Requiring shoppers to log into a retailer’s e-commerce site with a user name and password isn’t enough to guarantee that consumers’ stored personal information stored will be safe from criminals, says Julie Conroy, research director at business, technology and financial services research firm Aite Group LLC.
While Payment Card Industry (PCI) Data Security Standards—a set of rules created by payment card networks to protect cardholder data—have reduced fraud by requiring retailers to encrypt any payment card data they hold, criminals have begun turning to an easier information target: account log-ins, she says.
“It is easier for criminals to breach user names and passwords than card data because of PCI,” she says. “PCI hasn’t required anything to encrypt the log-in credentials—those are valuable.”
A criminal that obtains a shopper’s user name and password can use it to sign onto her account at a retailer’s site and make phony purchases. He may also be able to obtain other informationsuch as addresses and phone numbers, and possibly change account data, such as a shipping address, so that parcels are delivered to the criminal. Plus, the user name/password combination might work at other e-commerce sites. “A lot of consumers use the same credentials across all their online relationships,” Conroy says.
Every retailer should consider themselves a target, Conroy says. “Just as we see from a scamming perspective that the bad guys go after the big merchants and the small merchants, database breach is the same,” she says.
For example, she points to the recent account takeover attack on daily-deal operator LivingSocial, which in April compromised 50 million user credentials, including names, e-mail addresses, date of birth and some passwords, the retailer says. Because some shoppers use the same credentials at other sites, those types of takeovers can put other retailers at risk.
To prevent this type of fraud, retailers need to treat log-in credentials like other sensitive payment information by encrypting them and adding further layers of security, Conroy says. For example, merchants can use device fingerprinting—data that identify individual PCs, phones or tablets—to verify a user’s identity.
Behavioral pattern recognition is another effective way to screen web site visitors at the log-in stage, Conroy says. That technology tracks a site visitor’s activities and determines if it seems suspicious—for example, if the user name and password are entered faster than a human could reasonably type or if the clicks around the site are particularly erratic and nonsensical before the user tries to log in, she says.
“Basically the user name-password combination is useless as an authentication mechanism now,” she says.