Hackers trying to maliciously access customer accounts are responsible for the vast majority of login attempts with online retailers, a shocking new report has revealed.
Security experts discovered 90 per cent of login attempts on e-commerce sites are from cyber criminals attempting to access customers’ account and payment details.
Banks (58 per cent) and airlines (60 per cent) are also highly targeted by hackers.
Cyber criminals attempt to gain access to online accounts by flooding login pages with email addresses and passwords leaked in previous data breaches – a practice known as ‘credential stuffing’.
Those who use the same combination of email address and password across multiple online services are likely to fall victim to this type of attack.
The US consumer banking industry alone faces nearly £38.4 million ($50 million) per day in potential losses from such credential stuffing attacks, says Shape, the Mountain View, California-based firm that conducted the research.
According to the report, frequent flyer mile systems are also targeted, as these often aren’t afforded the same sophisticated protection as financial accounts.
Criminals are using usernames and passwords stolen in previous online hacks and sold on the dark web to attempt to gain access to the online accounts.
This technique is known as ‘credential stuffing’ and can be successful up to three per cent of the time, the researchers claim.
The e-commerce sector spends around £4.6bn ($6bn) a year on such fraud payments, with the hotel and airline businesses suffering losses too.
According to Shape, the US consumer banking industry alone faces nearly £38.4 million ($50 million) per day in potential losses from these attacks.
After taking into account fraud prevention, actual losses are estimated to be £3.8 million ($5 million) per day, or around £1.3bn ($1.7bn) per year.
Hackers who gain access to customer accounts often purchase gift cards and electronic gadgets.
According to Shape, hackers will also use stolen credentials to break into online grocery accounts to buy high-priced cheese and then resell it to restaurants for cash, with the £153 per pound ($200 per pound) Wyke Farms cheddar a popular choice.
WHAT IS CREDENTIAL STUFFING AND HOW DOES IT PUT YOUR ONLINE ACCOUNTS AT RISK?
Hackers can obtain breached credentials, like usernames and passwords, on the Dark Web – often for free.
Most people reuse the same credentials for multiple accounts they hold online, which means that once one account is breached, others may be vulnerable.
Cyber criminals can use software tools to test combinations of credentials in a highly automated bulk effort.
Successful logins allow them to take advantage of services, stored credit card numbers and other personal information.
The best defence against this type of attack is to use a unique password for each site you have an account with.
There are various password management applications that can help you to keep track of all of these details in a secure manner.
You can also check whether any of your accounts have been breached using the website Have I Been Pwned.
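From the site operator's side, the bulk testing described above leaves a recognisable trace in login logs: one source touching many different accounts with very few successes. The sketch below is an added example, not code from Shape or its report; the event format, the addresses, the function names and the thresholds are all assumptions made for illustration.

```python
from collections import defaultdict

def build_sample_events():
    """Constructed login events: (epoch_seconds, source_ip, username, success)."""
    events = []
    # One source tries 100 different accounts once each; two logins succeed.
    for i in range(100):
        events.append((1000 + i, "203.0.113.7", f"user{i}@example.com", i in (17, 64)))
    # An ordinary customer mistypes a password, then gets in.
    events.append((1010, "198.51.100.20", "alice@example.com", False))
    events.append((1025, "198.51.100.20", "alice@example.com", True))
    # A shared office address: many users, but almost all logins succeed.
    for i in range(12):
        events.append((1030 + i, "192.0.2.50", f"staff{i}@example.com", i != 3))
    return events

def find_stuffing_sources(events, window=300, min_accounts=10, max_success_rate=0.10):
    """Flag sources that hit many distinct accounts in `window` seconds with few successes.

    The thresholds are assumptions for this example and need tuning per site.
    """
    by_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        by_ip[ip].append((ts, user, ok))
    flagged = {}
    for ip, rows in by_ip.items():
        rows.sort()
        start = 0
        for end in range(len(rows)):
            # Slide the window start forward until it spans at most `window` seconds.
            while rows[end][0] - rows[start][0] > window:
                start += 1
            chunk = rows[start:end + 1]
            accounts = {user for _, user, _ in chunk}
            hits = sorted(user for _, user, ok in chunk if ok)
            rate = len(hits) / len(chunk)
            if len(accounts) < min_accounts or rate > max_success_rate:
                continue
            # Keep the widest suspicious window seen for this source.
            if ip not in flagged or len(accounts) > flagged[ip]["accounts"]:
                flagged[ip] = {"accounts": len(accounts), "attempts": len(chunk),
                               "success_rate": rate, "accounts_to_reset": hits}
    return flagged

if __name__ == "__main__":
    for ip, stats in find_stuffing_sources(build_sample_events()).items():
        print(ip, stats)
```

The accounts listed under `accounts_to_reset` are the ones where a reused password worked, so they are the ones that need a forced password change.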
Shape says that frequent flyer miles or similar schemes are not protected with security measures as sophisticated as financial accounts, which is costing businesses a combined £540 million ($700 million) every year.
Once obtained, the airline miles are often sold to shady brokers who buy award points from hotels and airlines.
After transferring the loyalty points to the broker, the thief is then paid via PayPal, according to Shape.
The brokers then sell these on to travel agencies, who use them to offer discounted business and first class tickets.
‘Criminals harvest usernames and passwords from data breaches and test them on every website and mobile app imaginable,’ Shape said in its report.
Shape was co-founded by ex-Pentagon employees and security contractors. Data spills are commonplace, with 51 reported last year. At a rate of one a week, that means 2.3 billion credentials were compromised over the course of a year.
Some of the most high-profile data spills took place at Equifax and Yahoo, however, other sites, including a Lady Gaga fan page, were also exploited.
The report also found pornography and adult websites reported no security breaches, but it is possible they have simply not been reported yet.
According to the report, it can take up to 15 months for an intrusion to be discovered. It adds that while cyber-security may be improving, the total number of breaches has remained stable since 2016.
As well as fewer data spills taking place, they are becoming smaller in size and exposing the information of fewer people, experts say.
To help avoid falling victim to such schemes, people are urged to follow simple password guidelines that include mixing up passwords and changing them regularly.
WHAT ARE THE MOST COMMON PASSWORDS OF 2017?
A recent survey has unearthed the most common passwords and what people are most likely to use.
They found a trend, with certain things emerging as the most common passwords.
People have a tendency to find password inspiration from their love life, common brands, pop culture and even Champions League football teams.