<?xml version="1.0" encoding="utf-8"?>
<feed xmlns="http://www.w3.org/2005/Atom"><title>Peakhour.IO - Fraud Prevention</title><link href="https://www.peakhour.io/" rel="alternate"></link><link href="https://www.peakhour.io/feeds/tag/fraud-prevention.atom.xml" rel="self"></link><id>https://www.peakhour.io/</id><updated>2026-06-19T00:00:00+10:00</updated><entry><title>API Protection and Account Protection Are One Request-Path Problem</title><link href="https://www.peakhour.io/blog/api-protection-account-protection-request-path/" rel="alternate"></link><published>2026-06-19T00:00:00+10:00</published><updated>2026-06-19T00:00:00+10:00</updated><author><name>AC</name></author><id>tag:www.peakhour.io,2026-06-19:/blog/api-protection-account-protection-request-path/</id><summary type="html">&lt;p&gt;Account protection does not stop at the login form. The same request path carries API, bot, rate, token, and account-risk evidence, and that is where the decision needs to happen.&lt;/p&gt;</summary><content type="html">&lt;p&gt;Account protection is often discussed as if it belongs to the login page. That made sense when most account abuse looked like someone submitting a username and password into a web form.&lt;/p&gt;
&lt;p&gt;That is not how modern account journeys work.&lt;/p&gt;
&lt;p&gt;A customer signs in through a browser, a mobile app, a partner integration, a password reset flow, a token refresh endpoint, a profile update request, a checkout API, and sometimes a service-to-service call that exists nowhere in the visible front end. The account is not protected by one screen. It is protected, or exposed, by the whole request path.&lt;/p&gt;
&lt;p&gt;That is why &lt;a href="/products/api-security/"&gt;API security&lt;/a&gt; and account protection should not be treated as separate operating problems. The API route, the identity context, the client evidence, the rate pattern, the token behaviour, the bot signal, and the account action all arrive together. Splitting those signals across disconnected tools makes the final decision weaker.&lt;/p&gt;
&lt;h2&gt;The Login Is Only the Start&lt;/h2&gt;
&lt;p&gt;Credential stuffing is the obvious example. Attackers test leaked credentials against login endpoints, but the useful outcome is rarely the login itself. The value comes after the session opens.&lt;/p&gt;
&lt;p&gt;They try to change the email address. They add a shipping address. They reset a password. They check stored cards. They redeem loyalty value. They place an order. They call account APIs that were built for the real customer journey and then abuse them in a different sequence.&lt;/p&gt;
&lt;p&gt;If the login defence is separate from the API defence, the organisation may see only fragments:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;A spike in failed logins in one dashboard.&lt;/li&gt;
&lt;li&gt;A suspicious token refresh pattern somewhere else.&lt;/li&gt;
&lt;li&gt;A burst of profile-change requests in application logs.&lt;/li&gt;
&lt;li&gt;A fraud case after checkout.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;Each of those is useful. None is the full story.&lt;/p&gt;
&lt;p&gt;The better model is to keep the decision close to the request. A request to &lt;code&gt;/login&lt;/code&gt; is different from a request to &lt;code&gt;/account/email&lt;/code&gt;, &lt;code&gt;/checkout/payment&lt;/code&gt;, or &lt;code&gt;/api/token/refresh&lt;/code&gt;. The route matters. So does the method, the session state, the previous failures, the network, the client evidence, and the account action being attempted.&lt;/p&gt;
&lt;h2&gt;APIs Carry Account Risk&lt;/h2&gt;
&lt;p&gt;APIs are not just developer plumbing. They are where many account journeys now happen.&lt;/p&gt;
&lt;p&gt;Mobile apps use APIs for login, registration, password reset, saved addresses, payment methods, and checkout. Single-page applications call APIs behind browser journeys. Partner systems may call account or order APIs directly. Internal services may use API keys or service credentials that function like non-human accounts.&lt;/p&gt;
&lt;p&gt;That creates a practical issue: account protection must cover both human and non-human identity paths.&lt;/p&gt;
&lt;p&gt;OAuth, JWTs, API keys, refresh tokens, and service credentials all need lifecycle control, least-privilege access, rotation, validation, and monitoring. But those controls are still not enough if the protected API cannot see whether the request is behaving like abuse.&lt;/p&gt;
&lt;p&gt;A valid token can be stolen. A valid API key can be overused. A real session can be driven by automation. A known customer can suddenly perform a high-risk action from a first-seen client through proxy infrastructure.&lt;/p&gt;
&lt;p&gt;The request has to be judged in context.&lt;/p&gt;
&lt;h2&gt;Rate Limiting Has to Follow Business Logic&lt;/h2&gt;
&lt;p&gt;Basic rate limiting often starts with an IP address. That is an understandable first step, but it is not enough for account protection. Attackers rotate through proxy networks. Legitimate users may share a carrier or office IP. Some attacks are low and slow enough that no single IP looks exceptional.&lt;/p&gt;
&lt;p&gt;For account journeys, rate limiting needs to be tied to the thing being protected.&lt;/p&gt;
&lt;p&gt;Login attempts can be counted differently from password resets. Token refreshes can be counted differently from product searches. A failed authentication response can be treated differently from a normal read request. A route hit by a first-seen client can be treated differently from one used by a known browser session.&lt;/p&gt;
&lt;p&gt;That is the point of &lt;a href="/solutions/api-protection/"&gt;API protection&lt;/a&gt; as an operating layer, not just an API inventory exercise. The route, schema, authentication state, bot signal, and rate key should be available to the same decision. Otherwise teams end up writing compensating rules in several systems and hoping the gaps line up.&lt;/p&gt;
&lt;h2&gt;The Edge Decision Needs Options&lt;/h2&gt;
&lt;p&gt;Not every suspicious request should be blocked. Some should be logged. Some should be rate limited. Some should be challenged. Some should be allowed because the business impact of a false positive is worse than the risk presented by that specific request.&lt;/p&gt;
&lt;p&gt;Account protection is strongest when the action matches the journey.&lt;/p&gt;
&lt;p&gt;A login request with weak risk signals might be allowed but watched. A password reset request with stronger signals might require step-up. A checkout attempt from a newly compromised session might be blocked or reviewed. A partner API key exceeding expected usage might be throttled without affecting normal customers.&lt;/p&gt;
&lt;p&gt;Peakhour's position here is simple: API, bot, WAF, rate, and account controls work better when they share request evidence. That can run on Peakhour Edge, or it can sit beside the CDN and cloud edge already in place through &lt;a href="/solutions/bring-your-own-edge/"&gt;bring your own edge&lt;/a&gt;. The important part is not the label on the component. It is whether the request path has enough context to make the right decision.&lt;/p&gt;
&lt;h2&gt;Account Protection Is a Journey Control&lt;/h2&gt;
&lt;p&gt;A useful account protection programme should be able to answer operational questions.&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Which routes are involved in account takeover attempts?&lt;/li&gt;
&lt;li&gt;Which sessions moved from suspicious login behaviour into account changes?&lt;/li&gt;
&lt;li&gt;Which tokens or API keys are behaving outside their expected pattern?&lt;/li&gt;
&lt;li&gt;Which controls created friction, and where?&lt;/li&gt;
&lt;li&gt;Which blocked requests actually protected account, checkout, or recovery actions?&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;Those questions cannot be answered from a login form alone. They require API visibility, account-event context, rate data, bot signals, and reviewable evidence.&lt;/p&gt;
&lt;p&gt;That is the thesis of this series: API protection and account protection are one request-path problem. The account is compromised through a sequence of requests. The defence needs to see that sequence early enough to act.&lt;/p&gt;
&lt;p&gt;For teams already working on &lt;a href="/solutions/use-case/prevent-account-takeovers/"&gt;account takeover prevention&lt;/a&gt;, the next step is not simply adding another login prompt. It is connecting the account journey to the API routes that now carry it.&lt;/p&gt;</content><category term="API Security"></category><category term="API Security"></category><category term="Account Protection"></category><category term="Bot Management"></category><category term="Rate Limiting"></category><category term="Threat Detection"></category><category term="Fraud Prevention"></category></entry><entry><title>The Real Cost of Breached Credentials</title><link href="https://www.peakhour.io/blog/cost-of-breached-credentials/" rel="alternate"></link><published>2026-06-19T00:00:00+10:00</published><updated>2026-06-19T00:00:00+10:00</updated><author><name>AC</name></author><id>tag:www.peakhour.io,2026-06-19:/blog/cost-of-breached-credentials/</id><summary type="html">&lt;p&gt;Breached credentials keep creating cost after the original breach. They feed credential stuffing, account takeover, fraud, support, and reputation costs across login, recovery, checkout, and API flows.&lt;/p&gt;</summary><content type="html">&lt;p&gt;The cost of breached credentials is usually counted in the wrong place.&lt;/p&gt;
&lt;p&gt;When an organisation suffers a data breach, the obvious costs are incident response, legal work, notification, customer support, remediation, and regulatory attention. Those costs matter. IBM's &lt;a href="https://www.ibm.com/reports/data-breach"&gt;2025 Cost of a Data Breach Report&lt;/a&gt; puts the global average breach cost at about USD 4.4 million. IBM's &lt;a href="https://www.ibm.com/think/topics/data-breach"&gt;data breach explainer&lt;/a&gt; also says stolen or compromised credentials were one of the top five initial attack vectors in the 2025 report, accounting for 10% of breaches and taking up to 186 days to identify.&lt;/p&gt;
&lt;p&gt;But that is only the first bill.&lt;/p&gt;
&lt;p&gt;Once usernames and passwords leave the original system, they do not stay attached to the original incident. They are copied, sorted, bundled, tested, resold, and mixed with other personal data. Another company's breach becomes your login problem. A password reused somewhere else becomes your fraud queue, your support call, your chargeback, your locked account, your angry customer, and your next security review.&lt;/p&gt;
&lt;p&gt;That is the real cost of breached credentials: not just the breach, but the long tail of account abuse that follows.&lt;/p&gt;
&lt;h2&gt;The Roundup: Breaches Are Feeding Account Abuse&lt;/h2&gt;
&lt;p&gt;The numbers are not subtle.&lt;/p&gt;
&lt;p&gt;The Identity Theft Resource Center's &lt;a href="https://www.idtheftcenter.org/post/2025-annual-data-breach-report-record-number-compromises/"&gt;2025 Annual Data Breach Report&lt;/a&gt; tracked 3,322 data compromises in 2025, a record high and a 79% increase over five years. The same report found that 70% of breach notices did not include attack information, making it harder for consumers and downstream businesses to understand what risk they now carry.&lt;/p&gt;
&lt;p&gt;The ITRC also introduced a category it calls Previously Compromised Data: old stolen data that is repackaged and recirculated. In the &lt;a href="https://www.idtheftcenter.org/wp-content/uploads/2026/01/2025-ITRC-Annual-Data-Breach-Report.pdf"&gt;full report&lt;/a&gt;, the ITRC says there were four major PCD releases in 2025, including two incidents involving roughly 16 billion records with no known notices. Its warning is the important part: while this may not be "new" stolen data, aggregation makes it highly effective for credential stuffing and account takeover attacks.&lt;/p&gt;
&lt;p&gt;That matches the operational pattern security teams see on login endpoints. &lt;a href="https://owasp.org/www-community/attacks/Credential_stuffing"&gt;OWASP describes credential stuffing&lt;/a&gt; as automated testing of stolen username and password pairs against login forms. The reason it works is boring and persistent: people reuse passwords. Attackers do not need to breach your site if a customer has already reused a working credential somewhere else.&lt;/p&gt;
&lt;p&gt;For Australian organisations, the local signals are just as relevant. The OAIC received &lt;a href="https://www.oaic.gov.au/news/blog/latest-notifiable-data-breach-statistics-for-january-to-june-2025"&gt;532 Notifiable Data Breach notifications&lt;/a&gt; between January and June 2025, with malicious or criminal attacks remaining the largest source of notifications. ASD's &lt;a href="https://www.cyber.gov.au/about-us/view-all-content/reports-and-statistics/annual-cyber-threat-report-2024-2025"&gt;Annual Cyber Threat Report 2024-25&lt;/a&gt; notes that its credential exposure notification process proactively sent 9,587 credential exposure events to about 220 organisations between 19 November 2024 and 30 June 2025.&lt;/p&gt;
&lt;p&gt;None of that means every fraud loss starts with a reused password. It does mean credential exposure is part of the operating environment. Attackers have supply, tooling, proxy infrastructure, and plenty of places to turn account access into money.&lt;/p&gt;
&lt;p&gt;The FBI's &lt;a href="https://www.ic3.gov/AnnualReport/Reports/2025_IC3Report.pdf"&gt;2025 IC3 report&lt;/a&gt; gives useful context for that monetisation path. Cyber-enabled fraud accounted for 452,868 complaints and USD 17.697 billion in reported losses. Those losses include many crime types, not just credential stuffing, but the transaction paths are familiar to anyone dealing with account abuse: wire and ACH transfers, cards, peer-to-peer transfers, prepaid and gift cards, and cryptocurrency.&lt;/p&gt;
&lt;h2&gt;Where the Cost Actually Lands&lt;/h2&gt;
&lt;p&gt;A breached credential is cheap for the attacker and expensive for everyone else.&lt;/p&gt;
&lt;p&gt;The first cost is detection. A login using the right username and password does not automatically look malicious. If the attacker spreads attempts across residential proxy infrastructure, uses one attempt per account, or targets mobile API endpoints directly, simple IP-based rate limits may not see the pattern. Peakhour has written about this in &lt;a href="/blog/credential-stuffing-threat-australian-businesses/"&gt;The Australian epidemic of Account Takeover attacks&lt;/a&gt; and in &lt;a href="/blog/credential-stuffing-after-the-login/"&gt;Credential Stuffing Does Not Stop at the Login Form&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;The second cost is fraud. Once a credential works, the attacker looks for value: stored cards, gift cards, loyalty points, refunds, store credit, subscription changes, delivery addresses, and saved payment flows. This is why account takeover is not just an authentication problem. The expensive moment may be checkout, not login.&lt;/p&gt;
&lt;p&gt;The third cost is support. Customers do not usually know whether the original password leak happened somewhere else. They know their account was used, their card was charged, their loyalty balance disappeared, or their email address changed. The business still has to handle the support ticket, freeze the account, unwind the transaction, review the evidence, and explain what happened.&lt;/p&gt;
&lt;p&gt;The fourth cost is trust. We have covered this before in &lt;a href="/blog/credential-stuffing-business-impact/"&gt;The Cost of Credential Stuffing&lt;/a&gt;: the reputational damage is practical. Customers see refunds, account locks, suspicious messages, and public complaints. Even if the business was not the source of the original breach, it becomes the place where the harm is felt.&lt;/p&gt;
&lt;p&gt;The fifth cost is friction. If the only response is to challenge everyone, the business pays through abandonment and customer frustration. If the response is too soft, the business pays through fraud. The work is to apply friction where the evidence justifies it.&lt;/p&gt;
&lt;h2&gt;You Do Not Need Surveillance to Secure Accounts&lt;/h2&gt;
&lt;p&gt;There is a bad version of account protection that tries to identify people everywhere they go. That is not necessary, and it is not the right model for this problem.&lt;/p&gt;
&lt;p&gt;Credential abuse defence should be scoped to the account security decision in front of you. Is this login using a known exposed credential pair? Is the session coming from suspicious infrastructure? Is it a first-seen device for the account? Is it trying to change email, reset the password, add a payout method, redeem stored value, or check out with saved payment details? Did the same client pattern just test many accounts?&lt;/p&gt;
&lt;p&gt;Those questions can be answered with security-specific signals, not advertising-style tracking. Hash the credential check. Treat &lt;a href="/blog/fingerprints-are-evidence-not-identity/"&gt;fingerprints as evidence, not identity&lt;/a&gt;. Keep the evidence tied to the protected account and request path. Use network, device, route, behaviour, and credential-risk context to decide whether to allow, step up, throttle, block, or review. Do not build a cross-site identity graph when the job is to stop account abuse on your own service.&lt;/p&gt;
&lt;p&gt;That distinction matters. Users should not have to trade privacy for basic account security. Businesses also do not need to choose between doing nothing and adding blanket friction. &lt;a href="/solutions/use-case/contextual-security/"&gt;Contextual security&lt;/a&gt; is useful because it lets the response match the risk.&lt;/p&gt;
&lt;h2&gt;What Teams Should Measure&lt;/h2&gt;
&lt;p&gt;If breached credentials are a business cost, measure them like one.&lt;/p&gt;
&lt;p&gt;Useful measures include:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;How many login attempts match known breached credential pairs.&lt;/li&gt;
&lt;li&gt;How many breached-credential attempts result in a successful login.&lt;/li&gt;
&lt;li&gt;Which routes see the risk: login, password reset, email change, stored-card checkout, gift card redemption, account recovery, mobile API, partner API, or admin access.&lt;/li&gt;
&lt;li&gt;How often high-risk sessions move from login into sensitive account actions.&lt;/li&gt;
&lt;li&gt;Which signals appear together: breached credential, residential proxy, first-seen device, unusual geography, repeated failure, rapid checkout, or recovery-flow pressure.&lt;/li&gt;
&lt;li&gt;How many support tickets, refunds, chargebacks, account locks, and fraud reviews are linked to account takeover.&lt;/li&gt;
&lt;li&gt;How many controls create customer friction, and whether that friction is landing on risky sessions or ordinary customers.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;This does not need to be perfect on day one. The important step is to stop treating credential stuffing as a vague security category and start treating it as an observable account-risk workflow.&lt;/p&gt;
&lt;h2&gt;The Control Pattern&lt;/h2&gt;
&lt;p&gt;The control pattern is layered.&lt;/p&gt;
&lt;p&gt;Start with &lt;a href="/products/breached-credentials/"&gt;breached credential scanning&lt;/a&gt; so reused or exposed credentials are visible at login. Feed that signal into &lt;a href="/solutions/use-case/prevent-account-takeovers/"&gt;account takeover prevention&lt;/a&gt; rather than treating it as a standalone report. Add &lt;a href="/products/bot-management/"&gt;bot management&lt;/a&gt; and &lt;a href="/products/advanced-rate-limiting/"&gt;advanced rate limiting&lt;/a&gt; so automation and distributed testing are harder to run at scale. Use &lt;a href="/products/residential-proxy-detection/"&gt;residential proxy detection&lt;/a&gt; as a risk signal, especially where attackers are trying to make automated traffic look like normal customer traffic.&lt;/p&gt;
&lt;p&gt;Then carry the risk forward after login.&lt;/p&gt;
&lt;p&gt;A low-risk page view and a saved-card checkout should not inherit the same level of trust just because the password worked. A session that begins with a breached credential match, comes through suspicious infrastructure, and immediately changes the email address or redeems stored value deserves a different response from a known customer browsing order history.&lt;/p&gt;
&lt;p&gt;The response can be graduated:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Log low-risk activity for visibility.&lt;/li&gt;
&lt;li&gt;Tighten rate limits on suspicious automation.&lt;/li&gt;
&lt;li&gt;Require step-up verification before sensitive account changes.&lt;/li&gt;
&lt;li&gt;Hold or review risky transactions.&lt;/li&gt;
&lt;li&gt;Notify the customer when high-risk account changes are attempted.&lt;/li&gt;
&lt;li&gt;Block sessions when the evidence is strong enough.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;That is how breached credential data becomes useful. It is not a panic button. It is a signal that helps decide when trust should be earned again.&lt;/p&gt;
&lt;h2&gt;The Practical Takeaway&lt;/h2&gt;
&lt;p&gt;Breached credentials are not only a breach-response issue. They are an account protection issue, a fraud issue, a support issue, and a customer trust issue.&lt;/p&gt;
&lt;p&gt;The original breach may have happened somewhere else. The cost can still land on your login form, your checkout, your API, and your support team.&lt;/p&gt;
