Last year, I made five predictions regarding web security for 2021. I predicted stronger cybercrime communities and collaborations between them, which we saw, and I predict we will continue to see this in the coming year. As I forecasted, the increased adoption of GraphQL (a query language for APIs designed by Facebook) has led to more risk. I correctly predicted growing bot attacks on hype sales (a targeted marketing instrument that is used to increase the incentive to buy coveted items), and indeed, this past year saw advanced sophistication and overall growth in attacks and tools built to target these coveted items.
I also forecasted that the DevSecOps function would become mainstream. Though it isn't mainstream yet, trends suggest that it is surely advancing in that direction. Lastly, I speculated that “Buy Online Pickup In-Store” (BOPIS) would become one of the fastest-growing types of fraud activities. Though it is a vehicle for fraud, it wasn't at the level I thought it might be since many e-commerce merchants adopted safer authentication and verification methods to address this risk. Now, let's look at the predictions I have for the coming year.
1. Priority to prevent supply chain attacks will increase
SolarWinds, the software company that primarily deals in systems management tools used by IT professionals, was hacked in December 2020, and it was one of the biggest and most damaging supply chain attacks in recent history. The attack affected up to 18,000 organizations, including Microsoft and the U.S. Government. Nobelium, the hacker group behind the SolarWinds attack, doesn't plan to take a break from hacking anytime soon. In late 2021, CNBC reported that Nobelium has “been attempting to replicate the approach it has used in past attacks by targeting organizations integral to the global IT supply chain.”
The SolarWinds attack reminded us that shoring up software supply chains is critical to ensuring data protection and that no one — not even the government — is guaranteed to be safe. According to a recent survey, 92% of website decision-makers lack complete visibility into their software supply chains. Getting this visibility will be a top priority for companies aiming to protect their users’ data, avoid a major data breach and dodge massive regulatory fines in 2022 and beyond.
2. Over 50% of the largest 100 marketplaces will be hit by custom malware
In June 2021, researchers discovered a 1.2-terabyte database of stolen data. The information was collected from 3.2 million Windows-based computers by custom malware — code designed to cause disruption — that spread via compromised versions of Adobe Photoshop, pirated games, and Windows cracking tools. Included in the database were 6.6 million files, 26 million credentials and 2 billion web login cookies, 400 million of which were still valid at the time of the database’s discovery.
Custom malware is inexpensive and readily available on the dark web. Attack tools are becoming commoditized and expert services are more widely offered by different hacker communities, making custom malware much more accessible and easier to build. Over the last year, I have detected multiple cases of such custom malware targeting my own customers. Because of its low barrier to entry and high potential to yield results, custom malware will become a more popular attack vector in 2022.
3. Digital businesses will focus more attention on addressing the post-login wasteland
Traditional security solutions designed to prevent account takeover (ATO) attacks generally focus on one primary activity: login. They ask for credentials, serve up CAPTCHAs and, where possible, leverage multi-factor authentication (MFA) to verify that the right credentials are being used. Unfortunately, account fraud is not that simple to prevent. Once an account has successfully been accessed, downstream checks often do not exist. I call this the “post-login wasteland.” In 2022, I expect online businesses to adopt solutions that address this issue: establishing that a user is indeed who they say they are, and that their post-login activity is legitimate, will be key to maintaining accounts’ integrity. The key to solving this problem is to analyze user sessions and behaviors more thoroughly and build more accurate profiles of whether users are who they say they are. A solution might recognize anomalous behavior patterns, such as accessing account data directly after login from a new device, to identify possible instances of personally identifiable information (PII) harvesting.
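As an added illustration of the session analysis described above (example code written for this page, not PerimeterX's product or the author's own code), the following Python scores each post-login session with three heuristics: login from a device never seen on that account, a read of account data within seconds of authentication, and a sweep across several distinct PII views. The action names, device identifiers, weights, threshold and log lines are all constructed assumptions; map them to your own application's endpoints and session records.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Set

# Actions that read personally identifiable information (hypothetical names).
PII_ACTIONS = {"view_profile", "view_payment_methods", "view_addresses", "export_data"}
# Score at which a session is reported as possible PII harvesting (assumption).
FLAG_THRESHOLD = 4


@dataclass
class Event:
    user: str
    device: str
    action: str
    ts: datetime


@dataclass
class Finding:
    user: str
    device: str
    score: int
    reasons: List[str]

    @property
    def flagged(self) -> bool:
        return self.score >= FLAG_THRESHOLD


def score_session(events: List[Event], known_devices: Dict[str, Set[str]],
                  window: timedelta = timedelta(seconds=60)) -> Finding:
    """Score one session: events sorted by time, the first one a login.

    Each heuristic adds to the score and records a reason an analyst can review.
    Weights and the 60 s window are assumptions chosen for this example.
    """
    login = events[0]
    if login.action != "login":
        raise ValueError("session must start with a login event")
    score, reasons = 0, []

    # 1. Device never seen for this account before.
    if login.device not in known_devices.get(login.user, set()):
        score += 2
        reasons.append("login from previously unseen device")

    # 2. Account data read almost immediately after authentication.
    pii_events = [e for e in events[1:] if e.action in PII_ACTIONS]
    if pii_events and (pii_events[0].ts - login.ts) <= window:
        delay = int((pii_events[0].ts - login.ts).total_seconds())
        score += 2
        reasons.append(f"PII read {delay}s after login")

    # 3. Sweep across several different PII views in one session.
    distinct = {e.action for e in pii_events}
    if len(distinct) >= 3:
        score += 1
        reasons.append(f"{len(distinct)} distinct PII views in one session")

    return Finding(login.user, login.device, score, reasons)


def split_sessions(events: List[Event]) -> List[List[Event]]:
    """Order events by time and start a new per-user session at every login."""
    sessions: List[List[Event]] = []
    current: Dict[str, List[Event]] = {}
    for e in sorted(events, key=lambda ev: ev.ts):
        if e.action == "login":
            current[e.user] = [e]
            sessions.append(current[e.user])
        elif e.user in current:
            current[e.user].append(e)
    return sessions


def analyze_log(events: List[Event], known_devices: Dict[str, Set[str]]) -> List[Finding]:
    return [score_session(s, known_devices) for s in split_sessions(events)]


def _t(s: str) -> datetime:
    return datetime.fromisoformat(s)


# Constructed sample log (not real data): alice's laptop and bob's phone are known.
KNOWN_DEVICES = {"alice": {"d-alice-laptop"}, "bob": {"d-bob-phone"}}
SAMPLE_EVENTS = [
    # alice, known device, ordinary shopping; profile viewed ten minutes in -> score 0
    Event("alice", "d-alice-laptop", "login", _t("2022-01-10T09:00:00")),
    Event("alice", "d-alice-laptop", "browse", _t("2022-01-10T09:02:30")),
    Event("alice", "d-alice-laptop", "add_to_cart", _t("2022-01-10T09:05:00")),
    Event("alice", "d-alice-laptop", "view_profile", _t("2022-01-10T09:10:00")),
    # bob, new tablet but normal behaviour: only the device signal fires -> score 2
    Event("bob", "d-bob-tablet", "login", _t("2022-01-10T09:30:00")),
    Event("bob", "d-bob-tablet", "browse", _t("2022-01-10T09:31:00")),
    Event("bob", "d-bob-tablet", "checkout", _t("2022-01-10T09:40:00")),
    # alice again, unseen device, straight through every PII page -> score 5, flagged
    Event("alice", "d-unknown-7", "login", _t("2022-01-10T12:00:00")),
    Event("alice", "d-unknown-7", "view_profile", _t("2022-01-10T12:00:04")),
    Event("alice", "d-unknown-7", "view_payment_methods", _t("2022-01-10T12:00:09")),
    Event("alice", "d-unknown-7", "view_addresses", _t("2022-01-10T12:00:13")),
    Event("alice", "d-unknown-7", "export_data", _t("2022-01-10T12:00:20")),
]

if __name__ == "__main__":
    for f in analyze_log(SAMPLE_EVENTS, KNOWN_DEVICES):
        verdict = "FLAG" if f.flagged else "ok"
        print(f"{verdict:4} user={f.user} device={f.device} score={f.score} {'; '.join(f.reasons)}")
```

The point of the additive score is that a single signal (a new device, which bob's normal session triggers) is not enough on its own; it is the combination of an unseen device, near-instant access to account data and a sweep across several PII views that separates alice's second session from routine use. In production the known-device set would come from a device-binding or fingerprinting store, and the reasons list would travel with the alert so a reviewer sees why the session was escalated.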
4. Fraud will have a material impact on the earnings per share (EPS) of a public company
Recent research has shown that bots can negatively impact 75% to 80% of operational costs for online retailers, which translates to between 18% and 23% of net revenue. When fraud begins to impact earnings per share, it will act as a wake-up call for businesses to become more proactive in implementing protective software solutions. This goes beyond payment fraud: fraud can take the form of transferring funds, emptying gift cards, and opening new credit applications. In 2022, businesses will come to recognize fraud at every entry point along the digital journey and will adopt solutions that can mitigate this risk.
5. At least one large retailer will abandon user/password verification and transition to password-less or device-based authentication
The 2021 Verizon Data Breach Investigations Report (DBIR) found that 61% of this year’s data breaches involved credential data. Moreover, fraudsters no longer have to go to great lengths to get them. There are a variety of easy ways to obtain usernames, passwords, and other personal information. Bad actors can purchase billions of credentials for as little as $2 and test them in automated credential stuffing attacks. This means it is now a greater priority to prevent not only the theft of credentials but also their validation and fraudulent use.
Many enterprises have already enabled identity management solutions, single sign-on and password-less verification to make credentials obsolete. After all, bad actors cannot steal your password if you do not have one. I predict that in 2022, a few consumer-based businesses will begin to follow suit and eliminate the need for credentials altogether by adopting stronger solutions that do not solely rely on credentials.
Looking ahead to 2022
To sum up, 2022 will be the year that security and business leaders will recognize just how varied fraud is. Digital businesses will go beyond the granular focus on one type of attack versus another and instead ensure that the integrity of their customers’ accounts and identities is protected at every stage of their online journey. This means adopting platforms that continuously learn and evolve in real time to detect and stop the abuse of identity and account information on the web. Enabling comprehensive account protection will be the only way to fight fraud on all fronts.
Written by Ido Safruti, Co-Founder and CTO, PerimeterX