against log-in APIs and can lead to card or points theft, fraudulent purchases, or items being resold for profit. Or it might result in content scraping for attack reconnaissance or data exfiltration purposes. APIs are used to call inventory and pricing databases, enabling the extraction of the desired content, such as pricing, part numbers, and product descriptions.

Whatever the goal of the attackers, e-tailers must remain one step ahead in detecting and stopping attackers from compromising their APIs.

Detection and mitigation across the e-commerce chain

A common way that e-tailers try to distinguish real buyers from bots is by using firewalls and volumetric anomaly detectors. These look for automated threats by analysing entropy, which is the unpredictability and variance of human behaviour. However, they are ineffective when traffic to an e-tailer's website surges, such as during big sales events. In addition, bots adapt quickly, so even if detection worked at the start, the attackers often retool and try to identify ways to bypass defences.

E-tailers can increase their efficacy by understanding their end-to-end e-commerce service delivery chain and analysing each stage for opportunities to detect and mitigate against an attack.

These stages span from when product/s are placed in the shopping cart to when the order is placed to the order confirmation. At each point, e-tailers should have the capability to verify the authenticity of the purchaser and investigate or block their purchase using bot detection and API protection integrated with the backend e-commerce systems. This is known as the e-commerce kill chain.

To mask their entry to an e-commerce site, bot-driven attacks will rotate through different IP addresses that are harvested and sold on the black market. This is effectively the reconnaissance stage which sees the attacker repeatedly try different doors to gain entry. Consequently, many bots go unnoticed at this stage because the e-tailer can't identify the suspect IP address quickly enough to prevent the next stage of the attack.

The use of a captcha as a method to distinguish between bots and humans is commonly employed by retailers. However, it is acknowledged that this approach often falls short and contributes to user frustration. Interestingly, it has been humorously suggested that there may be more captcha solves on traffic lights than the actual number of traffic lights in the world, emphasising the ubiquity and sometimes exasperating nature of these challenges.

In the context of e-commerce, the challenge for retailers is to find a balance between preventing bot activity and ensuring a smooth and frictionless buying process for genuine customers. Some retailers turn to user registration as a means of adding an extra layer of security. However, this strategy has its limitations, as bots can exploit various methods to create accounts, such as farming email addresses or generating fake accounts through keyboard smashing, a process where random characters are used to create fake email addresses.

While monitoring registrations can help identify and mitigate fraudulent activities to some extent, the evolving sophistication of bots requires continuous innovation in security measures. Retailers need to adopt comprehensive strategies that go beyond traditional methods to safeguard against automated threats while minimising any negative impact on the user experience.
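
One way to monitor registrations for keyboard-smash email addresses, as an added example that is not from the article or from any vendor product. The heuristics, thresholds, function names and the sample events are all assumptions constructed for illustration; flagged sign-ups are counted per time window rather than per IP because, as noted above, bots rotate source addresses.

```python
import re
from datetime import datetime

VOWELS = set("aeiou")
QWERTY_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm")

def smash_score(email):
    """Return 0-3; higher means the local part looks like random key presses."""
    local = email.split("@", 1)[0].lower()
    letters = [c for c in local if c.isalpha()]
    if len(letters) < 6:  # too short to judge without flagging real names
        return 0
    vowel_ratio = sum(c in VOWELS for c in letters) / len(letters)
    runs = re.findall(r"[b-df-hj-np-tv-z]+", local)
    longest_run = max((len(r) for r in runs), default=0)
    # Share of character pairs that sit side by side on one keyboard row.
    pairs = list(zip(local, local[1:]))
    adjacent = sum(any(a + b in row or b + a in row for row in QWERTY_ROWS)
                   for a, b in pairs)
    return (vowel_ratio < 0.2) + (longest_run >= 5) + (adjacent / len(pairs) >= 0.4)

def suspicious_windows(events, window_min=10, min_flagged=3):
    """Map window start -> flagged emails, for windows with >= min_flagged hits.

    A single odd address is weak evidence (a real surname can score 1), so a
    sign-up is flagged only at score >= 2 and an alert needs a cluster of them.
    """
    buckets = {}
    for ts, email, _ip in events:  # IP is ignored on purpose: bots rotate it
        if smash_score(email) >= 2:
            t = datetime.fromisoformat(ts)
            start = t.replace(minute=t.minute - t.minute % window_min,
                              second=0, microsecond=0)
            buckets.setdefault(start.isoformat(), []).append(email)
    return {w: e for w, e in buckets.items() if len(e) >= min_flagged}

# Constructed sample registration log: (timestamp, email, source IP).
SAMPLE_EVENTS = [
    ("2024-01-23T09:01:12", "sarah.nguyen@example.com", "192.0.2.10"),
    ("2024-01-23T09:02:40", "asdfghjkl123@example.com", "198.51.100.7"),
    ("2024-01-23T09:03:05", "jdkslfjqwe@example.com", "203.0.113.44"),
    ("2024-01-23T09:04:51", "mark.schwartz@example.com", "192.0.2.11"),
    ("2024-01-23T09:07:19", "qwrtplkjhg@example.net", "198.51.100.90"),
    ("2024-01-23T09:26:00", "zxcvbnmlkj@example.org", "203.0.113.5"),
]

if __name__ == "__main__":
    for window, emails in suspicious_windows(SAMPLE_EVENTS).items():
        print(window, emails)
```

A window that trips the threshold is a cue to step up verification for those sign-ups, not proof of fraud; the thresholds need tuning against an e-tailer's own registration data.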
 
If a bot has managed to evade detection thus far, the product will be added to the online shopping cart. At this point, the e-tailer again could lock the account, effectively buying time to check the legitimacy of the purchase. However, this is likely to frustrate genuine customers, so it makes more sense to ask the user to reauthenticate using two-factor authentication from the supplied email address. If no authentication is made, the cart can be deleted, and it's also possible to prevent the bot from adding the same item to a new cart.

If things have proceeded smoothly up to this point and the bot remains undetected, the order will be placed, and an order confirmation will be issued. But even at this late stage, there is still the opportunity to block the bot. Interrogating the purchase orders using bot defence machine learning to look for anomalies can enable fake orders to be identified, triggering the system to issue an 'order cannot be processed' email.

Taking down automated bot-driven attacks is imperative. The e-commerce kill chain shows how this can be done, provided the e-tailer is able to monitor their site traffic effectively.