&lt;p&gt;The goal is not to make every login difficult. The goal is to make stolen credentials harder to turn into account control, money movement, stored-value abuse, or customer harm.&lt;/p&gt;
&lt;p&gt;That starts by making credential risk visible, connecting it to session and route context, and applying proportionate controls where the cost would otherwise show up.&lt;/p&gt;</content><category term="Account Protection"></category><category term="Account Protection"></category><category term="Credential Stuffing"></category><category term="Breached Credentials"></category><category term="Fraud Prevention"></category><category term="Bot Management"></category><category term="API Security"></category><category term="Residential Proxies"></category></entry><entry><title>Credential Stuffing Does Not Stop at the Login Form</title><link href="https://www.peakhour.io/blog/credential-stuffing-after-the-login/" rel="alternate"></link><published>2026-06-19T00:00:00+10:00</published><updated>2026-06-19T00:00:00+10:00</updated><author><name>AC</name></author><id>tag:www.peakhour.io,2026-06-19:/blog/credential-stuffing-after-the-login/</id><summary type="html">&lt;p&gt;Credential stuffing risk continues after a password works. Account protection needs to watch password reset, email change, stored payment, gift card, and checkout flows.&lt;/p&gt;</summary><content type="html">&lt;p&gt;Credential stuffing is usually described as a login problem. An attacker takes breached username and password pairs, tests them against a site, and tries to find accounts where people reused passwords.&lt;/p&gt;
&lt;p&gt;That description is accurate, but incomplete. The login is only the first gate. The real damage often happens in the flows that follow a successful login: password reset, email change, saved cards, loyalty balances, gift cards, account recovery, address changes, and checkout.&lt;/p&gt;
&lt;p&gt;If account protection only watches the login form, it can miss the part of the attack that matters most to the business.&lt;/p&gt;
&lt;p&gt;A successful credential stuffing attempt does not always look dramatic. The attacker may have valid credentials. They may come through residential proxy infrastructure. They may spread attempts across many IP addresses. They may slow the attack down to stay below simple thresholds. If the site treats a valid username and password as the end of the risk decision, the attacker inherits whatever the account can do.&lt;/p&gt;
&lt;p&gt;That is why &lt;a href="/solutions/use-case/prevent-account-takeovers/"&gt;account takeover prevention&lt;/a&gt; needs to cover account actions, not just authentication.&lt;/p&gt;
&lt;h2&gt;The Attack Continues After the Password Works&lt;/h2&gt;
&lt;p&gt;Once an attacker is inside an account, they usually want persistence, value, or both.&lt;/p&gt;
&lt;p&gt;A password reset or password change can lock the real customer out. An email change can move alerts, receipts, and recovery messages away from the owner. A phone number change can weaken later verification. A new shipping address can redirect physical goods. Stored payment methods can turn account access into immediate fraud. Gift cards, store credits, loyalty points, and refunds can be easier to monetise than a card transaction.&lt;/p&gt;
&lt;p&gt;Checkout is often where the compromise becomes visible, but the risk builds earlier. A login from unfamiliar infrastructure followed by a profile change, then a saved-card purchase, is different from a returning customer browsing previous orders. A dormant account that suddenly redeems gift cards, changes email, and ships to a new address deserves more scrutiny than an ordinary login.&lt;/p&gt;
&lt;p&gt;These flows are also common in APIs. Mobile apps, single-page applications, partner integrations, and checkout backends expose account actions through endpoints that may not share the same controls as the web login page. Attackers do not care whether the valuable step is behind &lt;code&gt;/login&lt;/code&gt;, &lt;code&gt;/api/account/email&lt;/code&gt;, or &lt;code&gt;/checkout/payment&lt;/code&gt;. They follow the path that works.&lt;/p&gt;
&lt;h2&gt;Breached Credentials Are a Risk Signal&lt;/h2&gt;
&lt;p&gt;&lt;a href="/products/breached-credentials/"&gt;Breached credential&lt;/a&gt; checks are useful because they add context before the account is fully trusted. If a credential pair is known to have appeared in a breach, the site can treat the session differently from the start.&lt;/p&gt;
&lt;p&gt;That does not mean every breached credential attempt should be handled the same way. A user may be genuinely logging in with a reused password. An attacker may be testing a combo list. A customer may be returning after a long period away. The point is to make the risk visible and carry it through the session.&lt;/p&gt;
&lt;p&gt;Peakhour has written before about &lt;a href="/blog/breached-credentials-protection-application-security-platform/"&gt;managing breached credential usage&lt;/a&gt;. The practical lesson is that credential risk should feed the wider account protection decision. A breached credential signal should be considered alongside client evidence, network context, request rate, route sensitivity, behaviour, and the action being attempted.&lt;/p&gt;
&lt;p&gt;A low-risk page view and a stored-card checkout should not inherit the same confidence just because both follow a successful login.&lt;/p&gt;
&lt;h2&gt;MFA Helps, But It Does Not Close Every Path&lt;/h2&gt;
&lt;p&gt;Multi-factor authentication remains useful. It can stop many direct account takeover attempts and raise the cost of abuse. But &lt;a href="/blog/why-mfa-is-an-incomplete-defence/"&gt;MFA is not a complete defence&lt;/a&gt; when attackers use social engineering, session theft, weak recovery flows, trusted devices, or post-login actions that do not require step-up verification.&lt;/p&gt;
&lt;p&gt;The better pattern is adaptive control. Let the login succeed when the evidence is low risk. Step up when the action matters. Ask for stronger verification before changing the email address, adding a new payout method, redeeming a stored balance, or checking out with saved payment details from an unfamiliar context.&lt;/p&gt;
&lt;p&gt;This is not about adding friction everywhere. It is about reserving friction for the points where compromise turns into loss.&lt;/p&gt;
&lt;h2&gt;What to Monitor After Login&lt;/h2&gt;
&lt;p&gt;The useful signals are operational and specific:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Credential risk at login, including known breached username and password pairs.&lt;/li&gt;
&lt;li&gt;New client, browser, or network evidence on an existing account.&lt;/li&gt;
&lt;li&gt;Password reset, password change, email change, and phone change attempts.&lt;/li&gt;
&lt;li&gt;New shipping addresses, payment method changes, stored-card use, gift card redemption, and loyalty balance activity.&lt;/li&gt;
&lt;li&gt;Sudden changes in behaviour, such as rapid checkout after login or repeated account recovery attempts.&lt;/li&gt;
&lt;li&gt;API routes that perform sensitive account actions without the same scrutiny as browser flows.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;The response should match the confidence and consequence. Some events only need logging. Some need tighter rate limits. Some need a browser challenge, MFA step-up, temporary hold, customer notification, or review.&lt;/p&gt;
&lt;p&gt;Credential stuffing defence is not finished when a password works or fails. The more useful question is: what does this session try to do next, and does the evidence justify trusting it?&lt;/p&gt;
&lt;p&gt;For account protection, that is the line that matters.&lt;/p&gt;</content><category term="API Security"></category><category term="API Security"></category><category term="Account Protection"></category><category term="Credential Stuffing"></category><category term="Bot Management"></category><category term="Breached Credentials"></category><category term="Fraud Prevention"></category></entry><entry><title>Anatomy of a Credential Stuffing Attack</title><link href="https://www.peakhour.io/blog/anatomy-of-a-credential-stuffing-attack/" rel="alternate"></link><published>2025-09-01T00:00:00+10:00</published><updated>2025-09-01T00:00:00+10:00</updated><author><name>AC</name></author><id>tag:www.peakhour.io,2025-09-01:/blog/anatomy-of-a-credential-stuffing-attack/</id><summary type="html">&lt;p&gt;A deep dive into how credential stuffing attacks work, the tools used, and how to build a multi-layered defense.&lt;/p&gt;</summary><content type="html">&lt;p&gt;In early 2024, major Australian retailer &lt;a href="/blog/account-takeover-fraud-theiconic/"&gt;The Iconic&lt;/a&gt; was hit by a widespread account takeover attack. Fraudsters used stolen credentials to log into customer accounts, place orders with stored credit cards, and ship goods to different locations. The incident caused significant reputational damage and financial loss, forcing the company to issue refunds and publicly address the security breach.&lt;/p&gt;
&lt;p&gt;This attack wasn't the result of a direct hack on The Iconic's systems. It was a classic case of &lt;strong&gt;&lt;a href="/blog/credential-stuffing-business-impact/"&gt;credential stuffing&lt;/a&gt;&lt;/strong&gt;: an automated attack that works because people reuse passwords across services. This article breaks down how credential stuffing works, the attacker's toolkit, the business impact, and the controls that make it harder to run at scale.&lt;/p&gt;
&lt;h2&gt;What is Credential Stuffing?&lt;/h2&gt;
&lt;p&gt;Credential stuffing is an automated attack where malicious actors use lists of stolen usernames and passwords—often obtained from third-party data breaches—to gain unauthorised access to user accounts on other websites. The attack works because many users recycle the same password across multiple online services. If a password for a user's social media account is leaked, attackers will "stuff" that same email and password combination into the login forms of e-commerce sites, banking portals, and other high-value targets.&lt;/p&gt;
&lt;p&gt;Because attackers submit valid credentials, even though they are stolen, these login attempts can be difficult to distinguish from genuine user activity. That makes credential stuffing harder for traditional security controls to spot.&lt;/p&gt;
&lt;h2&gt;The Attacker's Toolkit&lt;/h2&gt;
&lt;p&gt;Modern credential stuffing is not a manual process. Attackers use a mature set of tools and resources to automate and scale their campaigns:&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Automation Software&lt;/strong&gt;: Tools like &lt;a href="/blog/the-rise-of-openbullet/"&gt;OpenBullet&lt;/a&gt; are central to these attacks. OpenBullet is a powerful, open-source web testing suite that allows even non-programmers to create complex attack scripts. Attackers can find or create "configs" that tell the software exactly how to interact with a target website's login form.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Breached Credential Lists&lt;/strong&gt;: Dark web markets carry massive databases of usernames and passwords harvested from data breaches. These "combo lists" are the raw material for credential stuffing attacks and can be purchased for very little cost.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Proxy Networks&lt;/strong&gt;: To avoid being blocked, attackers distribute their login attempts across thousands or even millions of IP addresses. They often use residential proxy networks, which route traffic through the internet connections of real home users. This can make malicious traffic appear to come from legitimate customers, weakening IP-based blocking and rate limiting.&lt;/p&gt;
&lt;/li&gt;
&lt;/ol&gt;
&lt;h2&gt;The Business Impact&lt;/h2&gt;
&lt;p&gt;The consequences of a successful credential &lt;a href="/learning/bots/anatomy-of-credential-stuffing-attack/"&gt;stuffing attack&lt;/a&gt; extend beyond the login event:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Direct Financial Loss&lt;/strong&gt;: As seen with The Iconic, attackers can make fraudulent purchases, drain loyalty points, or transfer funds, leading to direct financial losses and the cost of refunding customers.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Damage to Brand Reputation&lt;/strong&gt;: Publicly reported breaches erode customer trust. Users who have been defrauded may share their negative experiences on social media, leading to lasting reputational harm.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Loss of Customer Trust&lt;/strong&gt;: When customers believe their accounts are not secure, they may abandon the platform altogether, leading to customer churn and a decline in lifetime value.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Operational Costs&lt;/strong&gt;: Responding to an attack involves significant operational overhead, including customer support time, fraud investigation, and new security measures.&lt;/li&gt;
&lt;/ul&gt;
&lt;h2&gt;Building a Multi-Layered Defense&lt;/h2&gt;
&lt;p&gt;Stopping automated attacks requires a defence strategy that goes beyond simple password policies. A modern, multi-layered approach should include:&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Advanced Bot Protection&lt;/strong&gt;: The first step is to distinguish bots from humans. Modern &lt;a href="/products/bot-management/"&gt;bot management&lt;/a&gt; uses techniques like network and browser fingerprinting, proxy context, route behaviour, and behavioural analysis to detect automated login attempts, even when they mimic human behaviour.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Check Credentials Against Breach Databases&lt;/strong&gt;: Proactively check usernames and passwords used in login attempts against comprehensive databases of known breached credentials. If a credential pair is known to be compromised, you can flag the login for additional verification or alert the user to change their password.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Advanced Rate Limiting&lt;/strong&gt;: Traditional IP-based rate limiting struggles against distributed attacks. Advanced rate limiting groups requests by more stable identifiers, such as a TLS fingerprint, which can remain consistent even as an attacker rotates through thousands of IP addresses. This helps track and block a single malicious actor launching a distributed attack.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Enforce Multi-Factor Authentication (MFA)&lt;/strong&gt;: MFA is not a silver bullet, but it provides a critical layer of security by requiring a second form of verification. Websites should strongly encourage or enforce MFA, especially for sensitive actions like changing account details or making purchases.&lt;/p&gt;
&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;For production teams, the useful bot-management view ties those controls together on the login path. Credential exposure, residential proxy evidence, fingerprints, request rate, response codes, and session changes should feed one decision about whether to allow, challenge, rate limit, block, or review the attempt.&lt;/p&gt;
&lt;p&gt;By combining these controls, organisations can make credential stuffing harder to scale, protect user accounts, and reduce the business risk when attackers test stolen credentials.&lt;/p&gt;</content><category term="Security"></category><category term="Credential Stuffing"></category><category term="Account Protection"></category><category term="Fraud Prevention"></category><category term="Residential Proxies"></category><category term="DNS"></category><category term="Threat Detection"></category></entry><entry><title>How to Use Bot Management for IAM Use Cases</title><link href="https://www.peakhour.io/blog/bot-management-for-iam-use-cases/" rel="alternate"></link><published>2025-08-20T00:00:00+10:00</published><updated>2025-08-20T00:00:00+10:00</updated><author><name>AC</name></author><id>tag:www.peakhour.io,2025-08-20:/blog/bot-management-for-iam-use-cases/</id><summary type="html">&lt;p&gt;Bots are part of account takeover, fraud, scraping, and other abuse. Identity and access management leaders need a clear business case for bot management, or their organisations face avoidable account takeover losses and will be less prepared for the risks introduced when customers use AI agents.&lt;/p&gt;</summary><content type="html">&lt;p&gt;Automated attacks against identity and access management (IAM) systems are now a routine account protection problem. Malicious bots drive account takeovers (ATO), credential stuffing, brute-force login attempts, and fake account creation. As these attacks adapt, traditional IAM controls such as password policies and even multi-factor authentication (MFA) are not enough on their own.&lt;/p&gt;
&lt;p&gt;Identity and access management leaders should treat &lt;a href="/products/bot-management/"&gt;bot management&lt;/a&gt; as part of the IAM control set, not a separate website security add-on. A dedicated capability helps reduce avoidable financial and reputational losses from account compromise. It also gives organisations a way to manage the risks created as AI agents become regular users of web applications and APIs.&lt;/p&gt;
&lt;h2&gt;Introduction&lt;/h2&gt;
&lt;p&gt;Some estimates suggest &lt;a href="/learning/bots/bot-traffic/"&gt;nearly half of all traffic is automated&lt;/a&gt;. That mix matters: useful crawlers and monitoring tools are part of normal internet traffic, but malicious automation is built to test web applications at scale. IAM systems, which control access to sensitive user accounts and data, are a primary target.&lt;/p&gt;
&lt;p&gt;The most common &lt;a href="/learning/bots/bot-attacks/"&gt;bot attacks&lt;/a&gt; targeting IAM include:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;&lt;a href="/learning/bots/anatomy-of-credential-stuffing-attack/"&gt;Credential Stuffing&lt;/a&gt;&lt;/strong&gt;: Attackers use lists of stolen usernames and passwords from third-party data breaches to gain unauthorised access to user accounts. This attack vector is effective because password reuse is still common.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Brute-Force Attacks&lt;/strong&gt;: Automated scripts guess passwords for known usernames, often targeting login endpoints for platforms like WordPress and Magento.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Fake Account Creation&lt;/strong&gt;: Bots create fraudulent accounts at scale, which can be used for spam, malware distribution, or to abuse promotional offers.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;Recent attacks on major Australian retailers like &lt;a href="/blog/account-takeover-fraud-theiconic/"&gt;The Iconic&lt;/a&gt; and Dan Murphy's show the practical impact. These incidents, driven by credential stuffing, resulted in reputational damage and financial loss, forcing the companies to issue refunds and publicly address security concerns.&lt;/p&gt;
&lt;h2&gt;Analysis&lt;/h2&gt;
&lt;p&gt;Defending IAM systems starts with why common controls fall short and where bot management adds useful signal.&lt;/p&gt;
&lt;h3&gt;Why Traditional IAM Defences Fail&lt;/h3&gt;
&lt;p&gt;Attackers have adapted their techniques to bypass legacy security controls. Simple IP-based rate limiting and reputation lists struggle against the combination of &lt;a href="/blog/bots-residential-proxies-anti-detect-browsers/"&gt;residential proxies and anti-detect browsers&lt;/a&gt;:&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;&lt;strong&gt;Residential Proxies&lt;/strong&gt;: Attackers route their traffic through large networks of IP addresses belonging to real residential internet connections. This makes malicious traffic appear legitimate and allows attackers to bypass IP-based blocking and geolocation restrictions. Our own tests show that even leading IP intelligence services &lt;a href="/blog/anti-fraud-residential-proxy-detection/"&gt;fail to detect the vast majority of residential proxy traffic&lt;/a&gt;.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Anti-Detect Browsers&lt;/strong&gt;: These specialised browsers allow attackers to spoof their digital fingerprints, mimicking legitimate user devices and browser configurations. This weakens many JavaScript-based challenges and fingerprinting techniques.&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;Used with automation suites like OpenBullet, these tools let attackers run "low and slow" distributed attacks that blend into normal traffic. For more information on these tools, see our guide to &lt;a href="/blog/enterprise-bot-management-application-security/"&gt;enterprise bot management&lt;/a&gt;.&lt;/p&gt;
&lt;h3&gt;The Flawed Logic of CAPTCHA&lt;/h3&gt;
&lt;p&gt;For years, &lt;a href="/learning/bots/captcha/"&gt;CAPTCHA&lt;/a&gt; has been the default way to distinguish humans from bots. It is now a weak control when used on its own. Our research shows that visible CAPTCHAs have a &lt;a href="/blog/the-negative-impact-of-captchas-on-ecommerce-conversions"&gt;severe negative impact on user experience and conversions&lt;/a&gt;. Studies have found that CAPTCHAs can reduce form conversions by up to 40%, as frustrated users abandon purchases or sign-ups.&lt;/p&gt;
&lt;p&gt;Modern bots can also &lt;a href="/blog/captcha-conundrum-frustrating-humans-easy-for-bots/"&gt;solve CAPTCHAs with high accuracy&lt;/a&gt;, often more effectively than humans, by using CAPTCHA-solving farm services. Relying on CAPTCHA alone creates friction for legitimate users while providing a false sense of security. Modern bot management uses invisible challenges and behavioural analysis to validate users without disrupting their session.&lt;/p&gt;
