For entrepreneurs and business managers, the world is their oyster. Unfortunately, however, risks abound. Businesses big and small now need to take cybersecurity threats seriously. This is true even for brick-and-mortar businesses. Whether you sell online or in-person, more and more data is being stored online and hackers are now gunning to steal as much of it as they can. Enumeration attacks, in particular, have emerged as a grave threat.
We’ll take a closer look at what these attacks are, why merchants need to watch out for them, and also what you can do to protect your organization. Cyber attacks can damage brands, drive up fraud and chargebacks, and may result in fines, legal complications, and other headaches. When it comes to cybersecurity, fraud, and chargebacks, prevention is typically the best approach.
What Are Enumeration Attacks?
Enumeration attacks are a type of brute force attack. When you think of hackers, your mind might first conjure up brilliant individuals writing complex code and software that can infiltrate security systems and tear them apart from the inside. Certainly, these hackers exist, but often cybercriminals use more basic techniques.
With an enumeration attack, which is also referred to as credential stuffing, hackers simply use trial and error to test out login credentials and other bits of data. A 2021 study by Verizon found that over 60% of data breaches involved credential data.
Hackers often target user login pages and password reset pages. Indeed, Verizon also found that 95% of organizations reported between 637 and 3.3 billion malicious login attempts per year. Some criminals are also using enumeration attacks to target credit card CVVs and other payment details. If a criminal can guess the right password or Card Verification Value, they may be able to make unauthorized purchases or conduct other types of criminal activity.
Automation Can Fuel Fraud
Enumeration attacks may sound like hard work, but these days, it’s relatively easy to code a “bot” or software program that will carry out the attacks automatically. Plugging in random email addresses and passwords manually takes a long time and might not be profitable for the hackers. Yet just as automation software is streamlining various business processes, automated tools can do the tedious work for hackers.
Bots can be sent to login pages for online shopping websites where they’ll try various passwords and email addresses. Sometimes the attacks are completely random. Other times, hackers find lists of potential passwords and email addresses for sale on the so-called dark web. If a hacker gets a list of customer user names for a particular merchant, for example, they can set up a bot to plug in those usernames and try commonly used passwords. Even if only 1 in a thousand attempts works, it could quickly turn out profitable for the hacker.
Besides targeting end users, hackers may also try to brute force their way into employee login systems. Once inside your internal systems, they may be able to steal sensitive data (e.g. customer credit cards).
Why Merchants Should Care
Enumeration attacks can cause myriad issues. We’ve outlined some of the most serious threats below, but this list isn’t exhaustive.
- Brand damage: Bad publicity and not protecting consumers may lead to people avoiding your business.
- Chargebacks: If hackers use stolen payment data, businesses could end up hit with chargebacks. This will result in lost revenues, chargeback fees, and potentially lost inventory.
- Stolen money: In some cases, brute force attacks allow hackers to access money more directly. Stolen company data could lead to hackers raiding your organization’s financial accounts, for example.
- Expensive litigation: Organizations that fail to protect data could be dragged into court. Some class action lawsuits have resulted in huge settlements with government authorities and consumers.
How Merchants Can Counter Enumeration Attacks and Fraud
A strong approach to cybersecurity can go a long way for companies and organizations of any size. We’ve outlined some tips below.
Multi-Factor Identification
These days, passwords aren’t enough. Users are often lax about protecting them and may pick easy-to-guess credentials. Multi-factor identification requires the user to submit their password and to use another form of identification. They might be e-mailed a code which they then have to plug into a form online, for example. So even if hackers uncover a password, if they don’t have access to the user’s e-mail, they won’t be able to log in.
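As an added illustration (not code from the article), this is how the e-mailed one-time code described above can be issued and checked on the server side. The five-minute lifetime, the five-guess budget and the in-memory store are assumptions.

```python
import hashlib, hmac, secrets, time

CODE_TTL_SECONDS = 300     # assumed policy: a code is valid for five minutes
MAX_VERIFY_ATTEMPTS = 5    # assumed policy: a few wrong guesses void the code

_pending = {}   # user id -> pending code record (a real service uses a database)

def issue_code(user_id, now=None):
    """Create a six-digit one-time code and return it for the caller to e-mail.
    Only a hash is kept server-side; the attempt cap, not the hash, is what
    stops someone guessing a six-digit value."""
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(10**6):06d}"        # uniform over 000000-999999
    _pending[user_id] = {
        "digest": hashlib.sha256(code.encode()).digest(),
        "expires": now + CODE_TTL_SECONDS,
        "attempts": 0,
    }
    return code

def verify_code(user_id, submitted, now=None):
    """Return True only for the current, unexpired code. Every wrong guess
    counts; an expired, used or exhausted code is discarded and must be reissued."""
    now = time.time() if now is None else now
    entry = _pending.get(user_id)
    if entry is None or now > entry["expires"]:
        _pending.pop(user_id, None)
        return False
    entry["attempts"] += 1
    ok = hmac.compare_digest(entry["digest"],
                             hashlib.sha256(submitted.encode()).digest())
    if ok or entry["attempts"] >= MAX_VERIFY_ATTEMPTS:
        del _pending[user_id]        # one-time use, or guess budget spent
    return ok
```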
Ensure Your Payment Gateway Supports 3D Secure
Payment gateways that support 3D Secure will require users to take an additional step to prove their identity. When users go to check out, they will be prompted to provide their Verified by Visa or MasterCard SecureCode. In some jurisdictions, authorities have been pushing for strong customer identification, which includes 3D Secure.
Use Captcha and Other Bot Protections
CAPTCHA tests can stop bots. CAPTCHA will require users to perform simple tasks, like identifying pictures, to prove that they are human. Simple bots struggle with such tasks. If bots can be stopped, enumeration attacks can be stopped. Unfortunately, AI may reduce the effectiveness of simple CAPTCHA systems, but cybersecurity experts are working to stay ahead with more advanced tests and other measures.
Monitor Transactions
It’s smart to keep an eye on transactions to watch for unusual patterns. You might see rising chargebacks, for example, which could suggest rampant fraud. You can also set up alerts for multiple failed login attempts and then force cool-down periods in which users must wait before trying to log back in.
Rate Limiting
You can limit how many transactions can be placed for a particular IP address within a given time frame. You might also monitor for suspicious IP addresses, such as addresses associated with VPNs or international IP addresses.
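An added example, not from the article, that implements both the failed-login alert with a cool-down period described under Monitor Transactions and the per-IP limit within a time frame described under Rate Limiting, replayed over a constructed log sample. The thresholds, window and cool-down length are assumed values.

```python
from collections import defaultdict, deque

# Assumed policy values (not from the article); tune them to your traffic.
MAX_FAILURES_PER_ACCOUNT = 5   # failed logins per account inside the window
MAX_ATTEMPTS_PER_IP = 20       # login attempts of any outcome per source IP
WINDOW_SECONDS = 300           # sliding window length
COOLDOWN_SECONDS = 900         # forced wait once a threshold is crossed

class LoginGuard:
    """Sliding-window counters per account and per IP with a cool-down."""
    def __init__(self):
        self.failures = defaultdict(deque)   # account -> failure timestamps
        self.attempts = defaultdict(deque)   # ip -> timestamps of all attempts
        self.locked_until = {}               # (kind, id) -> end of cool-down

    @staticmethod
    def _trim(q, now):                       # drop events outside the window
        while q and now - q[0] > WINDOW_SECONDS:
            q.popleft()

    def check(self, ts, ip, account, success):
        """Record one attempt; return 'allow', 'locked_account' or 'locked_ip'."""
        for key in (("account", account), ("ip", ip)):
            if self.locked_until.get(key, 0) > ts:
                return "locked_" + key[0]      # still inside the cool-down
        self.attempts[ip].append(ts)
        self._trim(self.attempts[ip], ts)
        if len(self.attempts[ip]) > MAX_ATTEMPTS_PER_IP:
            self.locked_until[("ip", ip)] = ts + COOLDOWN_SECONDS
            return "locked_ip"
        if not success:
            self.failures[account].append(ts)
            self._trim(self.failures[account], ts)
            if len(self.failures[account]) >= MAX_FAILURES_PER_ACCOUNT:
                self.locked_until[("account", account)] = ts + COOLDOWN_SECONDS
                return "locked_account"        # alert-worthy event
        return "allow"

def replay(log_lines):
    """Run lines of the form 'ts ip account ok|fail' through one guard."""
    guard, decisions = LoginGuard(), []
    for line in log_lines:
        ts, ip, account, result = line.split()
        decisions.append(guard.check(float(ts), ip, account, result == "ok"))
    return decisions

SAMPLE_LOG = [f"{100 + i} 203.0.113.7 alice fail" for i in range(5)] + [
    "105 198.51.100.9 alice ok",    # right password, but account still locked
    "1100 198.51.100.9 alice ok",   # cool-down has ended
]  # constructed sample, not real traffic; the fifth failure triggers the lock
```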
Use Tokenization
Tokenization replaces a piece of data, say a credit card number, with a substitute value, or token. This obfuscates sensitive data, making it harder to steal. That said, hackers have been working on ways to crack tokenization, including with brute force methods.
Educate Your Staff and Users
A strong cybersecurity culture will make it more likely that staff will notice suspicious activity. For example, teaching both employees and users the importance of strong passwords can protect against brute force attacks. You can require long passwords with multiple letters, numbers, and symbols, and use tools that block easy-to-guess passwords.
Fighting Cybercrime and Fraud Is Now a Necessity
Brute force attacks can lead to chargebacks, fines, and other costs. Phishing campaigns can also be used to steal login credentials, no brute force needed. Stolen credit cards, either physical or digital, can be used to make unauthorized purchases, thus producing chargebacks and other headaches. There are many different threats merchants should be aware of. Fortunately, the right tools and protocols can make it easier to fight crime, chargebacks, and more.