Retailers face relentless credential stuffing attacks, typically comprising 80-90 percent of their traffic. In fact, one luxury retailer experienced 99 percent attack traffic on their login page in 2017. Credential stuffing against retail web properties is very lucrative for cybercriminals for two key reasons.
First, retail websites are designed to cause as little friction as possible for customers. Due to the emphasis onuser experience, retailers are reluctant to impose any security measure that could lead a customer to abandon their cart, whether it be two-factor authentication or email confirmations required for account changes.
Second, credential stuffing attackers have benefited from the rise in omnichannel services. One of the biggest opportunities for fraud is the gap between online and offline retail created by omnichannel services. Fraudsters can use hijacked online accounts to more easily monetize previously stolen merchandise from physical storefronts, as well as purchase merchandise online which they then monetize in stores.