&lt;h3&gt;Modern Bot Management Capabilities for IAM&lt;/h3&gt;
&lt;p&gt;An &lt;a href="/blog/key-considerations-effective-bot-management/"&gt;effective bot management&lt;/a&gt; solution provides a multi-layered defence that goes beyond simple signatures. Key capabilities include:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Advanced Rate Limiting&lt;/strong&gt;: Instead of relying on IP addresses, modern solutions group requests using more stable identifiers like TLS/HTTP2 fingerprints, device characteristics, or a combination of headers. This helps detect distributed attacks from a single malicious tool, even as it rotates through thousands of IPs.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;&lt;a href="/blog/mtu-fingerprinting-vpn-mobile-detection/"&gt;Network and Device Fingerprinting&lt;/a&gt;&lt;/strong&gt;: By analysing the unique characteristics of a client's TCP and TLS implementation, it is possible to identify the underlying software making the request, regardless of the user-agent header. This helps distinguish between real browsers and automated scripts.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Behavioural Analysis&lt;/strong&gt;: Systems can model normal user behaviour—such as mouse movements, typing speed, and page navigation—to identify anomalies that indicate automation.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;&lt;a href="/learning/threat-detection/what-is-residential-proxy-detection/"&gt;Residential Proxy Detection&lt;/a&gt;&lt;/strong&gt;: Specialised techniques are required to identify traffic coming from residential proxy networks, which is a strong indicator of malicious intent.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Breached Credential Integration&lt;/strong&gt;: By checking login attempts against databases of known breached credentials, security teams can apply additional scrutiny to high-risk authentication events.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;Together, these controls give IAM teams more useful decision points than an IP address, a password check, or a CAPTCHA challenge alone.&lt;/p&gt;
&lt;h2&gt;The Next Frontier&lt;/h2&gt;
&lt;p&gt;The next major change in automated traffic is agentic AI. As reasoning models like &lt;a href="/blog/residential-proxies-deepseek/"&gt;DeepSeek become more accessible&lt;/a&gt;, we are entering an era where &lt;a href="/learning/bots/llm-web-scrapers/"&gt;AI agents are becoming primary consumers&lt;/a&gt; of APIs and web applications.&lt;/p&gt;
&lt;p&gt;These are not just the rigid scripts of the past. AI agents can reason, plan, and adapt their behaviour in real-time based on a system's responses. They can analyse an entire API surface in seconds and generate complex interaction patterns that human developers would be unlikely to try manually.&lt;/p&gt;
&lt;p&gt;This creates a harder IAM problem. Bot management has usually looked for patterns that differ from normal human behaviour. AI agents can make those patterns less reliable by imitating user behaviour while still operating at machine speed. The line between human and &lt;a href="/learning/bots/bot-management/"&gt;automated traffic&lt;/a&gt; blurs.&lt;/p&gt;
&lt;p&gt;IAM leaders need bot management solutions that can adapt to this shift. The future of bot management will not only be about blocking bots; it will also be about deciding which automated agents are acceptable, under what conditions, and with which controls. This requires a shift from static, rule-based security to contextual analysis that understands and adapts to agent behaviour, distinguishing between legitimate AI assistants and malicious ones. Organisations that wait until agent traffic is common will have less time to distinguish useful automation from AI-driven attacks.&lt;/p&gt;</content><category term="Security"></category><category term="Bot Management"></category><category term="Account Protection"></category><category term="Credential Stuffing"></category><category term="API Security"></category><category term="Threat Detection"></category><category term="Fraud Prevention"></category></entry><entry><title>A Complete Guide to SMS Pumping Fraud</title><link href="https://www.peakhour.io/blog/sms-pumping-fraud-business-impact-protection/" rel="alternate"></link><published>2025-03-13T14:00:00+11:00</published><updated>2025-03-13T14:00:00+11:00</updated><author><name>AC</name></author><id>tag:www.peakhour.io,2025-03-13:/blog/sms-pumping-fraud-business-impact-protection/</id><summary type="html">&lt;p&gt;SMS pumping fraud cost businesses $6.7 billion in 2021. Learn how these sophisticated attacks work, which companies face the highest risk, and the most effective protection strategies.&lt;/p&gt;</summary><content type="html">&lt;h2&gt;The Growth of SMS Fraud&lt;/h2&gt;
&lt;p&gt;SMS pumping fraud is a costly online abuse pattern, with global losses reaching an estimated $6.7 billion in 2021 alone. It targets companies that rely on SMS for verification or customer communications, leaving them to pay for traffic they did not request.&lt;/p&gt;
&lt;p&gt;The scheme relies on malicious actors and dishonest telecom operators working together to generate and monetise large volumes of fraudulent text messages. For businesses caught in these schemes, the financial impact can be severe. Twitter (now X) reportedly lost $60 million to this type of fraud.&lt;/p&gt;
&lt;p&gt;This guide explains how SMS pumping works, which businesses face the highest risk, and the controls your organisation can use to reduce exposure.&lt;/p&gt;
&lt;h2&gt;&lt;strong&gt;Understanding SMS Pumping Fraud&lt;/strong&gt;&lt;/h2&gt;
&lt;p&gt;SMS pumping (also called SMS toll fraud, SMS spamming, or Artificially Inflated Traffic) involves manipulating mobile networks to inflate charges for text messages. The term "pumping" describes fraudsters forcing high SMS volume through a target's systems.&lt;/p&gt;
&lt;p&gt;This fraud exploits how SMS messages travel and get billed across phone networks. Attackers target companies that use SMS codes to verify users. Each time a business sends a verification code, it pays a fee. Fraudsters trigger these systems to send thousands of messages to numbers they control.&lt;/p&gt;
&lt;p&gt;These attacks create direct costs for businesses and revenue for the attackers. The fraud works through coordination between criminals and corrupt telecom operators, who charge premium rates for message delivery and share the proceeds.&lt;/p&gt;
&lt;p&gt;The fraud has changed as more businesses have adopted SMS verification. Attackers keep developing new methods, and the phone industry has not removed the risk. Many companies still carry the financial exposure.&lt;/p&gt;
&lt;h2&gt;&lt;strong&gt;How SMS Pumping Works&lt;/strong&gt;&lt;/h2&gt;
&lt;p&gt;SMS pumping attacks usually exploit message systems through these steps:&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;&lt;strong&gt;Finding Targets&lt;/strong&gt;: Attackers look for websites or apps that send SMS codes for account verification or password resets.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Creating Fake Requests&lt;/strong&gt;: Fraudsters use automation to send thousands of code requests to phone numbers they own or control.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Hiding Their Tracks&lt;/strong&gt;: Attackers change their IP addresses and device information so requests appear to come from real users.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Sharing Profits&lt;/strong&gt;: Fraudsters work with dishonest phone companies that charge high fees when messages pass through their networks. These companies then share the money with the attackers.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Using Complex Routes&lt;/strong&gt;: Messages travel through many networks before reaching their destination, making the source of the fraud harder to trace.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Targeting Expensive Routes&lt;/strong&gt;: Attackers focus on international numbers where sending messages costs more or where rules are weaker.&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;These attacks look legitimate because each message contains a real code sent to what appears to be a normal phone number. Companies like &lt;a href="https://twilio.com"&gt;Twilio&lt;/a&gt; or &lt;a href="https://bird.com"&gt;Bird&lt;/a&gt; must pay fees to deliver these messages. Most businesses only find out about the fraud when a large bill arrives from their SMS service.&lt;/p&gt;
&lt;p&gt;SMS pumping differs from basic spam because the profit-sharing between attackers and phone companies creates a direct cost for the target business.&lt;/p&gt;
&lt;h2&gt;&lt;strong&gt;Businesses at Risk&lt;/strong&gt;&lt;/h2&gt;
&lt;p&gt;SMS pumping is most likely to affect these types of businesses:&lt;/p&gt;
&lt;h3&gt;&lt;strong&gt;Financial Institutions&lt;/strong&gt;&lt;/h3&gt;
&lt;p&gt;Banks, investment platforms, and cryptocurrency exchanges use SMS codes to protect accounts. These firms send thousands of codes each day, which makes it hard to spot fake requests mixed with real ones.&lt;/p&gt;
&lt;h3&gt;&lt;strong&gt;E-commerce Platforms&lt;/strong&gt;&lt;/h3&gt;
&lt;p&gt;Online shops use SMS messages when users create accounts, reset passwords, or make purchases. These businesses often run on small profit margins, so extra SMS costs can hurt their earnings. High volumes of new users make it easier for attackers to hide their activity.&lt;/p&gt;
&lt;h3&gt;&lt;strong&gt;Social Media Companies&lt;/strong&gt;&lt;/h3&gt;
&lt;p&gt;Social networks use text messages to check user identity and stop fake accounts. These companies send millions of codes each day to users around the world. Twitter lost $60 million from this type of fraud, showing the scale these bills can reach.&lt;/p&gt;
&lt;h3&gt;&lt;strong&gt;Software-as-a-Service (SaaS) Providers&lt;/strong&gt;&lt;/h3&gt;
&lt;p&gt;These companies often offer free trials that require SMS verification. They plan for a set cost to acquire each new user, but fraud can push these costs much higher than expected.&lt;/p&gt;
&lt;h3&gt;&lt;strong&gt;Telecommunications Companies&lt;/strong&gt;&lt;/h3&gt;
&lt;p&gt;Phone companies face two problems: their own systems can be attacked, and parts of their network might help fraudsters. They need strong monitoring tools to find unusual patterns in message traffic.&lt;/p&gt;
&lt;h3&gt;&lt;strong&gt;Small Businesses and Startups&lt;/strong&gt;&lt;/h3&gt;
&lt;p&gt;While smaller firms send fewer messages, they often lack security teams and fraud detection tools. This makes them easier targets. The cost of an attack can put these businesses at risk of closing down because they have less money in reserve.&lt;/p&gt;
&lt;h2&gt;Advanced Attack Methods&lt;/h2&gt;
&lt;p&gt;Attackers now combine SMS pumping with other techniques to avoid detection.&lt;/p&gt;
&lt;h3&gt;Credential Stuffing&lt;/h3&gt;
&lt;p&gt;Fraudsters use passwords stolen in data breaches to break into accounts. Once inside, they change phone numbers to ones they control and trigger verification messages. This makes fraud appear to come from real users.&lt;/p&gt;
&lt;p&gt;Peakhour's breach database detection identifies when stolen credentials are used to access accounts. The system flags these attempts before phone numbers can be changed, stopping the attack chain.&lt;/p&gt;
&lt;h3&gt;Residential Proxy Networks&lt;/h3&gt;
&lt;p&gt;Unlike data centre proxies that security systems can often spot, &lt;a href="/products/residential-proxy-detection/"&gt;residential proxies&lt;/a&gt; hide attack traffic behind home internet connections. This makes fraud look like it comes from regular users in different locations.&lt;/p&gt;
&lt;p&gt;Peakhour specialises in residential proxy detection. Its technology identifies these masked connections and blocks them before verification requests can pass through. The system maps known proxy networks and detects signs of traffic passing through residential IPs.&lt;/p&gt;
&lt;p&gt;When combined with device fingerprinting, these protections create a stronger defence. Fingerprinting tracks device characteristics that remain consistent even when attackers change IP addresses or accounts. Peakhour's fingerprinting technology works without cookies, making it effective against attackers who clear browser data.&lt;/p&gt;
&lt;p&gt;These methods focus on the techniques fraudsters use to hide their identity. With Peakhour's protection, businesses can detect and block these attacks before they trigger costly SMS verification messages.&lt;/p&gt;
&lt;h2&gt;&lt;strong&gt;Historical Incidents&lt;/strong&gt;&lt;/h2&gt;
&lt;p&gt;Reported SMS pumping incidents show how quickly costs can build:&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Twitter's $60 Million Loss&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;In January 2023, Twitter owner Elon Musk said the platform lost more than $60 million to SMS pumping fraud. He named over 390 phone companies that took part in the scheme. While Twitter later questioned some claims, the case brought public attention to this type of fraud.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Industry-Wide Financial Impact&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;The Communications Fraud Control Association reports that SMS pumping caused global losses of $6.7 billion in 2021. Many companies do not share their fraud losses with the public.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Costs to Individual Businesses&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;Companies hit by these attacks pay between tens of thousands and millions of dollars each month in fake charges. These costs grow fast because each fake message costs much more than normal text rates.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Verification Policy Changes&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;Because of these threats, many large platforms have moved away from SMS codes. Twitter removed SMS verification for most users in March 2023, stating fraud as the reason.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Operational Disruptions&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;Beyond the cost of messages, businesses can face service problems during attacks. Real users may not get their codes on time. This can cause users to abandon transactions, contact support more often, and lose confidence in the company.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Rules and Enforcement&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;Rules to stop these attacks differ around the world. Some telecoms authorities have strict rules and fines for networks that allow fraud, but enforcement remains hard. Fraudsters use complex message routes that cross many countries to avoid getting caught.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Understanding the Stakeholders&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;SMS pumping involves these key groups:&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Businesses&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;Companies use SMS to check user identity and send updates. They hire SMS gateway providers to handle their messages. When fraud happens, these businesses pay for the fake messages. Most find out about the attack only when they receive an unexpected bill.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;SMS Gateway Providers&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;Companies like Twilio and MessageBird connect businesses to phone carriers. They give businesses tools to send text messages without working with phone networks directly. When fraud passes through their systems, these providers may try to stop it, but still charge businesses for the messages sent.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Mobile Network Operators (MNOs)&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;These companies run the networks that deliver messages to phones. Most work honestly, but SMS pumping schemes often include corrupt operators who charge extra fees for messages to numbers they control. These operators then split the money with the attackers who started the fraud.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Content Aggregators&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;These middlemen combine message traffic and work with many carriers to find the best routes. Most run honest operations, but their position in the message chain creates routing and oversight gaps that attackers can use.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Regulatory Bodies&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;Groups like the GSM Association create rules and standards for the industry. These rules are hard to enforce because phone networks cross many countries with different laws.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Financial Flow&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;The payment flow starts when businesses pay gateway providers to send messages. The gateway providers then pay fees to network operators based on where messages go. In fraud schemes, inflated fees go to corrupt operators who share the money with attackers. This creates a system where sending more fake messages makes more money for criminals while costing honest businesses more.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Effective Protection Strategies&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;Protecting your organisation usually requires several controls:&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Basic Protections&lt;/strong&gt;&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;&lt;strong&gt;Rate Limits&lt;/strong&gt;: Restrict how many verification attempts a user can make in a set time period.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Traffic Pattern Checks&lt;/strong&gt;: Track normal SMS message patterns and watch for changes that might indicate attacks.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Provider Protection&lt;/strong&gt;: Services like &lt;a href="https://prelude.so/"&gt;Prelude's SMS Pumping Protection&lt;/a&gt; find and block messages to fake numbers.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Other Ways to Verify Users&lt;/strong&gt;: Use app-based verification or push alerts instead of SMS codes.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Control by Country&lt;/strong&gt;: Limit SMS verification to countries where you do business and add more checks for countries with higher fraud risk.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Work with Trusted Partners&lt;/strong&gt;: Choose SMS service providers that focus on security and can help stop fraud quickly.&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;&lt;strong&gt;Advanced Protection Methods&lt;/strong&gt;&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;&lt;strong&gt;Residential Proxy Detection&lt;/strong&gt;: Find and block users who hide their true location behind home networks used as proxies.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Device Fingerprinting&lt;/strong&gt;: Collect device signals to track users across sessions and spot when many verification requests come from the same device.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;User Behaviour Tracking&lt;/strong&gt;: Learn how real users act on your site and flag unusual actions that might be bots.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Machine Learning Systems&lt;/strong&gt;: Use systems that learn from data to find hidden fraud patterns and adapt to new attack types.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Phone Number Checks&lt;/strong&gt;: Use lists of known bad numbers to decide which phone numbers need more verification steps.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Verify in Multiple Ways&lt;/strong&gt;: Ask users to prove who they are in different ways, such as email plus SMS, to make attacks harder.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Work with Other Companies&lt;/strong&gt;: Share information about new attack methods and bad phone numbers with other businesses.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Watch Transactions as They Happen&lt;/strong&gt;: Use systems that can pause message sending when they spot unusual patterns and learn from both legitimate and abusive traffic.&lt;/li&gt;
&lt;/ol&gt;
&lt;h2&gt;&lt;strong&gt;Fighting SMS Pumping Fraud&lt;/strong&gt;&lt;/h2&gt;
&lt;p&gt;SMS pumping fraud costs businesses $6.7 billion worldwide each year. Companies like Twitter lost $60 million to these attacks, showing that scale alone does not remove the risk.&lt;/p&gt;
&lt;p&gt;SMS pumping works through a network of fraudsters, network operators, and service providers who exploit the payment system for text messages. Fraudsters target authentication systems to generate large volumes of SMS, then collect revenue shares from the process.&lt;/p&gt;
&lt;p&gt;Peakhour and &lt;a href="https://prelude.so/"&gt;Prelude&lt;/a&gt; offer combined protection against these threats. Peakhour provides device fingerprinting to identify suspicious devices attempting verification. Its residential proxy detection stops fraudsters who hide behind legitimate IP addresses. These tools block attackers before they access verification systems.&lt;/p&gt;
&lt;p&gt;Prelude complements this protection with their &lt;a href="https://docs.prelude.so/guides/prevent-fraud"&gt;multi-routing SMS verification platform&lt;/a&gt;. Its system uses real-time fraud detection across five messaging channels in 230 countries. When Prelude detects a potential attack, it automatically redirects traffic through secure routes.&lt;/p&gt;
