Bad bots, credential stuffing and denial of service attacks are among the security threats retailers can expect to face during the busy holiday season. Here are some tips on how to protect your customers and your online business from cyber threats.

Renny Shen, director of product marketing, Akamai

The growth and evolution of the World Wide Web over the past 30 years has been a boon for retailers—offering unrivaled convenience and now, in the age of AI, endless opportunities for targeted communications and personalized marketing.

With all of this, however, comes great security risk. A whopping 50 percent of U.S. retailers reported being breached in the past year, and 75 percent of U.S. retailers have fallen victim to at least one breach in the past.

Aside from the financial fallout and brand damage to retailers’ themselves, shoppers can also pay the price—from personal or financial data being leaked to a poor web or mobile app shopping experience—if cybersecurity threats are not properly managed.

From May to December 2018 hackers leveraged bots to conduct credential abuse attacks against retail sites more than 10 billion times.

Let’s explore some of the biggest cyber threats to retailers and their shoppers this holiday season, and critical steps retailers can take to combat these threats while optimizing the shopper experience.


Beware the bots

The term “bot” covers a wide range of types and uses, good and bad. Starting with the good, many retailers rely on bots to optimize internet search engines so that they rank “above” competitors when consumers search for a particular product, e.g. “men’s brown leather dress shoes” or “women’s trail running sneakers.”

On the other hand, credential stuffing is one use case for bots that involves malicious activity. Here, attackers employ botnets to attempt to log into a target site—by leveraging stolen login credentials—in order to assume an identity, gather critical customer data and/or make fraudulent transactions.

Separating the good bots from the bad becomes increasingly difficult amid peak traffic periods, like the holiday season. Data from May to December 2018 shows that hackers leveraged bots to conduct credential abuse attacks against retail sites more than 10 billion times, making retail the most targeted segment at that time. A

Additionally, hackers made 30 billion attempts last year to log into sites using stolen usernames and passwords. Credential stuffing attacks are doubly damaging to retailers because they can result in site downtime as IT teams deal with the issue, or long-term reputational damage if user data is in fact stolen and their payment information is used to make fraudulent charges.

It’s critical that retailers develop a smart method to monitor, identify and block malicious bot activity. Detection and mitigation tools, along with skilling up website and application teams with an eye toward security are absolutely imperative, especially during peak traffic moments.


DDoS damage

A distributed denial-of-service attack, or DDoS attack, is an attempt to overwhelm a website with traffic from multiple sources—sometimes from hundreds or thousands of devices across the internet—in order to render it unavailable to users. Given that the overall goal of a DDoS attacker is to create an outage or slowdown of a website, web application, web API or network, DDoS attacks have become more frequent in the retail space over the years as brands increasingly move more applications and business processes online.

The consequences of a DDoS attack can be significant for retailers, especially when you consider that   its purpose is to cause downtime for minutes, hours or days—ultimately preventing legitimate users from buying products, using a service or getting information from a retailer’s site. It’s also important for retailers to keep in mind that DDoS attacks often ramp up in December, during the holiday shopping rush when retailers make the most revenue, in order to cause the greatest amount of harm.

To mitigate DDoS threats and attacks, retailers should look to adopt cloud-based solutions that offer built-in scalability and global reach to defend against most common types of DDoS attacks. They should also consider adding a defense layer that protects the Domain Name Server from being overloaded and compromised by DDoS attacks, which allows websites to stay “live” and available to consumers without rerouting traffic or impacting performance.

The people problem

Retailers who want to shore up their business from a cyber incident should also focus on taking active steps to address the issues related to their customers’ passwords and other stored data. This starts with protecting login pages from credential stuffing attacks. However, recognize that fraudsters perform credential stuffing attacks because they work, and the problem will not go away until users change their own behavior.

Retailers should consider offering password strength assessments and/or require multi-factor authentication for shoppers when they are signing up for a new account on their website or mobile app. Unfortunately, creating and updating strong passwords is ultimately up to shoppers themselves, but ongoing guidance and education can go a long way in preventing a cyber incident.


Additionally, retailers should look for tools that give them the ability to centrally store and protect customer data across their web and mobile properties, and monitor and block suspicious activity. Customer identity and access management solutions allow retailers to focus on using customer data to positively impact the user experience, such as sending out promotions to users on their birthdays or offering discounts on items that shoppers’ have left in their shopping cart for more than 24 hours. However, retailers should ensure that it comes with robust data protection capabilities.

The cost of neglecting security management during the holidays can be disastrous for some retailers and irreparable for others. As the threat landscape continues to evolve, these are just a few of the top threats and strategies retailers must keep in mind when it comes to securing their sites and apps this holiday season. Threats and online traffic will spike as we get closer to the holidays, putting retailers and their shoppers at risk.

However, placing a focus on managing bots, DDoS attacks and shoppers’ login credentials and personal data put retailers in a better position to identify and mitigate malicious activity before it impacts their site visitors.

Akamai Technologies provides content delivery network services to 345 of the 1,000 leading online retailers in North America as ranked In the Internet Retailer 2019 Top 1000.