&lt;p&gt;Businesses need to understand the SMS delivery chain to protect themselves. Gateway providers, network operators, and content aggregators each introduce possible points of exploitation.&lt;/p&gt;
&lt;p&gt;Prevention requires multiple security layers:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Rate limiting to restrict message volume&lt;/li&gt;
&lt;li&gt;Device fingerprinting to track suspicious patterns&lt;/li&gt;
&lt;li&gt;Residential proxy detection to unmask hidden attackers&lt;/li&gt;
&lt;li&gt;Behavioural analytics to spot unusual activity&lt;/li&gt;
&lt;li&gt;Machine learning to adapt to new attack methods&lt;/li&gt;
&lt;li&gt;Continuous learning based on real user interactions&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;The continuous learning systems from both Peakhour and Prelude build protection that improves with each user interaction. Their platforms analyse legitimate traffic patterns to differentiate them from attacks, helping protection adapt over time.&lt;/p&gt;
&lt;p&gt;While SMS verification remains common, Peakhour and Prelude help businesses implement more secure authentication methods. Together, they provide protection that adapts to evolving threats and reduces the cost of fraudulent verification traffic.&lt;/p&gt;
&lt;p&gt;&lt;em&gt;See how Peakhour's Application Security Platform helps protect against SMS pumping and other automated threats. &lt;a href="/contact-sales/"&gt;Contact our team&lt;/a&gt; to secure your applications.&lt;/em&gt;&lt;/p&gt;</content><category term="Fraud"></category><category term="Fraud Prevention"></category><category term="Account Protection"></category><category term="Residential Proxies"></category><category term="Credential Stuffing"></category><category term="Bot Management"></category><category term="DDoS"></category></entry><entry><title>Preventing Enumeration Attacks</title><link href="https://www.peakhour.io/blog/preventing-enumeration-attacks-visa-roadmap/" rel="alternate"></link><published>2025-01-24T00:00:00+11:00</published><updated>2025-01-24T00:00:00+11:00</updated><author><name>AC</name></author><id>tag:www.peakhour.io,2025-01-24:/blog/preventing-enumeration-attacks-visa-roadmap/</id><summary type="html">&lt;p&gt;An analysis of how Peakhour's solutions help prevent enumeration attacks, aligning with Visa's Security Roadmap 2025-2028 priorities.&lt;/p&gt;</summary><content type="html">&lt;p&gt;After our &lt;a href="/blog/visa-security-roadmap-2025-overview/"&gt;overview of Visa's Security Roadmap 2025-2028&lt;/a&gt;, this article looks at the first focus area: preventing enumeration attacks. Visa reports a 40% increase in enumeration attacks in the first six months of 2023 compared with the previous period, and more than US$1.1 billion in global fraud losses from these attacks over the year to 30 September 2023.&lt;/p&gt;
&lt;p&gt;Visa defines enumeration and account testing as criminal practices where fraudsters use automation to test and guess payment credentials, which can then be used for fraudulent transactions. In card-testing campaigns, attackers send large numbers of low-value authorisation attempts to validate a primary account number, expiry date, or CVV2. They tend to target online merchants with weaker fraud controls because the merchant site becomes the testing ground while issuers, acquirers, and cardholders absorb the downstream damage.&lt;/p&gt;
&lt;p&gt;The volume share can look small. Visa notes that these attacks contribute to less than 1% of global card-not-present volume. That can make the risk easy to underweight until the business sees the operating cost: processor scrutiny, chargeback pressure, support load, infrastructure spikes, blocked genuine customers, and fraud teams trying to reconstruct what happened after the card data has already been validated somewhere else.&lt;/p&gt;
&lt;h2&gt;The Risk Is Operational Before It Is Regulatory&lt;/h2&gt;
&lt;p&gt;Enumeration is not only a payment fraud pattern. It is a production traffic problem. The attack arrives as normal-looking checkout or payment API requests, often distributed across many IPs, accounts, devices, cards, and merchants. If the only defence is a fixed IP threshold, the attacker can slow down, rotate infrastructure, or push attempts through residential proxy networks that look closer to consumer traffic.&lt;/p&gt;
&lt;p&gt;That is why Visa's roadmap points to authentication controls, anomaly detection, real-time monitoring, velocity thresholds, CVV2 for unsecure transactions, and retries with different values as indicators of account testing behaviour. The common thread is evidence. Teams need to see the pattern across attempts, not just one failed authorisation at a time.&lt;/p&gt;
&lt;p&gt;For merchants and acquirers, the first decision is scope. Which routes can submit payment credentials? Which APIs can create checkout sessions, payment intents, or tokenisation requests? Which responses tell an attacker whether the credential is likely valid? Which logs show retries with changed values? Which controls can act before the traffic reaches the processor?&lt;/p&gt;
&lt;h2&gt;VAMP Raises the Need for Cleaner Evidence&lt;/h2&gt;
&lt;p&gt;Visa's updated Visa Acquirer Monitoring Program (VAMP) is effective 1 April 2025. In the roadmap, Visa says VAMP brings more aligned fraud thresholds for domestic and cross-border card-not-present transactions and incorporates new enumeration criteria based on the number of enumerated authorisation transactions and the enumeration rate identified by the VAAI Score.&lt;/p&gt;
&lt;p&gt;That does not mean every merchant needs the same control design. It does mean acquirers and merchants need better visibility into whether a burst of payment activity is genuine demand, a broken integration, friendly fraud, or enumeration. When traffic is distributed, the evidence needs to include more than source IP. Useful signals include route, account state, card-attempt cadence, response codes, device or browser consistency, proxy likelihood, country and ASN changes, header and TLS patterns, and whether retries are changing only the values an attacker is trying to validate.&lt;/p&gt;
&lt;p&gt;Peakhour's role is at the web and API edge. &lt;a href="/products/bot-management/"&gt;Bot Management&lt;/a&gt;, &lt;a href="/products/advanced-rate-limiting/"&gt;Advanced Rate Limiting&lt;/a&gt;, &lt;a href="/products/residential-proxy-detection/"&gt;Residential Proxy Detection&lt;/a&gt;, WAF, and log forwarding can help teams detect automated payment attempts, slow or block abusive routes, identify proxy-backed traffic, and retain decision evidence. Those controls support a payment security program; they do not determine VAMP standing, replace acquirer guidance, or provide legal advice.&lt;/p&gt;
&lt;h2&gt;Rate Limits Need to Follow the Attack Shape&lt;/h2&gt;
&lt;p&gt;Simple rate limits still help, but card testing rarely follows one neat source. A useful rate limit strategy looks at multiple keys: route, payment action, account, session, token, card fingerprint where appropriate, device signal, IP, ASN, country, response result, and time window. The limits should also distinguish between customer actions. A checkout page, card add route, refund path, gift card purchase, and payment authorisation API should not all share one generic threshold.&lt;/p&gt;
&lt;p&gt;Teams also need to decide what the control does. Some traffic should be blocked. Some should be slowed. Some should be challenged before payment. Some should be logged and reviewed because false positives would create more harm than the risk being reduced. The right action depends on business context, fraud exposure, customer value, and the confidence of the signals.&lt;/p&gt;
&lt;p&gt;Residential proxy abuse is a good example. A residential IP does not prove fraud. Many genuine users sit behind shared or mobile networks. But residential proxy use combined with high-cardinality card attempts, changed CVV2 values, first-seen devices, failed authorisations, and unusual checkout cadence is a stronger signal. The value is correlation, not a single magic indicator.&lt;/p&gt;
&lt;h2&gt;A Practical Review Path&lt;/h2&gt;
&lt;p&gt;Teams preparing for enumeration risk should start with the payment routes rather than with a vendor checklist.&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;Map every route that can create, submit, modify, or retry a payment attempt.&lt;/li&gt;
&lt;li&gt;Review response messages and status codes for accidental validation clues.&lt;/li&gt;
&lt;li&gt;Check whether logs can show velocity, retries with changed values, and route-level concentration without storing sensitive card data.&lt;/li&gt;
&lt;li&gt;Apply route-aware rate limits and bot controls before processor calls where possible.&lt;/li&gt;
&lt;li&gt;Add proxy, device, session, and behaviour signals to separate normal checkout friction from testing behaviour.&lt;/li&gt;
&lt;li&gt;Keep evidence of policy version, action, route, and signal set so fraud and compliance teams can review outcomes.&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;The caution is important: do not turn payment logging into a second store of cardholder data. Enumeration defence needs enough evidence to detect and investigate abuse, but PCI DSS and privacy expectations still require careful handling of cardholder data, tokens, logs, and support exports.&lt;/p&gt;
&lt;h2&gt;What This Means for Peakhour Customers&lt;/h2&gt;
&lt;p&gt;Enumeration prevention is not a single feature. It is a control path around payment routes: classify the request, evaluate the signals, act proportionately, and keep evidence. Peakhour can help by applying those decisions at the edge before abusive traffic reaches the origin or payment integration.&lt;/p&gt;
&lt;p&gt;The business value is not only fewer bad requests. It is cleaner payment telemetry, faster fraud review, fewer avoidable processor calls, and a better basis for conversations with acquirers when suspicious activity appears. Visa's roadmap makes that direction clear: payment security is moving toward data-driven, evidence-backed controls that can recognise automation abuse without blocking genuine customers by default.&lt;/p&gt;</content><category term="Security"></category><category term="Account Protection"></category><category term="Credential Stuffing"></category><category term="PCI DSS"></category><category term="API Security"></category><category term="Fraud Prevention"></category><category term="Threat Detection"></category></entry><entry><title>Visa's Security Roadmap 2025-2028</title><link href="https://www.peakhour.io/blog/visa-security-roadmap-2025-overview/" rel="alternate"></link><published>2025-01-21T00:00:00+11:00</published><updated>2025-01-21T00:00:00+11:00</updated><author><name>AC</name></author><id>tag:www.peakhour.io,2025-01-21:/blog/visa-security-roadmap-2025-overview/</id><summary type="html">&lt;p&gt;An analysis of Visa's Security Roadmap 2025-2028 and how Peakhour's solutions help Australian businesses meet these security objectives.&lt;/p&gt;</summary><content type="html">&lt;p&gt;Visa's Security Roadmap 2025-2028 for Australia is not just a payments strategy document. It is a signal about where fraud, application security, authentication, and compliance work are converging for merchants, acquirers, issuers, gateways, and service providers.&lt;/p&gt;
&lt;p&gt;The timing matters. Visa's roadmap cites Australian card fraud rising 32% to A$762 million in 2023, with unauthorised card-not-present fraud increasing 33% to A$688 million. Scam losses reached A$2.7 billion in 2023, and reported data breaches increased 19% in the second half of 2023 compared with the first half. The pressure is not coming from one direction. Payment teams are dealing with automation abuse, social engineering, compromised credentials, weak merchant onboarding, third-party exposure, and new payment experiences at the same time.&lt;/p&gt;
&lt;p&gt;Visa groups its roadmap into six focus areas: preventing enumeration attacks, continued investment in secure technologies, data-driven risk, resilience against fraud and scams in the era of AI, stronger cyber security posture, and secure digital payment experiences. For Australian businesses, the more useful way to read it is as a set of operational themes.&lt;/p&gt;
&lt;h2&gt;Automation Abuse Has Become a Payment Control Issue&lt;/h2&gt;
&lt;p&gt;Enumeration attacks sit first in the roadmap for a reason. Visa defines enumeration and account testing as automation used to test and guess payment credentials that can later be used in fraudulent transactions. The attacks often appear as high-speed card testing against online merchants, with low-value attempts used to validate PAN, expiry, or CVV2 combinations.&lt;/p&gt;
&lt;p&gt;Visa reports a 40% increase in enumeration attacks in the first six months of 2023 compared with the previous period, and more than US$1.1 billion in global fraud losses from enumeration attacks over the year to 30 September 2023. The updated Visa Acquirer Monitoring Program (VAMP), effective 1 April 2025, adds enumeration criteria alongside broader fraud and dispute monitoring.&lt;/p&gt;
&lt;p&gt;The implication is practical: merchants and acquirers need route-level evidence, anomaly monitoring, velocity controls, and a way to identify distributed automation before it becomes payment fraud. IP-only controls are weak when attacks use residential proxies, first-seen devices, and slow distributed attempts. Peakhour's bot management, residential proxy detection, advanced rate limiting, and edge logging can help support that evidence path, but the business still needs payment-flow ownership and acquirer alignment.&lt;/p&gt;
&lt;h2&gt;Authentication and Tokenisation Are Moving Together&lt;/h2&gt;
&lt;p&gt;Visa's secure technology theme is not simply "add more authentication." The roadmap ties tokenisation, EMV 3DS, biometric or in-app authentication, passkeys, and Click to Pay into the same customer and fraud problem: protect credentials while reducing unnecessary friction.&lt;/p&gt;
&lt;p&gt;Tokenisation reduces the value of exposed card data by replacing a card number with a token. Visa notes that the Visa Token Service has passed one billion tokens in Asia Pacific and that merchants adopting VTS for digital payments saw payment fraud rates reduced by more than half in the cited Asia Pacific analysis. But the roadmap also flags token provisioning fraud, where bad actors illegitimately provision tokens and then monetise them quickly.&lt;/p&gt;
&lt;p&gt;That is why authentication quality matters. Visa says issuers are being mandated to move away from SMS OTP as the sole authentication factor by 2026, toward methods such as biometric, in-app, app-to-app, or passkey-based authentication. For merchants, updated Visa Secure minimum data requirements push more complete authentication data into the decision process.&lt;/p&gt;
&lt;p&gt;For application teams, the lesson is that checkout security is not a single login prompt. It includes account creation, saved-card use, card add, token provisioning, checkout, refund, and support paths. A risk-based challenge should appear where the action justifies it, not everywhere by default.&lt;/p&gt;
&lt;h2&gt;Risk Decisions Need Better Data, Not Just More Data&lt;/h2&gt;
&lt;p&gt;The roadmap's data-driven risk theme is about using available payment and authentication data to reduce fraud and false positives. Visa points to EMV 3DS data elements, Visa Secure requirements, risk-based authentication, and issuer decisioning as examples of how better data quality can change outcomes.&lt;/p&gt;
&lt;p&gt;More data is not automatically better. It has to be accurate, relevant, protected, and available at the moment of decision. A fraud team may need account history, device consistency, proxy likelihood, card-attempt cadence, transaction context, and previous response outcomes. A compliance team may need to know why that data is collected, where it is retained, and who can query it.&lt;/p&gt;
&lt;p&gt;This is where contextual security becomes useful. Peakhour's &lt;a href="/solutions/use-case/contextual-security/"&gt;Contextual Security&lt;/a&gt; approach combines request, route, account, network, device, and behaviour signals so teams can allow, challenge, rate limit, block, or log based on risk. The control is strongest when the decision record stays attached to the event: signal set, policy version, action, and outcome.&lt;/p&gt;
&lt;h2&gt;AI Raises Scam and Fraud Pressure, But It Is Also Part of Detection&lt;/h2&gt;
&lt;p&gt;Visa frames AI in both directions. Generative AI lowers the barrier for phishing, social engineering, deepfakes, and personalised scam content. At the same time, Visa points to its long history using AI and machine learning in payment fraud detection, including around 150 AI and machine learning models in production.&lt;/p&gt;
&lt;p&gt;For businesses outside the payment network, the message is not "buy AI." It is to prepare for more scalable deception and faster abuse cycles. Fraud controls need to watch for account creation abuse, credential stuffing, payment testing, suspicious onboarding, transaction anomalies, and customer manipulation signals. Human review still matters because authorised scams can look different from unauthorised account compromise.&lt;/p&gt;
&lt;p&gt;Peakhour's role is strongest around the request and account edge: identifying automation, proxy-backed traffic, route abuse, credential risk, and abnormal behaviour before fraud reaches sensitive application paths. Those signals can feed fraud review and incident response, but they should be used with privacy, false-positive, and customer-impact controls.&lt;/p&gt;
&lt;h2&gt;Cyber Posture Is Now Part of Payment Ecosystem Resilience&lt;/h2&gt;
&lt;p&gt;Visa's fifth theme connects payment fraud to cyber security posture. PCI DSS remains mandatory for entities storing, processing, or transmitting Visa cardholder data. Visa also highlights third-party agent (TPA) registration, its Account Information Security program, third-party service provider risk, breach trends, and preparation for broader AES support by 2030.&lt;/p&gt;
&lt;p&gt;For Australian businesses, this is a reminder that payment risk is not limited to the payment processor. A breach of a CMS account, a third-party script, a weak checkout plugin, a vulnerable API, a compromised support tool, or an unmanaged service provider can affect the payment environment. PCI scope and third-party oversight need to include the systems that can change or observe checkout, not only systems that store card numbers.&lt;/p&gt;
&lt;p&gt;Peakhour can help with application-layer controls around WAF, API protection, bot management, rate limiting, DDoS mitigation, and log forwarding. Those controls can support evidence for payment security and cyber posture. They do not replace PCI DSS validation, TPA obligations, acquirer requirements, or legal review.&lt;/p&gt;
&lt;h2&gt;New Payment Experiences Need Security Built Into the Flow&lt;/h2&gt;
&lt;p&gt;Visa's final theme covers digital payment experiences such as Click to Pay, passkeys, Flex Credential, and Tap to Everything. These changes are about reducing manual card entry, password dependence, and fragmented checkout experiences while preserving cardholder verification and transaction security.&lt;/p&gt;
&lt;p&gt;The security work for merchants is to keep pace with those flows. New payment methods bring new integration paths, data elements, redirects, APIs, support workflows, and customer education needs. The right question is not only "does the new payment method work?" It is "which systems can affect it, what data is passed, how is the customer verified, what fraud signals are available, and what evidence remains after a dispute or incident?"&lt;/p&gt;
&lt;h2&gt;What Businesses Should Do Next&lt;/h2&gt;
&lt;p&gt;Read the roadmap as an operating agenda. Map payment and account routes. Identify where automation can test credentials or cards. Review SMS OTP dependence. Check whether tokenisation and 3DS data are being used well. Validate which vendors affect checkout and payment security. Confirm that logs can support fraud review without capturing sensitive card data. Tune rate limits and bot controls by route, not only by IP.&lt;/p&gt;
&lt;p&gt;The next few years of payment security will reward teams that can make proportionate, evidence-backed decisions. That is the thread running through Visa's roadmap and through Peakhour's edge security work: see the request in context, choose the right action, and keep enough evidence for fraud, security, and compliance teams to explain what happened.&lt;/p&gt;</content><category term="Fraud"></category><category term="PCI DSS"></category><category term="Account Protection"></category><category term="Credential Stuffing"></category><category term="Fraud Prevention"></category><category term="Magento"></category><category term="Application Security"></category></entry><entry><title>How Bots Are Corrupting Your A/B Testing Data</title><link href="https://www.peakhour.io/blog/bot-impact-ab-testing/" rel="alternate"></link><published>2025-01-20T00:00:00+11:00</published><updated>2025-01-20T00:00:00+11:00</updated><author><name>AC</name></author><id>tag:www.peakhour.io,2025-01-20:/blog/bot-impact-ab-testing/</id><summary type="html">&lt;p&gt;Understand the impact of bot traffic on A/B testing results and learn how to protect your optimization efforts&lt;/p&gt;</summary><content type="html">&lt;p&gt;Bot traffic contaminates A/B testing results and can undermine marketing strategy.
Your testing programme is exposed when &lt;a href="/learning/security/residential-proxy/"&gt;residential proxy&lt;/a&gt; networks generate fake
interactions (e.g. click fraud) that appear to come from your target market.&lt;/p&gt;
&lt;p&gt;These &lt;a href="/products/residential-proxy-detection/"&gt;residential proxies&lt;/a&gt; hide behind real household internet connections in the targeted geographic areas. When a
bot network routes traffic through Sydney IP addresses to masquerade as real Australians, your analytics
counts that traffic as legitimate local engagement. Because the traffic matches your demographic
and geographic targeting profile, traditional detection methods become less effective.&lt;/p&gt;
&lt;p&gt;This contamination affects the accuracy of the marketing strategy. Your A/B tests should show clear winners, but the
results are masked by bot behaviour rather than real user preferences. Marketing teams then optimise campaigns
from false signals, wasting budget and time on the wrong opportunities. The data starts driving decisions that harm conversion rates and revenue.&lt;/p&gt;
&lt;p&gt;The scale of the problem continues to grow. Residential proxy services now offer millions of local IPs in every market. They rotate these IPs automatically and match real browser characteristics. Without specialised detection such as Peakhour A/B Testing Protection, this traffic can appear identical to genuine users in your analytics.&lt;/p&gt;
&lt;p&gt;Each day without detection compounds the damage. Tests generate misleading data that guides strategic decisions. Marketing teams spend hours analysing invalid results and implementing changes that reduce performance. Budget allocated to testing delivers diluted ROI as optimisations based on bot data decrease conversion rates.&lt;/p&gt;
&lt;p&gt;Traditional bot protection fails against this distributed threat. IP-based detection cannot identify residential proxy traffic that matches your target geography. Rate limiting proves ineffective against attacks spread across thousands of residential IPs. These bots evade basic JavaScript challenges through sophisticated browser emulation.&lt;/p&gt;
&lt;p&gt;Peakhour's A/B Testing Protection uses network fingerprinting to detect residential proxy traffic. Our system analyses subtle patterns in how these proxies connect and behave, identifying bot networks that other solutions miss. We maintain a real-time database of residential proxy services to block new threats as they emerge.&lt;/p&gt;
&lt;p&gt;Our customers have discovered that 40% of their test traffic came from bots. After implementing protection, they achieved:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Valid test results reflecting real user preferences&lt;/li&gt;
&lt;li&gt;Increased conversion rates from accurate optimisation&lt;/li&gt;
&lt;li&gt;Reduced waste of marketing team time and resources&lt;/li&gt;
&lt;li&gt;Protection of testing budget from invalid traffic&lt;/li&gt;
&lt;li&gt;Confidence in strategic decisions based on clean data&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;The rise of residential proxies has amplified bot threats to A/B testing. Traffic that appears to come from local users may mask sophisticated bot networks. Protecting your testing programme requires detection that goes beyond IP addresses and basic challenges. Contact us to learn how Peakhour can help secure your A/B testing data and keep optimisation decisions grounded in real users.&lt;/p&gt;</content><category term="Fraud"></category><category term="Bot Management"></category><category term="Residential Proxies"></category><category term="Fraud Prevention"></category><category term="Credential Stuffing"></category></entry><entry><title>The Hidden Cost of Click Fraud</title><link href="https://www.peakhour.io/blog/protecting-against-click-fraud/" rel="alternate"></link><published>2025-01-14T13:00:00+11:00</published><updated>2025-01-14T13:00:00+11:00</updated><author><name>Dan</name></author><id>tag:www.peakhour.io,2025-01-14:/blog/protecting-against-click-fraud/</id><summary type="html">&lt;p&gt;Click fraud drains marketing budgets and corrupts campaign data. Learn how bots and residential proxies impact your ad spend and marketing strategy.&lt;/p&gt;</summary><content type="html">&lt;p&gt;Marketing organisations are losing money to automated clicks and fake impressions. These attacks drain advertising budgets and corrupt the data CMOs rely on for strategic decisions. The lost money cannot be recovered, but understanding the scale and mechanics of &lt;a href="/learning/click-fraud/how-to-identify-click-fraud/"&gt;click fraud&lt;/a&gt; helps marketing teams protect future investment and optimise campaigns.&lt;/p&gt;
&lt;h2&gt;The Scale of Click Fraud&lt;/h2&gt;
&lt;p&gt;Click fraud now consumes 40% of digital advertising budgets through fake clicks and impressions that never reach real customers. It affects every digital marketing channel, from pay-per-click and display advertising to social media campaigns, retargeting, and video advertising. The damage goes beyond direct financial loss, because it also corrupts the metrics teams use for decision-making.&lt;/p&gt;
&lt;p&gt;Our research on bot traffic shows the percentage of fraudulent clicks continues to rise each quarter. Marketing teams that ignore this threat base their strategies on flawed data, which leads to misallocated resources and weaker campaign performance.&lt;/p&gt;
&lt;h2&gt;How Bots Generate Fake Clicks&lt;/h2&gt;
&lt;p&gt;Automated bots generate clicks and impressions at scale across digital advertising platforms. These programs target competitor advertisements to drain marketing budgets through fake clicks. They create artificial impressions that inflate metrics and send false engagement signals. Bots also manipulate bidding algorithms and skew attribution data, leading to misallocated advertising resources.&lt;/p&gt;
&lt;p&gt;Modern bots use more advanced techniques to evade standard security controls. They mimic human behaviour patterns and rotate through different IP addresses to avoid detection and blocking.&lt;/p&gt;
&lt;h2&gt;The Residential Proxy Challenge&lt;/h2&gt;
&lt;p&gt;&lt;a href="/blog/residential-proxies-unseen-challenges/"&gt;Residential proxies&lt;/a&gt; create a significant obstacle for click fraud detection systems. These proxy services route bot traffic through IP addresses assigned to real consumers' homes and devices, making fraudulent traffic look legitimate to traditional anti-bot tools.&lt;/p&gt;
&lt;p&gt;Residential &lt;a href="/products/residential-proxy-detection/"&gt;proxy networks&lt;/a&gt; build their IP pools through multiple channels. They partner with consumer VPN services, distribute browser extensions, embed code in mobile applications, and in some cases exploit compromised devices. This mix gives proxy operators access to millions of residential IP addresses.&lt;/p&gt;
&lt;p&gt;Traditional IP reputation services fail to identify this proxy traffic. Our research demonstrates these services &lt;a href="/blog/anti-fraud-residential-proxy-detection/"&gt;miss up to 96% of residential proxy traffic&lt;/a&gt;, leaving advertising campaigns exposed to fraud through these channels.&lt;/p&gt;
&lt;h2&gt;Impact on Marketing Strategy&lt;/h2&gt;
&lt;p&gt;Click fraud undermines three core areas of marketing decision-making. First, it distorts campaign performance metrics through false click-through rates and inflated impression counts. The fraud creates skewed conversion data and engagement metrics that mask true campaign performance.&lt;/p&gt;
&lt;p&gt;In budget allocation, click fraud wastes marketing spend on non-existent users while reducing campaign ROI. Artificially inflated acquisition costs lead marketing teams to misallocate resources across channels and campaigns.&lt;/p&gt;
&lt;p&gt;Strategic planning suffers when data is contaminated across multiple dimensions. A/B testing results become invalid when bots generate fake interactions. Geographic and demographic data lose accuracy due to proxy traffic. Competitive intelligence becomes unreliable as bot activity masks true market dynamics.&lt;/p&gt;
&lt;p&gt;Marketing teams that base decisions on corrupted data take on significant risk. Their optimisation efforts target bot behaviour instead of real users. Campaign budgets flow to channels dominated by fraud. Strategic initiatives fail because decisions are based on artificial metrics rather than genuine customer behaviour.&lt;/p&gt;
&lt;h2&gt;Protecting Your Marketing Investment&lt;/h2&gt;
&lt;p&gt;Lost money from click fraud cannot be recovered, so marketing teams need protection measures for future investment. Detection forms the first line of defence through continuous monitoring of traffic patterns and IP reputation analysis. Teams track user behaviour to identify suspicious patterns that indicate fraud.&lt;/p&gt;
&lt;p&gt;Prevention requires a multi-layered security approach. Marketing teams need systems that block known bot networks and detect residential proxies attempting to generate fake clicks. These controls validate real user traffic and filter out fraudulent clicks before they affect campaigns.&lt;/p&gt;
&lt;p&gt;Campaign optimisation becomes more useful once fraud protection is in place. Teams can adjust targeting parameters based on genuine user data and reallocate budgets to channels with verified traffic. This supports updates to bidding strategies and refinement of audience segments based on real engagement.&lt;/p&gt;
&lt;p&gt;Our Ad Fraud Protection solution protects marketing investment by blocking bot traffic, detecting residential proxies, and validating real users. This helps ensure ad spend reaches genuine customers rather than fraudulent clicks.&lt;/p&gt;
&lt;h2&gt;Making Informed Decisions&lt;/h2&gt;
&lt;p&gt;Understanding click fraud changes how marketing teams analyse data and plan campaigns. Data analysis starts with identifying corrupted metrics in campaign reports. Teams must filter bot traffic from their analytics to measure real user engagement. This enables tracking of true campaign performance based on human interactions.&lt;/p&gt;
&lt;p&gt;Budget planning improves once teams understand the scale of click fraud. Marketing teams can allocate resources to channels with verified human traffic. This focus on real users optimises campaign spend and improves return on investment across marketing initiatives.&lt;/p&gt;
&lt;p&gt;Strategy development depends on clean, accurate data. Teams make decisions based on genuine user behaviour rather than bot interactions. Campaign planning targets real audience segments with messages that resonate. Performance measurement reflects actual results rather than artificial engagement.&lt;/p&gt;
&lt;h2&gt;Taking Action&lt;/h2&gt;
&lt;p&gt;Marketing teams need protection measures across three key areas to secure their investments. First, bot protection forms the foundation through deployment of bot management systems. These systems block automated traffic while validating real users and monitoring for suspicious patterns.&lt;/p&gt;
&lt;p&gt;The second protection layer focuses on &lt;a href="/blog/residential-proxies-unseen-challenges/"&gt;residential proxy detection&lt;/a&gt;. Teams implement proxy detection to identify and block proxy networks. This helps ensure traffic comes from real IP addresses and prevents fraud through residential proxies.&lt;/p&gt;
&lt;p&gt;The third component centres on protecting ad spend through traffic monitoring. Teams implement systems to block fraudulent clicks and validate impressions. This enables tracking of real engagement from genuine users.&lt;/p&gt;
&lt;p&gt;Our &lt;a href="/solutions/use-case/traffic-control/"&gt;Traffic Control solution&lt;/a&gt; combines these protection measures to help marketing teams secure their investments and base decisions on real user data.&lt;/p&gt;
&lt;h2&gt;Conclusion&lt;/h2&gt;
&lt;p&gt;Click fraud threatens marketing budgets and corrupts campaign data. Lost money cannot be recovered, but understanding and preventing fraud helps marketing teams protect future investment and make better decisions.&lt;/p&gt;</content><category term="Fraud"></category><category term="Fraud Prevention"></category><category term="Bot Management"></category><category term="Credential Stuffing"></category><category term="Residential Proxies"></category><category term="Analytics"></category><category term="Account Protection"></category></entry><entry><title>Residential Proxies - The Growing Threat to Ad Campaigns</title><link href="https://www.peakhour.io/blog/residential-proxy-ad-fraud/" rel="alternate"></link><published>2024-12-30T00:00:00+11:00</published><updated>2024-12-30T00:00:00+11:00</updated><author><name>AC</name></author><id>tag:www.peakhour.io,2024-12-30:/blog/residential-proxy-ad-fraud/</id><summary type="html">&lt;p&gt;Learn how distributed bot networks using residential IPs are evolving to evade traditional fraud detection&lt;/p&gt;</summary><content type="html">&lt;p&gt;Digital advertising fraud costs organisations &lt;strong&gt;$42 billion annually&lt;/strong&gt; through fake clicks
and fake impressions. The growth of &lt;a href="/products/residential-proxy-detection/"&gt;residential proxy&lt;/a&gt; networks has changed how this fraud reaches campaigns: bot traffic can now hide behind legitimate residential IP addresses, putting it outside the reach of many traditional checks.&lt;/p&gt;
&lt;h3&gt;Hiding in the crowd&lt;/h3&gt;
&lt;p&gt;Residential proxies make bad traffic harder to separate from real visitors. Unlike data centre IPs that traditional tools can often detect, residential proxies hide behind real households' internet connections. This means the traffic appears to come from genuine users in your target market. When a residential proxy network operates from Sydney suburbs to attack an Australian campaign, &lt;a href="/blog/anti-fraud-residential-proxy-detection/"&gt;existing protection systems&lt;/a&gt; can be fooled into treating it as authentic local traffic.&lt;/p&gt;
&lt;p&gt;The impact extends beyond direct financial losses. Your analytics may show engagement from what appears to be your target demographic, while the activity is bot traffic masquerading as potential customers. This contaminated data can push marketing strategy in the wrong direction and waste retargeting spend. Competitors can also use fake clicks to drain your budget while gathering intelligence on your campaigns.&lt;/p&gt;
&lt;p&gt;Bad data then compounds the spend problem. Once bots are counted as engaged prospects, reporting and optimisation start from the wrong signal. The result is not only wasted media spend, but poorer decisions built on traffic that should never have been treated as customer intent.&lt;/p&gt;
&lt;h3&gt;A growing threat&lt;/h3&gt;
&lt;p&gt;The residential proxy industry continues to expand. Services now offer millions of residential IPs with precise geographic
targeting capabilities. They rotate IPs automatically and match
real browser fingerprints. Without specialised detection methods, the traffic can become indistinguishable from genuine users.&lt;/p&gt;
&lt;p&gt;This is a budget problem, not just a technical one. Each day without protection means 30-40% of your ad budget feeds bot networks
instead of reaching customers. The corrupted analytics drive decisions that compound these losses. As residential
proxy services grow more sophisticated, basic controls fall further behind.&lt;/p&gt;
&lt;p&gt;Traditional IP reputation and rate limiting fail against this distributed threat because the IP addresses are not obviously suspicious. Protection requires advanced network
fingerprinting that looks beyond IP addresses. Peakhour's Ad &lt;a href="/solutions/use-case/protect-ad-spend/"&gt;Fraud Protection&lt;/a&gt; analyses subtle patterns in how
residential proxies connect and behave, and detects the signs of proxy traffic that other solutions miss.&lt;/p&gt;
&lt;h3&gt;Knowledge is power&lt;/h3&gt;
&lt;p&gt;Peakhour integrates this protection with your existing ad platforms to stop fraud before it affects your campaigns.
Our customers have reduced wasted ad spend by 35% while improving campaign performance through cleaner analytics.
The system adapts as threat techniques change, so detection keeps pace with new residential proxy methods.&lt;/p&gt;
&lt;p&gt;Residential proxies have changed ad fraud because traffic that appears local and legitimate may mask sophisticated
bot networks. Protecting your campaigns requires detection that goes beyond IP addresses and treats residential proxy behaviour as its own signal. &lt;a href="/contact-us/"&gt;Contact us&lt;/a&gt; to learn how we can help secure your ad spend against residential proxy networks.&lt;/p&gt;</content><category term="Residential Proxies"></category><category term="Residential Proxies"></category><category term="Bot Management"></category><category term="Threat Detection"></category><category term="Fraud Prevention"></category><category term="Credential Stuffing"></category><category term="DDoS"></category></entry><entry><title>Your Anti-Fraud Residential Proxy Detection Sucks</title><link href="https://www.peakhour.io/blog/anti-fraud-residential-proxy-detection/" rel="alternate"></link><published>2024-10-04T13:00:00+10:00</published><updated>2024-10-04T13:00:00+10:00</updated><author><name>Dan</name></author><id>tag:www.peakhour.io,2024-10-04:/blog/anti-fraud-residential-proxy-detection/</id><summary type="html">&lt;p&gt;Your anti fraud IP Intelligence service is no longer fit for purpose. Learn about the challenges in detecting residential proxies and why traditional methods don't work.&lt;/p&gt;</summary><content type="html">&lt;p&gt;Online fraud is big business: account takeovers, chargebacks, scams, even romance scams. It costs businesses billions of
dollars every year.&lt;/p&gt;
&lt;p&gt;A common way websites fight it is to use an anti-fraud service to calculate the risk of
a transaction. Most teams get this intelligence from a third-party service, either through an API or a plugin.&lt;/p&gt;
&lt;p&gt;For online stores, &lt;a href="/industries/ecommerce/"&gt;ecommerce fraud prevention&lt;/a&gt; has to protect checkout and account flows without punishing real customers.&lt;/p&gt;
&lt;p&gt;One of the major signals these services use is &lt;a href="/products/ip-intelligence/"&gt;IP reputation&lt;/a&gt;. IP reputation tries to answer questions like:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Is the order coming from a datacentre?&lt;/li&gt;
&lt;li&gt;Is it coming from a country other than your target audience?&lt;/li&gt;
&lt;li&gt;Is the IP address a known VPN?&lt;/li&gt;
&lt;li&gt;Is it a known TOR exit node?&lt;/li&gt;
&lt;li&gt;Have lots of fraudulent orders come from this IP address in the past?&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;Until recently, these services gave teams a useful way to calculate fraud risk from an IP address.&lt;/p&gt;
&lt;p&gt;Not anymore.&lt;/p&gt;
&lt;p&gt;Fraud traffic has shifted in recent years, away from VPNs and TOR and toward &lt;a href="/learning/security/datacenter-vs-residential-proxies/"&gt;residential proxies&lt;/a&gt;. These same
anti-fraud services &lt;em&gt;claim&lt;/em&gt; they can detect residential proxies, but what if the services many businesses rely on
are falling well short?&lt;/p&gt;
&lt;p&gt;The results are bad enough that they deserve a blunt look.&lt;/p&gt;
&lt;h2&gt;The Shocking Truth: Our Results&lt;/h2&gt;
&lt;p&gt;We took 25 IP addresses that had just been used as residential proxies in an attack on one of our clients, and
within 5 minutes of detection ran them through some of the most popular IP intelligence services. The results are
not going into anyone's marketing deck.&lt;/p&gt;
&lt;p&gt;Here's a summary of our findings:&lt;/p&gt;
&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Service&lt;/th&gt;
&lt;th&gt;Detected Proxies&lt;/th&gt;
&lt;th&gt;Accuracy&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;Maxmind&lt;/td&gt;
&lt;td&gt;0/25&lt;/td&gt;
&lt;td&gt;0%&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;IP Quality Score&lt;/td&gt;
&lt;td&gt;6/25&lt;/td&gt;
&lt;td&gt;24%&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Seon&lt;/td&gt;
&lt;td&gt;1/25&lt;/td&gt;
&lt;td&gt;4%&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;ProxyCheck.io&lt;/td&gt;
&lt;td&gt;0/25&lt;/td&gt;
&lt;td&gt;0%&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;ip2proxy&lt;/td&gt;
&lt;td&gt;1/25&lt;/td&gt;
&lt;td&gt;4%&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;
&lt;p&gt;The best performer in our test, IP Quality Score, detected only 24% of the proxies. The others ranged from 0% to 4%.&lt;/p&gt;
&lt;h2&gt;Why Your Residential Proxy Detection Service is Failing You&lt;/h2&gt;
&lt;p&gt;So why are these services performing so poorly? To understand it, we need to look at how proxy usage and detection
have changed.&lt;/p&gt;
&lt;h3&gt;The Good Old Days of Proxy Detection&lt;/h3&gt;
&lt;p&gt;In the recent past, detecting proxies was much easier. Fraudsters primarily used:&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;TOR networks&lt;/li&gt;
&lt;li&gt;VPN services&lt;/li&gt;
&lt;li&gt;Data center proxies&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;These were relatively static targets. They were tied to a single, stationary IP, or &lt;a href="/learning/ipaddress-subnets"&gt;IP ranges&lt;/a&gt;.
Listing them in IP block lists was straightforward.&lt;/p&gt;
&lt;h2&gt;The Rise of Residential Proxies: A New Breed of Threat&lt;/h2&gt;
&lt;p&gt;Now we need to talk about residential proxies,
the new go-to tool of fraudsters and scammers. These are not just a new label for old proxies. They behave differently.&lt;/p&gt;
&lt;h3&gt;What Are Residential Proxies?&lt;/h3&gt;
&lt;p&gt;Residential proxies come from IP addresses assigned to real residential services by Internet Service Providers
(ISPs). These can be:&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;Home computers&lt;/li&gt;
&lt;li&gt;Mobile phones&lt;/li&gt;
&lt;li&gt;Tablets&lt;/li&gt;
&lt;li&gt;IoT devices&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;Unlike data center proxies, which use IP addresses from hosting companies, residential proxies use IPs that look just
like any other home or mobile user. They have become the tool for avoiding security controls on websites in the last
2-3 years, and they are causing all sorts of headaches for website owners.&lt;/p&gt;
&lt;h3&gt;How Are Residential Proxy Networks Formed?&lt;/h3&gt;
&lt;p&gt;This is where the problem starts:&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Compromised Devices&lt;/strong&gt;: Malware can turn innocent devices into proxy endpoints without the owner's knowledge.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Incentivised Programs&lt;/strong&gt;: Some companies offer users benefits (like free VPN services) in exchange for using their
   device as a proxy endpoint. Hola VPN and Brightdata are prominent examples.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;APP SDKs&lt;/strong&gt; Quite often, proxy providers will
   incentivise app developers to include their proxy toolkit in their apps. The user is totally unaware that their
   device's internet connection is now being resold.&lt;/p&gt;
&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;So your personal device, be it a computer or phone, could have its internet connection used to carry out a
crime without you knowing. The police could come knocking on &lt;em&gt;YOUR&lt;/em&gt; door one day.&lt;/p&gt;
&lt;h3&gt;Why Are They So Dynamic?&lt;/h3&gt;
&lt;p&gt;Since the proxy is formed by reusing the internet connection of a device, it is inherently much more dynamic than a proxy
formed on a server.&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Device Mobility&lt;/strong&gt;: A mobile phone can connect from home Wi-Fi, then a coffee shop, then a cellular network – all in one day.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;ISP IP Rotation&lt;/strong&gt;: Many ISPs dynamically assign IP addresses, changing them periodically.&lt;/p&gt;
&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;Depending on the type of fraud being carried out, the attacker might also rotate the device being used, popping out of
a different location. Also, due to the way these proxies are formed, i.e. via an app on a computer or phone, that particular
exit point on the proxy network might depend on that app being open.&lt;/p&gt;
&lt;p&gt;This dynamic nature is what makes residential proxies so hard to detect using traditional methods.&lt;/p&gt;
&lt;h3&gt;Shared IPs: The Needle in the Haystack Problem&lt;/h3&gt;
&lt;p&gt;Residential proxy IPs are not just dynamic. They are typically shared. This means that a
single IP address could be used by both legitimate users and proxy traffic:&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;ISP IP Pools&lt;/strong&gt;: Internet Service Providers often use large pools of IPs that are dynamically assigned to users.
   This means that an IP used by a proxy one minute could be assigned to your grandmother's iPad the next.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Carrier-Grade NAT (CGN)&lt;/strong&gt;: Mobile carriers frequently use CGN, which can make hundreds or thousands of users
   appear to come from the same IP address.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Compromised Routers&lt;/strong&gt;: A single compromised home router could serve both the legitimate traffic of the homeowner
   and proxy traffic from the attacker.&lt;/p&gt;
&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;If you simply blocked any IP that shows proxy behavior, you would end up blocking legitimate users too.&lt;/p&gt;
&lt;h2&gt;Why Traditional Methods Are Failing (Revisited)&lt;/h2&gt;
&lt;p&gt;Now that we understand residential proxies better, let's revisit why old-school detection methods are not enough.&lt;/p&gt;
&lt;h3&gt;1. Port Scanning&lt;/h3&gt;
&lt;p&gt;Traditional proxy detection often relies on scanning for open proxy ports. Here's a simple port scanner:&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;&lt;code&gt;&lt;span class="kn"&gt;import&lt;/span&gt; &lt;span class="nn"&gt;socket&lt;/span&gt;

&lt;span class="k"&gt;def&lt;/span&gt; &lt;span class="nf"&gt;port_scan&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;ip&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="n"&gt;port&lt;/span&gt;&lt;span class="p"&gt;):&lt;/span&gt;
    &lt;span class="n"&gt;sock&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="n"&gt;socket&lt;/span&gt;&lt;span class="o"&gt;.&lt;/span&gt;&lt;span class="n"&gt;socket&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;socket&lt;/span&gt;&lt;span class="o"&gt;.&lt;/span&gt;&lt;span class="n"&gt;AF_INET&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="n"&gt;socket&lt;/span&gt;&lt;span class="o"&gt;.&lt;/span&gt;&lt;span class="n"&gt;SOCK_STREAM&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;
    &lt;span class="n"&gt;result&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="n"&gt;sock&lt;/span&gt;&lt;span class="o"&gt;.&lt;/span&gt;&lt;span class="n"&gt;connect_ex&lt;/span&gt;&lt;span class="p"&gt;((&lt;/span&gt;&lt;span class="n"&gt;ip&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="n"&gt;port&lt;/span&gt;&lt;span class="p"&gt;))&lt;/span&gt;
    &lt;span class="n"&gt;sock&lt;/span&gt;&lt;span class="o"&gt;.&lt;/span&gt;&lt;span class="n"&gt;close&lt;/span&gt;&lt;span class="p"&gt;()&lt;/span&gt;
    &lt;span class="k"&gt;return&lt;/span&gt; &lt;span class="n"&gt;result&lt;/span&gt; &lt;span class="o"&gt;==&lt;/span&gt; &lt;span class="mi"&gt;0&lt;/span&gt;

&lt;span class="c1"&gt;# Example usage&lt;/span&gt;
&lt;span class="n"&gt;ip&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="s2"&gt;&amp;quot;123.45.67.89&amp;quot;&lt;/span&gt;
&lt;span class="n"&gt;proxy_ports&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="p"&gt;[&lt;/span&gt;&lt;span class="mi"&gt;80&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="mi"&gt;8080&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="mi"&gt;3128&lt;/span&gt;&lt;span class="p"&gt;]&lt;/span&gt;  &lt;span class="c1"&gt;# Common proxy ports&lt;/span&gt;

&lt;span class="k"&gt;for&lt;/span&gt; &lt;span class="n"&gt;port&lt;/span&gt; &lt;span class="ow"&gt;in&lt;/span&gt; &lt;span class="n"&gt;proxy_ports&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;
    &lt;span class="k"&gt;if&lt;/span&gt; &lt;span class="n"&gt;port_scan&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;ip&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="n"&gt;port&lt;/span&gt;&lt;span class="p"&gt;):&lt;/span&gt;
        &lt;span class="nb"&gt;print&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="sa"&gt;f&lt;/span&gt;&lt;span class="s2"&gt;&amp;quot;Port &lt;/span&gt;&lt;span class="si"&gt;{&lt;/span&gt;&lt;span class="n"&gt;port&lt;/span&gt;&lt;span class="si"&gt;}&lt;/span&gt;&lt;span class="s2"&gt; is open - potential proxy detected&amp;quot;&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;

&lt;p&gt;&lt;strong&gt;Why it fails&lt;/strong&gt;: Residential proxies don't typically have these ports open. They route traffic through standard web
ports, making them indistinguishable from normal traffic.&lt;/p&gt;
&lt;h3&gt;2. Honeypots&lt;/h3&gt;
&lt;p&gt;Honeypots try to lure and identify proxy traffic.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Why it fails&lt;/strong&gt;: Sophisticated residential proxy networks can identify and avoid known honeypots. Plus, since they're
using real residential IPs, even if they do hit a honeypot, the IP itself isn't a reliable indicator of proxy usage.&lt;/p&gt;
&lt;h3&gt;3. Client-Side Detection&lt;/h3&gt;
&lt;p&gt;Detection services may also try to detect proxies by executing Javascript in the browser and checking the result
for inconsistencies. These are the common techniques.&lt;/p&gt;
&lt;h4&gt;3.1 WebRTC Leak&lt;/h4&gt;
&lt;p&gt;WebRTC can sometimes reveal a user's true IP address:&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;&lt;code&gt;&lt;span class="kd"&gt;function&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;detectRealIP&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="nx"&gt;callback&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;{&lt;/span&gt;
&lt;span class="w"&gt;    &lt;/span&gt;&lt;span class="kd"&gt;var&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;RTCPeerConnection&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nb"&gt;window&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nx"&gt;RTCPeerConnection&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="o"&gt;||&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nb"&gt;window&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nx"&gt;mozRTCPeerConnection&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="o"&gt;||&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nb"&gt;window&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nx"&gt;webkitRTCPeerConnection&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt;
&lt;span class="w"&gt;    &lt;/span&gt;&lt;span class="kd"&gt;var&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;pc&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="ow"&gt;new&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;RTCPeerConnection&lt;/span&gt;&lt;span class="p"&gt;({&lt;/span&gt;&lt;span class="nx"&gt;iceServers&lt;/span&gt;&lt;span class="o"&gt;:&lt;/span&gt;&lt;span class="p"&gt;[]}),&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;noop&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="kd"&gt;function&lt;/span&gt;&lt;span class="p"&gt;(){};&lt;/span&gt;
&lt;span class="w"&gt;    &lt;/span&gt;&lt;span class="nx"&gt;pc&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nx"&gt;createDataChannel&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="s2"&gt;&amp;quot;&amp;quot;&lt;/span&gt;&lt;span class="p"&gt;);&lt;/span&gt;
&lt;span class="w"&gt;    &lt;/span&gt;&lt;span class="nx"&gt;pc&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nx"&gt;createOffer&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="nx"&gt;pc&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nx"&gt;setLocalDescription&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nx"&gt;bind&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="nx"&gt;pc&lt;/span&gt;&lt;span class="p"&gt;),&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;noop&lt;/span&gt;&lt;span class="p"&gt;);&lt;/span&gt;
&lt;span class="w"&gt;    &lt;/span&gt;&lt;span class="nx"&gt;pc&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nx"&gt;onicecandidate&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="kd"&gt;function&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="nx"&gt;ice&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;{&lt;/span&gt;
&lt;span class="w"&gt;        &lt;/span&gt;&lt;span class="k"&gt;if&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="o"&gt;!&lt;/span&gt;&lt;span class="nx"&gt;ice&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="o"&gt;||&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="o"&gt;!&lt;/span&gt;&lt;span class="nx"&gt;ice&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nx"&gt;candidate&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="o"&gt;||&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="o"&gt;!&lt;/span&gt;&lt;span class="nx"&gt;ice&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nx"&gt;candidate&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nx"&gt;candidate&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="k"&gt;return&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt;
&lt;span class="w"&gt;        &lt;/span&gt;&lt;span class="kd"&gt;var&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;myIP&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="sr"&gt;/([0-9]{1,3}(\.[0-9]{1,3}){3}|[a-f0-9]{1,4}(:[a-f0-9]{1,4}){7})/&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nx"&gt;exec&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="nx"&gt;ice&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nx"&gt;candidate&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nx"&gt;candidate&lt;/span&gt;&lt;span class="p"&gt;)[&lt;/span&gt;&lt;span class="mf"&gt;1&lt;/span&gt;&lt;span class="p"&gt;];&lt;/span&gt;
&lt;span class="w"&gt;        &lt;/span&gt;&lt;span class="nx"&gt;pc&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nx"&gt;onicecandidate&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;noop&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt;
&lt;span class="w"&gt;        &lt;/span&gt;&lt;span class="nx"&gt;callback&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="nx"&gt;myIP&lt;/span&gt;&lt;span class="p"&gt;);&lt;/span&gt;
&lt;span class="w"&gt;    &lt;/span&gt;&lt;span class="p"&gt;};&lt;/span&gt;
&lt;span class="p"&gt;}&lt;/span&gt;

&lt;span class="nx"&gt;detectRealIP&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="kd"&gt;function&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="nx"&gt;ip&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;{&lt;/span&gt;
&lt;span class="w"&gt;    &lt;/span&gt;&lt;span class="nx"&gt;console&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nx"&gt;log&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="s2"&gt;&amp;quot;Your real IP address is: &amp;quot;&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="o"&gt;+&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;ip&lt;/span&gt;&lt;span class="p"&gt;);&lt;/span&gt;
&lt;span class="p"&gt;});&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;

&lt;h4&gt;3.2 Geolocation Inconsistencies&lt;/h4&gt;
&lt;p&gt;Comparing IP-based geolocation with browser-reported location.&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;&lt;code&gt;&lt;span class="nx"&gt;navigator&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nx"&gt;geolocation&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nx"&gt;getCurrentPosition&lt;/span&gt;&lt;span class="p"&gt;((&lt;/span&gt;&lt;span class="nx"&gt;position&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;=&amp;gt;&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;{&lt;/span&gt;
&lt;span class="w"&gt;  &lt;/span&gt;&lt;span class="kd"&gt;const&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;browserLat&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;position&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nx"&gt;coords&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nx"&gt;latitude&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt;
&lt;span class="w"&gt;  &lt;/span&gt;&lt;span class="kd"&gt;const&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;browserLong&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;position&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nx"&gt;coords&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nx"&gt;longitude&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt;
&lt;span class="w"&gt;  &lt;/span&gt;&lt;span class="c1"&gt;// Compare with IP-based geolocation from server&lt;/span&gt;
&lt;span class="p"&gt;});&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;

&lt;h4&gt;3.3 DNS Leaks&lt;/h4&gt;
&lt;p&gt;Check whether DNS requests are routed through the proxy or are leaking:&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;&lt;code&gt;&lt;span class="kd"&gt;const&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;image&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="ow"&gt;new&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;Image&lt;/span&gt;&lt;span class="p"&gt;();&lt;/span&gt;
&lt;span class="kd"&gt;const&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;uniqueDomain&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="sb"&gt;`test-&lt;/span&gt;&lt;span class="si"&gt;${&lt;/span&gt;&lt;span class="nb"&gt;Date&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nx"&gt;now&lt;/span&gt;&lt;span class="p"&gt;()&lt;/span&gt;&lt;span class="si"&gt;}&lt;/span&gt;&lt;span class="sb"&gt;.example.com`&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt;
&lt;span class="nx"&gt;image&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nx"&gt;src&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="sb"&gt;`http://&lt;/span&gt;&lt;span class="si"&gt;${&lt;/span&gt;&lt;span class="nx"&gt;uniqueDomain&lt;/span&gt;&lt;span class="si"&gt;}&lt;/span&gt;&lt;span class="sb"&gt;/pixel.gif`&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt;
&lt;span class="c1"&gt;// Monitor DNS requests server-side to detect leaks&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;

&lt;h4&gt;3.4 Browser Fingerprinting&lt;/h4&gt;
&lt;p&gt;Check whether there are inconsistencies with the browser, e.g. timezone, and the geolocation of the IP address&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;&lt;code&gt;&lt;span class="kd"&gt;const&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;fingerprint&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;{&lt;/span&gt;
&lt;span class="nx"&gt;userAgent&lt;/span&gt;&lt;span class="o"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;navigator&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nx"&gt;userAgent&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
&lt;span class="nx"&gt;screenResolution&lt;/span&gt;&lt;span class="o"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="sb"&gt;`&lt;/span&gt;&lt;span class="si"&gt;${&lt;/span&gt;&lt;span class="nx"&gt;screen&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nx"&gt;width&lt;/span&gt;&lt;span class="si"&gt;}&lt;/span&gt;&lt;span class="sb"&gt;x&lt;/span&gt;&lt;span class="si"&gt;${&lt;/span&gt;&lt;span class="nx"&gt;screen&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nx"&gt;height&lt;/span&gt;&lt;span class="si"&gt;}&lt;/span&gt;&lt;span class="sb"&gt;`&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
&lt;span class="nx"&gt;colorDepth&lt;/span&gt;&lt;span class="o"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;screen&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nx"&gt;colorDepth&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
&lt;span class="nx"&gt;timezone&lt;/span&gt;&lt;span class="o"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nb"&gt;Intl&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nx"&gt;DateTimeFormat&lt;/span&gt;&lt;span class="p"&gt;().&lt;/span&gt;&lt;span class="nx"&gt;resolvedOptions&lt;/span&gt;&lt;span class="p"&gt;().&lt;/span&gt;&lt;span class="nx"&gt;timeZone&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
&lt;span class="nx"&gt;plugins&lt;/span&gt;&lt;span class="o"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nb"&gt;Array&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="kr"&gt;from&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="nx"&gt;navigator&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nx"&gt;plugins&lt;/span&gt;&lt;span class="p"&gt;).&lt;/span&gt;&lt;span class="nx"&gt;map&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="nx"&gt;p&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;=&amp;gt;&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;p&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nx"&gt;name&lt;/span&gt;&lt;span class="p"&gt;),&lt;/span&gt;
&lt;span class="c1"&gt;// ... other characteristics&lt;/span&gt;
&lt;span class="p"&gt;};&lt;/span&gt;
&lt;span class="c1"&gt;// Analyze fingerprint for proxy indicators&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;

&lt;h4&gt;Why these techniques fail&lt;/h4&gt;
&lt;p&gt;Proxy services can work around all of these methods. Many browsers now allow users to disable WebRTC or use
extensions that prevent this leak. Some &lt;a href="/products/residential-proxy-detection/"&gt;residential proxy&lt;/a&gt; services are sophisticated enough to handle WebRTC
requests without leaking the real IP.&lt;/p&gt;
&lt;p&gt;Finally, relying on client-side detection means:
* Your detection can be reverse engineered and bypassed.
* You've already served the content the attacker wants.
* It requires Javascript execution, something that won't always be available, for instance on an API.&lt;/p&gt;
&lt;h3&gt;4. Threat Intelligence&lt;/h3&gt;
&lt;p&gt;Threat intelligence involves maintaining databases of known proxy IP addresses:&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;&lt;code&gt;&lt;span class="kn"&gt;import&lt;/span&gt; &lt;span class="nn"&gt;requests&lt;/span&gt;

&lt;span class="k"&gt;def&lt;/span&gt; &lt;span class="nf"&gt;check_ip_threat_intel&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;ip&lt;/span&gt;&lt;span class="p"&gt;):&lt;/span&gt;
    &lt;span class="n"&gt;api_key&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="s2"&gt;&amp;quot;your_api_key_here&amp;quot;&lt;/span&gt;
    &lt;span class="n"&gt;url&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="sa"&gt;f&lt;/span&gt;&lt;span class="s2"&gt;&amp;quot;https://api.threatintelligence.com/v1/ip/&lt;/span&gt;&lt;span class="si"&gt;{&lt;/span&gt;&lt;span class="n"&gt;ip&lt;/span&gt;&lt;span class="si"&gt;}&lt;/span&gt;&lt;span class="s2"&gt;?key=&lt;/span&gt;&lt;span class="si"&gt;{&lt;/span&gt;&lt;span class="n"&gt;api_key&lt;/span&gt;&lt;span class="si"&gt;}&lt;/span&gt;&lt;span class="s2"&gt;&amp;quot;&lt;/span&gt;
    &lt;span class="n"&gt;response&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="n"&gt;requests&lt;/span&gt;&lt;span class="o"&gt;.&lt;/span&gt;&lt;span class="n"&gt;get&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;url&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;
    &lt;span class="k"&gt;if&lt;/span&gt; &lt;span class="n"&gt;response&lt;/span&gt;&lt;span class="o"&gt;.&lt;/span&gt;&lt;span class="n"&gt;status_code&lt;/span&gt; &lt;span class="o"&gt;==&lt;/span&gt; &lt;span class="mi"&gt;200&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;
        &lt;span class="n"&gt;data&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="n"&gt;response&lt;/span&gt;&lt;span class="o"&gt;.&lt;/span&gt;&lt;span class="n"&gt;json&lt;/span&gt;&lt;span class="p"&gt;()&lt;/span&gt;
        &lt;span class="k"&gt;return&lt;/span&gt; &lt;span class="n"&gt;data&lt;/span&gt;&lt;span class="o"&gt;.&lt;/span&gt;&lt;span class="n"&gt;get&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="s1"&gt;&amp;#39;is_proxy&amp;#39;&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="kc"&gt;False&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;
    &lt;span class="k"&gt;return&lt;/span&gt; &lt;span class="kc"&gt;False&lt;/span&gt;

&lt;span class="c1"&gt;# Example usage&lt;/span&gt;
&lt;span class="n"&gt;ip&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="s2"&gt;&amp;quot;123.45.67.89&amp;quot;&lt;/span&gt;
&lt;span class="k"&gt;if&lt;/span&gt; &lt;span class="n"&gt;check_ip_threat_intel&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;ip&lt;/span&gt;&lt;span class="p"&gt;):&lt;/span&gt;
    &lt;span class="nb"&gt;print&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="sa"&gt;f&lt;/span&gt;&lt;span class="s2"&gt;&amp;quot;&lt;/span&gt;&lt;span class="si"&gt;{&lt;/span&gt;&lt;span class="n"&gt;ip&lt;/span&gt;&lt;span class="si"&gt;}&lt;/span&gt;&lt;span class="s2"&gt; is a known proxy according to threat intelligence&amp;quot;&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;

&lt;p&gt;&lt;strong&gt;Why it fails&lt;/strong&gt;: As our results show, threat intelligence databases are struggling to keep up with the dynamic nature
of residential proxies. By the time an IP is identified and added to a database, it may no longer be in use as a proxy.&lt;/p&gt;
&lt;h2&gt;Why IP-Based Blocking Is No Longer Enough&lt;/h2&gt;
&lt;p&gt;Given the shared nature of IPs in the age of residential proxies, simply identifying and blocking "bad" IPs is too blunt.
Here's why:&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;&lt;strong&gt;False Positives&lt;/strong&gt;: Blocking an IP used by a proxy might also block legitimate users sharing that IP.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Ineffectiveness&lt;/strong&gt;: Proxies can quickly switch to new IPs, so IP-based blocking turns into a chase.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Collateral Damage&lt;/strong&gt;: You might end up blocking entire ISPs or mobile carriers, cutting off large swaths of legitimate users.&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;The practical failure is customer friction. A checkout, login, or account recovery flow cannot treat every residential or mobile network as hostile. Teams need enough request context to choose a proportionate response: log the signal on a low-risk page, challenge a suspicious account change, rate limit repeated failures, or block only when proxy evidence lines up with stronger abuse indicators.&lt;/p&gt;
&lt;p&gt;The same problem shows up on APIs and partner integrations. A partner batch job, mobile carrier, or shared office network can look noisy without being hostile. A compromised key can look legitimate until it starts hitting expensive routes. Good review paths keep the route, account or API key, request rate, fingerprint, and recent outcomes together so the answer is not just "block the IP" or "allow everything."&lt;/p&gt;
&lt;p&gt;This is where proxy detection stops being a lookup problem and becomes an operating problem. The team needs to know which route was hit, what account or session was involved, whether the request matched normal behaviour, and what the enforcement cost would be if the signal was wrong. That is the difference between reducing abuse and quietly pushing good customers into support. For a deeper treatment of that tradeoff, see the guide to &lt;a href="/learning/account-protection/customer-friction-and-false-positives/"&gt;customer friction and false-positive measurement&lt;/a&gt;.&lt;/p&gt;
&lt;h2&gt;The Need for Connection-Level Detection&lt;/h2&gt;
&lt;p&gt;Instead of focusing only on IPs, we need to look at the connections themselves. Here's what this means:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Deep packet inspection&lt;/strong&gt;: Analyses traffic patterns and characteristics beyond surface-level indicators.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Protocol behaviour analysis&lt;/strong&gt;: Identifies subtle anomalies in how network protocols are implemented across the proxy chain.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;TLS/TCP fingerprinting&lt;/strong&gt;: Examines characteristics of TLS handshakes to detect proxy usage.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Timing analysis&lt;/strong&gt;: Measures minute differences in network latency that can indicate the presence of a proxy.&lt;/li&gt;
&lt;/ul&gt;
&lt;h2&gt;Final Thoughts&lt;/h2&gt;
&lt;p&gt;Proxy usage has evolved, and detection methods need to keep up. Simple IP-based blocking and static lists of "bad" addresses are no longer enough. They still have a place, but they cannot be the whole answer.&lt;/p&gt;
&lt;p&gt;Modern residential proxy detection has to evaluate the live request: IP context, connection behaviour, fingerprints, route, account state, request rate, and recent outcomes. On a low-risk page that may only justify logging. On login, signup, checkout, password reset, API key creation, or account recovery, the same signal may justify a challenge, hold, rate limit, or block.&lt;/p&gt;
&lt;p&gt;Peakhour's &lt;a href="/products/residential-proxy-detection/"&gt;residential proxy detection&lt;/a&gt; is built for that request-path decision. The point is not to label every residential IP as bad. The point is to give operators enough evidence to act when proxy use lines up with account abuse, fraud, scraping, or automated traffic.&lt;/p&gt;
&lt;p&gt;If you're still treating IP reputation as the main answer, you're already behind. It's time to stop blocking IPs and start understanding the request.&lt;/p&gt;
&lt;p&gt;Want a demo of our residential proxy detection? &lt;a class="btn btn-large btn-secondary" href="/contact-sales/"&gt;Contact us&lt;/a&gt;
for a live demo of our service.&lt;/p&gt;</content><category term="Residential Proxies"></category><category term="Residential Proxies"></category><category term="Fraud Prevention"></category><category term="Threat Detection"></category><category term="Credential Stuffing"></category><category term="DNS"></category><category term="Account Protection"></category></entry><entry><title>Application Security for Financial Services Under CPS 234</title><link href="https://www.peakhour.io/blog/credential-stuffing-defence-cps-234-compliance/" rel="alternate"></link><published>2024-07-29T10:00:00+10:00</published><updated>2024-07-29T10:00:00+10:00</updated><author><name>Dan</name></author><id>tag:www.peakhour.io,2024-07-29:/blog/credential-stuffing-defence-cps-234-compliance/</id><summary type="html">&lt;p&gt;Comprehensive analysis of credential stuffing threats against Australian financial institutions and how application security platforms help meet CPS 234 disclosure requirements whilst preventing account takeover attacks.&lt;/p&gt;</summary><content type="html">&lt;p&gt;Recent credential stuffing attacks on prominent Australian retailers like &lt;a href="/blog/account-takeover-fraud-theiconic/"&gt;The Iconic&lt;/a&gt; and Dan Murphy's have brought this threat into sharper focus. For APRA-regulated entities, these incidents are a reminder that credential stuffing is not only an account takeover issue. It can also trigger assessment and disclosure obligations under Prudential Standard &lt;a href="https://www.apra.gov.au/sites/default/files/cps_234_july_2019_for_public_release.pdf"&gt;CPS 234&lt;/a&gt; Information Security.&lt;/p&gt;
&lt;h2&gt;The Rising Tide of Credential Stuffing&lt;/h2&gt;
&lt;p&gt;Credential stuffing is now common in Australia and globally. These attacks exploit password reuse across multiple sites. Cybercriminals use automated tools to test large volumes of stolen username and password combinations against websites, looking for accounts they can access without authorisation.&lt;/p&gt;
&lt;p&gt;The scale is large. According to recent studies, there are over 15 billion stolen credentials circulating on the internet. In 2020 alone, one large content delivery network reported more than 193 billion credential &lt;a href="/learning/security/credential-stuffing-defence/"&gt;stuffing attacks&lt;/a&gt; globally. For Australian businesses, the risk is significant and growing.&lt;/p&gt;
&lt;h2&gt;The Compounding Threat of Residential Proxies&lt;/h2&gt;
&lt;p&gt;The use of &lt;a href="/products/residential-proxy-detection/"&gt;residential proxies&lt;/a&gt; has increased the sophistication and effectiveness of &lt;a href="/learning/bots/anatomy-of-credential-stuffing-attack/"&gt;credential stuffing&lt;/a&gt; attacks. Residential proxies allow attackers to route their traffic through legitimate residential IP addresses, making automated activity look more like normal user behaviour.&lt;/p&gt;
&lt;p&gt;This technique poses several challenges:&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Bypassing Traditional Defences&lt;/strong&gt;: Standard IP-based rate limiting and geo-blocking become ineffective when attacks come from diverse, legitimate-looking IP addresses.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Evading Detection&lt;/strong&gt;: Traffic from residential proxies is harder to distinguish from genuine user activity, complicating detection efforts.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Scalability&lt;/strong&gt;: Attackers can distribute their attempts across a large network of proxies, allowing for larger-scale attacks without triggering typical alarm thresholds.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Improved Success Rates&lt;/strong&gt;: By appearing to come from the same geographic area as legitimate users, these attacks are more likely to bypass location-based security measures.&lt;/p&gt;
&lt;/li&gt;
&lt;/ol&gt;
&lt;h2&gt;The Crabby Phenomenon&lt;/h2&gt;
&lt;p&gt;The emergence of sites like &lt;a href="/blog/credential-stuffing-threat-australian-businesses/"&gt;Crabby Cash&lt;/a&gt; shows how credential stuffing fits into a broader cybercrime market. These platforms serve as marketplaces for compromised accounts, making it easier for criminals to monetise successful credential stuffing attacks.&lt;/p&gt;
&lt;p&gt;Key points about Crabby Cash and similar sites:&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Ease of Access&lt;/strong&gt;: These sites lower the barrier to entry for cybercriminals, providing ready access to compromised accounts.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Rapid Exploitation&lt;/strong&gt;: Once credentials are verified and listed on these sites, the window for detection and mitigation narrows significantly.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Diverse Targets&lt;/strong&gt;: The range of compromised accounts often spans multiple industries, including retail, financial services, and entertainment.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Ongoing Threat&lt;/strong&gt;: The existence of these marketplaces incentivises continuous credential stuffing attempts, creating a persistent threat landscape.&lt;/p&gt;
&lt;/li&gt;
&lt;/ol&gt;
&lt;h2&gt;The CPS 234 Disclosure Imperative&lt;/h2&gt;
&lt;p&gt;The prevalence of credential stuffing attacks, compounded by residential proxies and platforms like Crabby Cash, makes the disclosure requirements in CPS 234 directly relevant.&lt;/p&gt;
&lt;p&gt;Paragraph 35 of CPS 234 states:&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;An APRA-regulated entity must notify APRA as soon as possible and, in any case, no later than 72 hours, after becoming aware of an information security incident that:&lt;/p&gt;
&lt;p&gt;(a) materially affected, or had the potential to materially affect, financially or non-financially, the entity or the interests of depositors, policyholders, beneficiaries or other customers; or&lt;/p&gt;
&lt;p&gt;(b) has been notified to other regulators, either in Australia or other jurisdictions.&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;The existence of sites like Crabby Cash can increase the potential impact of credential stuffing attacks, making them more likely to meet the materiality threshold for disclosure.&lt;/p&gt;
&lt;h2&gt;A Risk-Based Approach to Disclosure&lt;/h2&gt;
&lt;p&gt;To manage credential stuffing risk and meet CPS 234 obligations, organisations should take a risk-based approach to detection, mitigation, and disclosure. This involves:&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Working with Specialised Providers&lt;/strong&gt;: Engage with cybersecurity providers who can offer insights into your organisation's exposure and risk levels based on:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Network fingerprinting&lt;/li&gt;
&lt;li&gt;Levels of breached credential login attempts&lt;/li&gt;
&lt;li&gt;Prevalence of residential proxy traffic as a high-correlating signal of attack&lt;/li&gt;
&lt;/ul&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Continuous Risk Assessment&lt;/strong&gt;: Regularly evaluate the risk posed by credential stuffing attacks, considering factors such as:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;The volume and sophistication of attempts&lt;/li&gt;
&lt;li&gt;The success rate of attacks&lt;/li&gt;
&lt;li&gt;The potential impact on customers and the organisation&lt;/li&gt;
&lt;/ul&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Inadequate Defences as a Risk Signal&lt;/strong&gt;: Recognise that the absence of robust defences against credential stuffing is itself a risk signal. Organisations without advanced bot detection, multi-factor authentication, and behavioural analysis capabilities may face higher risk and should consider this in their disclosure decisions.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Adaptive Disclosure Thresholds&lt;/strong&gt;: Develop flexible, risk-based thresholds for APRA notification that take into account:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;The current threat landscape&lt;/li&gt;
&lt;li&gt;The organisation's defensive capabilities&lt;/li&gt;
&lt;li&gt;The potential impact of a successful attack&lt;/li&gt;
&lt;/ul&gt;
&lt;/li&gt;
&lt;/ol&gt;
&lt;h2&gt;Assessing Materiality in Light of These Threats&lt;/h2&gt;
&lt;p&gt;When assessing whether a credential stuffing incident meets the materiality threshold for APRA notification, entities should consider:&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Scale of the Attack&lt;/strong&gt;: The number of accounts targeted or compromised.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Success Rate&lt;/strong&gt;: Whether any accounts were actually breached.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Exposure on Dark Web Markets&lt;/strong&gt;: If compromised credentials appear on sites like Crabby Cash.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Potential Financial Impact&lt;/strong&gt;: Both immediate losses and potential future exploitation.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Non-Financial Impacts&lt;/strong&gt;: Including reputational damage and loss of customer trust.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Broader Systemic Risk&lt;/strong&gt;: Whether the attack could impact the wider financial system.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Defensive Posture&lt;/strong&gt;: The adequacy of existing controls and the organisation's ability to detect and mitigate attacks.&lt;/p&gt;
&lt;/li&gt;
&lt;/ol&gt;
&lt;h2&gt;Proactive Measures and Controls&lt;/h2&gt;
&lt;p&gt;To mitigate the risks of credential stuffing attacks, particularly those leveraging residential proxies, APRA-regulated entities should implement robust controls as outlined in CPS 234 and &lt;a href="https://www.apra.gov.au/sites/default/files/cpg_234_information_security_june_2019_0.pdf"&gt;CPG 234&lt;/a&gt;:&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Contextual Security Approach&lt;/strong&gt;: Implement a contextual security strategy that considers multiple factors to assess the risk of each login attempt, including device characteristics, user behaviour patterns, and network attributes.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Advanced Bot Detection&lt;/strong&gt;: Deploy bot management systems capable of identifying automated attempts, even when they come from diverse IP addresses.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Residential Proxy Detection&lt;/strong&gt;: Utilise specialised residential proxy detection tools to identify and mitigate threats from this increasingly common attack vector.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Multi-Factor Authentication&lt;/strong&gt;: As suggested in CPG 234, implement MFA for high-risk activities to provide an additional layer of security beyond passwords.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Behavioural Analysis&lt;/strong&gt;: Use analytics to detect anomalous login patterns that may indicate credential stuffing attempts.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Continuous Monitoring&lt;/strong&gt;: Implement real-time monitoring systems to quickly identify and respond to potential attacks.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Password Policies&lt;/strong&gt;: Encourage or enforce the use of unique, strong passwords to mitigate the impact of credential stuffing.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Customer Education&lt;/strong&gt;: Proactively inform customers about the risks of password reuse and the importance of strong, unique passwords.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Collaboration and Information Sharing&lt;/strong&gt;: Engage with industry peers and law enforcement to share threat intelligence and effective practices.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Adaptive Authentication&lt;/strong&gt;: Implement risk-based authentication that adjusts security requirements based on the perceived threat level of each login attempt.&lt;/p&gt;
&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;By adopting these measures, particularly a contextual security approach incorporating &lt;a href="/learning/threat-detection/what-is-residential-proxy-detection/"&gt;residential proxy&lt;/a&gt; detection, organisations can improve their resilience against credential stuffing attacks and better protect their customers' accounts.&lt;/p&gt;
&lt;h2&gt;Conclusion&lt;/h2&gt;
&lt;p&gt;Credential stuffing, residential proxies, and platforms like Crabby Cash make account takeover risk harder to assess and harder to contain. APRA-regulated entities need a proactive, risk-based approach to information security and regulatory compliance.&lt;/p&gt;
&lt;p&gt;APRA-regulated entities should treat credential stuffing attacks as more than a technical control problem. They are business risks that may require Board-level attention and, depending on materiality, regulatory disclosure under CPS 234. By implementing preventative measures, maintaining effective incident response capabilities, and keeping clear processes for assessing and reporting incidents, organisations can better protect themselves and their customers from this growing threat.&lt;/p&gt;
&lt;p&gt;In this environment, CPS 234 compliance is not only a reporting exercise. It depends on information security controls that protect the organisation, its customers, and the broader financial system before credential stuffing becomes a material incident.&lt;/p&gt;</content><category term="Account Protection"></category><category term="Account Protection"></category><category term="Credential Stuffing"></category><category term="Fraud Prevention"></category><category term="Application Security"></category><category term="DevSecOps"></category><category term="PCI DSS"></category></entry><entry><title>The Australian epidemic of Account Takeover attacks</title><link href="https://www.peakhour.io/blog/credential-stuffing-threat-australian-businesses/" rel="alternate"></link><published>2024-07-29T10:00:00+10:00</published><updated>2024-07-29T10:00:00+10:00</updated><author><name>AC</name></author><id>tag:www.peakhour.io,2024-07-29:/blog/credential-stuffing-threat-australian-businesses/</id><summary type="html">&lt;p&gt;An in-depth look at the growing threat of credential stuffing attacks on Australian businesses, including recent case studies, defense challenges, and practical recommendations.&lt;/p&gt;</summary><content type="html">&lt;p&gt;In recent months, credential &lt;a href="/learning/security/credential-stuffing-defence/"&gt;stuffing attacks&lt;/a&gt; have hit a number of Australian businesses, leading to compromised accounts, fraudulent purchases, and customer complaints. The pattern is a reminder that account protection cannot stop at password policy or MFA alone.&lt;/p&gt;
&lt;h2&gt;A Case Study in Credential Stuffing&lt;/h2&gt;
&lt;p&gt;Security researcher Jacob Larsen has documented a credential stuffing operation targeting Australian businesses. Larsen's research, &lt;a href="https://larsencyber.com/blog/2024-05-20-crabby-credential-stuffing-australia-account-takeovers/"&gt;detailed in his blog post&lt;/a&gt;, describes the activity of a threat actor known as "Crabby," who has sold compromised Australian accounts since July 2023.&lt;/p&gt;
&lt;p&gt;Larsen's findings show:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;The operation began with a threat actor called "Based" selling compromised accounts via Discord and dedicated websites.&lt;/li&gt;
&lt;li&gt;In November 2023, the operation was acquired by "Juicy," a notorious account vendor, and rebranded as "Crabby."&lt;/li&gt;
&lt;li&gt;As of May 2024, over 19,000 compromised accounts from various Australian brands were offered for sale.&lt;/li&gt;
&lt;li&gt;Low-level fraudsters purchasing these accounts have used them to make unauthorised purchases, often targeting high-value items for resale.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;The Crabby operation shows how credential stuffing has moved beyond isolated login attempts. It now includes account marketplaces, low-level fraud buyers, and the &lt;a href="/blog/account-takeover-fraud-theiconic/"&gt;challenges&lt;/a&gt; businesses face once compromised accounts are monetised.&lt;/p&gt;
&lt;h2&gt;The Difficulty of Defense&lt;/h2&gt;
&lt;p&gt;Credential stuffing defence is harder when attacks are spread across &lt;a href="/blog/residential-proxies-unseen-challenges/"&gt;residential proxies&lt;/a&gt; and kept to single attempts per account.&lt;/p&gt;
&lt;h3&gt;Residential Proxies: The Invisible Threat&lt;/h3&gt;
&lt;p&gt;Residential proxies weaken traditional IP-based controls. These proxies use IP addresses assigned to real residential internet connections, so malicious traffic can look like normal customer traffic. That helps attackers bypass simple rate limiting and geolocation checks.&lt;/p&gt;
&lt;p&gt;That distribution makes login traffic harder to classify. Signals such as a high volume of attempts from one IP address become less useful when attackers can spread requests across a pool of residential IPs.&lt;/p&gt;
&lt;h3&gt;Single-Hit Attacks: Precision Strikes&lt;/h3&gt;
&lt;p&gt;Single-hit attacks are another way attackers avoid noisy patterns. In this approach, each stolen credential is used only once per target site, reducing the chance of detection by traditional rate-limiting or anomaly detection systems.&lt;/p&gt;
&lt;p&gt;By limiting each credential to one attempt, attackers avoid controls tuned to repeated login failures. A business can have rate limiting in place and still miss credential stuffing that never crosses those thresholds.&lt;/p&gt;
&lt;h2&gt;The Mobile API Conundrum&lt;/h2&gt;
&lt;p&gt;As mobile applications become a primary user interface, &lt;a href="/learning/bots/anatomy-of-credential-stuffing-attack/"&gt;credential stuffing&lt;/a&gt; also moves into mobile API traffic. Traditional bot protection often relies on JavaScript challenges or browser fingerprinting, which does not apply cleanly to attacks against mobile APIs.&lt;/p&gt;
&lt;p&gt;Mobile applications typically communicate with backend services via APIs, bypassing the browser environment where many bot detection techniques run. This creates several challenges:&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Lack of JavaScript Execution&lt;/strong&gt;: Mobile APIs don't execute JavaScript, making it impossible to use browser-based bot detection techniques.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Limited Fingerprinting Capabilities&lt;/strong&gt;: Standardised mobile API requests make it difficult to distinguish between legitimate user activity and automated attacks based on request characteristics.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Increased Attack Surface&lt;/strong&gt;: More mobile apps means more potential entry points for attackers, making comprehensive protection more complex.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Authentication Simplification&lt;/strong&gt;: To improve user experience, mobile apps often use simplified authentication flows, which can create weaker controls against automation.&lt;/p&gt;
&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;This gap needs API-centred controls that can assess mobile login behaviour without relying on browser-only signals.&lt;/p&gt;
&lt;h2&gt;Framing Credential Stuffing as a Business Risk&lt;/h2&gt;
&lt;p&gt;Credential stuffing should be treated as a business risk, not just an authentication issue. The impact can include refunds, chargebacks, customer support load, reputational damage, and regulatory disclosure work.&lt;/p&gt;
&lt;h3&gt;Risk Quantification and Disclosure&lt;/h3&gt;
&lt;p&gt;Risk quantification gives security teams a way to explain credential stuffing in business terms. By applying frameworks like &lt;a href="https://www.opengroup.org/open-fair"&gt;FAIR&lt;/a&gt; (Factor Analysis of Information Risk), businesses can:&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;Quantify the potential financial impact of credential stuffing attacks.&lt;/li&gt;
&lt;li&gt;Prioritise security investments based on risk reduction potential.&lt;/li&gt;
&lt;li&gt;Communicate the importance of cybersecurity measures to non-technical stakeholders.&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;&lt;a href="https://www.apra.gov.au/information-security"&gt;CPS 234&lt;/a&gt; in Australia adds a disclosure dimension for regulated entities. Businesses need to protect against credential stuffing and be able to explain their exposure, controls, and mitigation strategy.&lt;/p&gt;
&lt;h2&gt;The State of Credential Stuffing Defense in Australia&lt;/h2&gt;
&lt;p&gt;Our recent &lt;a href="/blog/credential-stuffing-and-account-takeover-survey-2024/"&gt;survey&lt;/a&gt; of Australian businesses shows uneven adoption of credential stuffing defences:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;While 77% of respondents use Multi-Factor Authentication (MFA), only 40% have implemented bot protection measures.&lt;/li&gt;
&lt;li&gt;15% of companies chose not to respond to questions about their security measures, suggesting potential gaps in protection.&lt;/li&gt;
&lt;li&gt;Just 29% of businesses check credentials against known breaches, leaving a large window of opportunity for attackers using stolen credentials.&lt;/li&gt;
&lt;li&gt;Only 15% of organisations use residential proxy detection, a critical component in identifying and mitigating modern credential stuffing attacks.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;These results suggest a gap between how credential stuffing is run now and the controls many Australian businesses have in place.&lt;/p&gt;
&lt;h2&gt;Recommendations for Enhanced Protection&lt;/h2&gt;
&lt;p&gt;Based on our analysis and survey results, businesses should review the following controls:&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Implement Advanced Bot Protection&lt;/strong&gt;: Deploy controls that detect and mitigate bot attacks, including attacks using residential proxies.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Enhance Mobile API Security&lt;/strong&gt;: Use mobile API controls that focus on anomaly detection and behavioural analysis rather than browser-based techniques.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Adopt Risk-Based Authentication&lt;/strong&gt;: Implement dynamic authentication mechanisms that adjust based on the assessed risk of each session or transaction.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Utilise Breached Credential Databases&lt;/strong&gt;: Check user credentials against known breach databases and enforce password changes for compromised accounts.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Implement Residential Proxy Detection&lt;/strong&gt;: Use technology that identifies and mitigates traffic from residential proxy networks. This is a key control for modern credential stuffing attacks.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Apply Advanced Rate Limiting&lt;/strong&gt;: Utilise device fingerprinting and other identifiers beyond IP addresses to implement more effective rate limiting, particularly for single-hit attacks.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Employ Contextual Security&lt;/strong&gt;: Use signals such as user behaviour patterns, device characteristics, and historical usage to identify anomalies that may indicate credential stuffing attempts.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Quantify and Communicate Risk&lt;/strong&gt;: Use frameworks like FAIR to quantify the potential impact of credential stuffing attacks and communicate this risk to stakeholders.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Implement Continuous Monitoring&lt;/strong&gt;: Deploy real-time monitoring that detects patterns indicative of credential stuffing attacks, and update defences as attack methods change.&lt;/p&gt;
&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;These controls address the specific problems created by residential proxies, single-hit attempts, mobile API traffic, and weak credential hygiene. They also reflect the limits of IP-only rate limiting and browser-only bot detection.&lt;/p&gt;
&lt;p&gt;Credential stuffing defence works best as a layered programme: bot detection, residential proxy detection, breached credential checks, mobile API coverage, and risk reporting. The practical goal is to stop account takeover attempts earlier, reduce fraud exposure, and give security teams evidence they can act on.&lt;/p&gt;</content><category term="Account Protection"></category><category term="Account Protection"></category><category term="Credential Stuffing"></category><category term="Fraud Prevention"></category><category term="Residential Proxies"></category><category term="Threat Detection"></category><category term="DNS"></category></entry><entry><title>Account Protection and User Experience in Web Applications</title><link href="https://www.peakhour.io/blog/frictionless-customer-experiences/" rel="alternate"></link><published>2024-07-17T10:00:00+10:00</published><updated>2024-07-17T10:00:00+10:00</updated><author><name>AC</name></author><id>tag:www.peakhour.io,2024-07-17:/blog/frictionless-customer-experiences/</id><summary type="html">&lt;p&gt;Explore strategies to enhance web application security without compromising user experience, focusing on contextual security and adaptive authentication measures.&lt;/p&gt;</summary><content type="html">&lt;p&gt;Web applications face a wide range of security threats, but customer accounts are often the target. Our recent survey of
Australian businesses showed a need for stronger
&lt;a href="/solutions/use-case/contextual-security/"&gt;account protection&lt;/a&gt; measures. Those controls can add friction for users if they are applied too broadly. This article
looks at ways to balance security with &lt;a href="/learning/crux-chrome-user-experience/"&gt;user experience&lt;/a&gt; in web applications.&lt;/p&gt;
&lt;h2&gt;The Challenge: Compromised Credentials&lt;/h2&gt;
&lt;p&gt;Our survey found that 21% of organisations cited reputation loss as their main cybersecurity challenge. That
result points back to a practical security problem: compromised credentials.&lt;/p&gt;
&lt;p&gt;Causes of compromised logins include:&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;Phishing attacks&lt;/li&gt;
&lt;li&gt;Password reuse across multiple sites&lt;/li&gt;
&lt;li&gt;Data breaches exposing user credentials&lt;/li&gt;
&lt;li&gt;Credential stuffing attacks&lt;/li&gt;
&lt;li&gt;Keylogging malware&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;These risks make password-only authentication a weak control for customer account protection.&lt;/p&gt;
&lt;h2&gt;Moving Beyond Traditional Multi-Factor Authentication&lt;/h2&gt;
&lt;p&gt;Multi-Factor Authentication (MFA) adds a useful security layer, but it can also add friction. Our survey found that
only 40% of organisations implement bot protection, which leaves a clear gap around automated attacks.&lt;/p&gt;
&lt;p&gt;While 77% of surveyed businesses use MFA, that figure can hide other weaknesses. MFA alone doesn't
protect accounts from every attack path.&lt;/p&gt;
&lt;p&gt;&lt;a href="/blog/why-mfa-is-an-incomplete-defence/"&gt;Learn more about the limitations of traditional MFA&lt;/a&gt;&lt;/p&gt;
&lt;h2&gt;Contextual Security: A User-Focused Approach&lt;/h2&gt;
&lt;p&gt;Contextual security helps reduce that tradeoff between protection and user experience. It assesses the risk of each
login attempt using factors including:&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;Location of the login attempt&lt;/li&gt;
&lt;li&gt;Time of day&lt;/li&gt;
&lt;li&gt;Device used&lt;/li&gt;
&lt;li&gt;User behaviour patterns&lt;/li&gt;
&lt;li&gt;IP address reputation&lt;/li&gt;
&lt;li&gt;Network characteristics&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;By analysing these contextual factors, web applications can apply adaptive authentication without
asking every user to complete an extra step every time.&lt;/p&gt;
&lt;!-- ![Contextual Security Factors](/api/placeholder/600/400) --&gt;

&lt;p&gt;&lt;em&gt;Figure 1: Key factors considered in contextual security&lt;/em&gt;&lt;/p&gt;
&lt;h2&gt;Implementing Contextual Security in Web Applications&lt;/h2&gt;
&lt;p&gt;To improve account protection without adding unnecessary friction, consider these controls:&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;&lt;strong&gt;Real-time monitoring&lt;/strong&gt;: Track user activity and detect anomalies.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Adaptive authentication&lt;/strong&gt;: Adjust security requirements based on the risk level of each login attempt.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Behavioural analysis&lt;/strong&gt;: Use machine learning to understand user behaviour and flag suspicious activity.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Transparent security measures&lt;/strong&gt;: Apply checks that don't require additional user actions for low-risk scenarios.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Risk-based access controls&lt;/strong&gt;: Apply stricter security measures for high-risk actions or sensitive data access.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Bot protection&lt;/strong&gt;: Detect and mitigate automated attacks.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;API security&lt;/strong&gt;: Protect APIs from abuse and unauthorised access.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Residential proxy detection&lt;/strong&gt;: Identify and mitigate threats from residential proxy networks.&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;For web applications, the goal is targeted control rather than blanket friction.&lt;/p&gt;
&lt;h2&gt;The Role of User Education&lt;/h2&gt;
&lt;p&gt;User education still has a place in a security strategy. Training and awareness programs can help users understand:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;The importance of strong, unique passwords&lt;/li&gt;
&lt;li&gt;How to identify phishing attempts&lt;/li&gt;
&lt;li&gt;The risks of password reuse across multiple sites&lt;/li&gt;
&lt;li&gt;The importance of keeping software and devices updated&lt;/li&gt;
&lt;li&gt;How to recognise and report suspicious activities&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;User education works best when it supports technical controls rather than carrying the whole burden.&lt;/p&gt;
&lt;h2&gt;Addressing Mobile Application Security&lt;/h2&gt;
&lt;p&gt;Our survey indicates a potential gap in mobile security strategies. As mobile apps take on operations like banking and e-commerce, they become part of the application attack surface.&lt;/p&gt;
&lt;p&gt;Only 30% of respondents implement &lt;a href="/solutions/use-case/traffic-control/"&gt;Web Application&lt;/a&gt; and API Protection (WAAP), indicating many businesses may not be ready to protect their mobile assets. That gap leaves mobile applications exposed to attacks, including API abuse and data exfiltration.&lt;/p&gt;
&lt;!-- [Discover best practices for securing mobile applications](/mobile-application-security-best-practices/) --&gt;

&lt;h2&gt;The Threat of Residential Proxies&lt;/h2&gt;
&lt;p&gt;Our survey found that only 15% of organisations use residential proxy detection. That low adoption rate leaves a weakness in many businesses' security postures.&lt;/p&gt;
&lt;p&gt;Residential proxies can threaten account security by:&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;Bypassing traditional IP-based rate limiting&lt;/li&gt;
&lt;li&gt;Evading geolocation-based restrictions&lt;/li&gt;
&lt;li&gt;Facilitating large-scale credential stuffing attacks&lt;/li&gt;
&lt;li&gt;Enabling undetected data scraping&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;Businesses should consider security providers that can detect and mitigate residential proxy threats.&lt;/p&gt;
&lt;p&gt;Learn more about &lt;a href="/products/residential-proxy-detection/"&gt;residential proxy&lt;/a&gt; detection&lt;/p&gt;
&lt;h2&gt;Finding the Balance&lt;/h2&gt;
&lt;p&gt;Balancing account protection and user experience in web applications requires more than a single control. By implementing contextual security measures, organisations can:&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;Improve security without unnecessary impact on user experience&lt;/li&gt;
&lt;li&gt;Adapt to threats in real-time&lt;/li&gt;
&lt;li&gt;Reduce the risk of compromised credentials and account takeovers&lt;/li&gt;
&lt;li&gt;Protect against threats like residential proxies and mobile application vulnerabilities&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;As threats change, account protection needs to change with them. Contextual security gives organisations a practical way to protect users and their reputation.&lt;/p&gt;</content><category term="Account Protection"></category><category term="Account Protection"></category><category term="Credential Stuffing"></category><category term="Application Security"></category><category term="Fraud Prevention"></category><category term="API Security"></category><category term="Magento"></category></entry><entry><title>The Cost of Credential Stuffing</title><link href="https://www.peakhour.io/blog/credential-stuffing-business-impact/" rel="alternate"></link><published>2024-07-17T00:00:00+10:00</published><updated>2024-07-17T00:00:00+10:00</updated><author><name>AC</name></author><id>tag:www.peakhour.io,2024-07-17:/blog/credential-stuffing-business-impact/</id><summary type="html">&lt;p&gt;Explore how credential stuffing attacks and account takeovers affect business reputation and customer trust.&lt;/p&gt;</summary><content type="html">&lt;p&gt;In recent months, &lt;a href="/blog/account-takeover-fraud-theiconic/"&gt;Australian businesses have faced a wave of credential stuffing attacks&lt;/a&gt;.
These attacks do not require the affected website itself to be breached. They target customer accounts, leading to
fraudulent transactions. The damage is practical as well as reputational: disputed purchases, refunds, locked accounts,
and customers asking how someone else was able to use their account.&lt;/p&gt;
&lt;h2&gt;What is Credential Stuffing?&lt;/h2&gt;
&lt;p&gt;Credential stuffing occurs when attackers use login details obtained from a
data breach to access accounts on other sites. Criminals test millions of credentials against a target
website to identify working combinations. This attack affects users who reuse passwords across multiple services [1].&lt;/p&gt;
&lt;h2&gt;The Scale of the Problem&lt;/h2&gt;
&lt;p&gt;Tens of thousands of Australian online accounts are reported to have been accessed since late November 2023 [2].
The attacks affected major retailers and service providers, including:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;The Iconic&lt;/li&gt;
&lt;li&gt;Guzman y Gomez&lt;/li&gt;
&lt;li&gt;Dan Murphy's&lt;/li&gt;
&lt;li&gt;Event Cinemas&lt;/li&gt;
&lt;li&gt;Stan&lt;/li&gt;
&lt;/ul&gt;
&lt;h2&gt;The Impact&lt;/h2&gt;
&lt;p&gt;While reusing passwords between sites has long been considered poor security practice, users still do it. Blaming the customer,
as 23andMe did in its response to an attack, is not a serious account protection strategy. Over 70% of Americans believe that
websites have a responsibility to prevent account takeovers via stuffing attacks. Not doing so can negatively impact a
business in several ways.&lt;/p&gt;
&lt;h3&gt;Financial Impact&lt;/h3&gt;
&lt;p&gt;The cost can fall on either the affected business or the affected customer. Fraudsters made significant purchases using
compromised accounts. One scammer claimed to have spent over $800 on
high-end alcohol at Dan Murphy's [2]. Others bought iPhones and clothing. Either the customer will be out of pocket,
or the business when the customer issues a chargeback on the purchase.&lt;/p&gt;
&lt;h3&gt;Reputation Damage&lt;/h3&gt;
&lt;p&gt;The attacks leave businesses dealing with customer complaints, refunds, and visible questions about account security. The Iconic
pledged to refund affected customers [1]. Dan Murphy's confirmed that a "small number of user accounts were
subject to fraudulent transactions" [3].&lt;/p&gt;
&lt;h3&gt;Customer Trust&lt;/h3&gt;
&lt;p&gt;These incidents erode customer trust. Users expect businesses to make account abuse difficult, even when the original
password leak happened somewhere else. When accounts are taken over, customers question the security practices of the
affected companies.&lt;/p&gt;
&lt;h3&gt;Business Response&lt;/h3&gt;
&lt;p&gt;Companies responded by:&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;Locking compromised accounts&lt;/li&gt;
&lt;li&gt;Issuing refunds&lt;/li&gt;
&lt;li&gt;Encouraging customers to change passwords&lt;/li&gt;
&lt;li&gt;Implementing stronger security measures&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;Dan Murphy's advised customers to "practise good password hygiene, using a strong password and changing it periodically" [3].&lt;/p&gt;
&lt;h2&gt;Prevention Strategies&lt;/h2&gt;
&lt;p&gt;To protect &lt;a href="/learning/security/credential-stuffing-defence/"&gt;against credential&lt;/a&gt; stuffing, businesses should:&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;Implement multi-factor authentication&lt;/li&gt;
&lt;li&gt;Educate customers about password security&lt;/li&gt;
&lt;li&gt;Monitor login behaviour on their website&lt;/li&gt;
&lt;li&gt;Implement, and regularly update, security measures, including bot management and advanced rate limiting.&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;Credential stuffing is not just a password reuse problem. It is an account protection problem, and businesses that sell
online need controls that make stolen credentials harder to turn into purchases.&lt;/p&gt;
&lt;p&gt;Sources:&lt;/p&gt;
&lt;p&gt;[^1^] ABC News: "The Iconic was hit by criminals taking money by 'credential stuffing'. How can you stay safe?"
[^2^] Cyber Daily: "Guzman y Gomez, Dan Murphy's customers affected in credential stuffing campaign"
[^3^] The Sydney Morning Herald: "Thousands of Australians hacked in 'credential stuffing' credit card scam"&lt;/p&gt;</content><category term="Account Protection"></category><category term="Credential Stuffing"></category><category term="Account Protection"></category><category term="Fraud Prevention"></category><category term="Residential Proxies"></category><category term="DNS"></category><category term="Magento"></category></entry><entry><title>2024 Survey Insights</title><link href="https://www.peakhour.io/blog/credential-stuffing-and-account-takeover-survey-2024-full/" rel="alternate"></link><published>2024-07-16T10:00:00+10:00</published><updated>2024-07-16T10:00:00+10:00</updated><author><name>AC</name></author><id>tag:www.peakhour.io,2024-07-16:/blog/credential-stuffing-and-account-takeover-survey-2024-full/</id><summary type="html">&lt;p&gt;Survey data from Australian CISOs and CTOs shows broad MFA adoption, lower bot protection uptake, and early attention on residential proxy detection for credential stuffing and account takeover risk.&lt;/p&gt;</summary><content type="html">&lt;p&gt;Recent &lt;a href="/blog/account-takeover-fraud-theiconic/"&gt;customer account takeovers&lt;/a&gt; have put account protection back on the agenda for Australian businesses. Our 2024 survey of Australian CISOs and CTOs shows how respondents are using MFA, bot protection, WAAP and residential proxy detection to manage credential stuffing and account takeover risk.&lt;/p&gt;
&lt;h2&gt;Account Protection: Current State and Future Plans&lt;/h2&gt;
&lt;p&gt;Our survey found 76.23% of Australian businesses use Multi-Factor Authentication (MFA). MFA is widely adopted, but it is not a complete account protection strategy on its own.&lt;/p&gt;
&lt;p&gt;&lt;img alt="Current Security Measures of Australian Businesses" src="/static/images/survey/current-security-measures.png"&gt;&lt;/p&gt;
&lt;p&gt;39.34% of organisations currently use bot protection. That matters because &lt;a href="/learning/bots/anatomy-of-credential-stuffing-attack/"&gt;credential stuffing&lt;/a&gt; is automated by design. Another 34.65% of businesses plan to implement bot protection in the future.&lt;/p&gt;
&lt;p&gt;&lt;img alt="Planned security measures" src="/static/images/survey/planned-security-measures.png"&gt;&lt;/p&gt;
&lt;p&gt;The pattern is clear: many organisations are treating MFA as a baseline and looking at additional controls around it.&lt;/p&gt;
&lt;h2&gt;Current Bot Management Solutions&lt;/h2&gt;
&lt;p&gt;The survey also asked which bot management solutions Australian businesses currently use. Cloudflare was the clear leader, with nearly half of respondents using its services.&lt;/p&gt;
&lt;p&gt;&lt;img alt="Current bot management solutions used by Australian businesses" src="/static/images/survey/bot-management-solutions-use.png"&gt;&lt;/p&gt;
&lt;p&gt;The breakdown of bot management solutions is as follows:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Cloudflare: 48.24%&lt;/li&gt;
&lt;li&gt;AWS WAF Bot Ruleset: 10.59%&lt;/li&gt;
&lt;li&gt;Other solutions make up the remaining percentage&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;This distribution is concentrated around Cloudflare. Outside that, the remaining respondents are spread across other solutions rather than one clear alternative.&lt;/p&gt;
&lt;p&gt;Tooling matters here. Residential proxy traffic weakens IP reputation and simple rate limits, so detection capability, request grouping and response controls matter as much as vendor name. If residential proxies continue to feature in credential stuffing tooling, this mix may shift as teams look for more &lt;a href="/blog/proxy-detection-challenges-existing-solutions/"&gt;advanced protection measures&lt;/a&gt;.&lt;/p&gt;
&lt;h2&gt;The Rising Threat of Residential Proxies&lt;/h2&gt;
&lt;p&gt;A key finding from our survey is the low adoption rate of &lt;a href="/products/residential-proxy-detection/"&gt;residential proxy&lt;/a&gt; (resip) detection, with only 13.11% of organisations currently using this technology. Planned adoption suggests teams are starting to account for the risk, but current coverage is still low.&lt;/p&gt;
&lt;p&gt;Resips are difficult for account security teams because malicious traffic can look like normal ISP traffic. They enable attackers to:&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;Bypass traditional IP-based rate limiting&lt;/li&gt;
&lt;li&gt;Evade geolocation-based restrictions&lt;/li&gt;
&lt;li&gt;Conduct large-scale credential stuffing attacks&lt;/li&gt;
&lt;li&gt;Scrape sensitive data undetected&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;The planned adoption of resip detection points to a shift in security strategies, away from simple IP-based controls and towards more specific network signals.&lt;/p&gt;
&lt;p&gt;&lt;a href="/blog/residential-proxies-unseen-challenges/"&gt;Learn more about the threat of residential proxies and how to detect them&lt;/a&gt;&lt;/p&gt;
&lt;h2&gt;Credential Stuffing: A Persistent and Growing Concern&lt;/h2&gt;
&lt;p&gt;Credential &lt;a href="/learning/security/credential-stuffing-defence/"&gt;stuffing attacks&lt;/a&gt; continue to be a major concern for businesses. These attacks exploit password reuse across multiple sites, allowing attackers to gain unauthorised access to user accounts.&lt;/p&gt;
&lt;p&gt;Respondents said they plan to implement several measures to reduce credential stuffing risk:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;34.65% plan to implement bot protection&lt;/li&gt;
&lt;li&gt;32.67% intend to add multi-factor authentication&lt;/li&gt;
&lt;li&gt;31.68% aim to check credentials against known breaches&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;These plans point to layered account protection rather than reliance on one control.&lt;/p&gt;
&lt;h2&gt;Mobile Applications: An Emerging Attack Surface&lt;/h2&gt;
&lt;p&gt;While mobile applications were not directly addressed in our survey, the data suggests a possible gap in mobile security strategies. The low adoption rate of Web &lt;a href="/learning/application-security/what-is-waap/"&gt;Application and&lt;/a&gt; API Protection (WAAP) - implemented by only 27.87% of respondents - indicates many businesses may be underprepared to protect their mobile assets.&lt;/p&gt;
&lt;p&gt;As mobile apps become primary interfaces for critical operations, this gap leaves businesses exposed to attacks that use the same automation and resip infrastructure seen on web login flows.&lt;/p&gt;
&lt;h2&gt;Balancing Security and User Experience&lt;/h2&gt;
&lt;p&gt;The operational problem is familiar: increase assurance without making login unusable. Key considerations for enhancing account protection while preserving usability include:&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;Expanding beyond MFA&lt;/li&gt;
&lt;li&gt;Implementing bot protection&lt;/li&gt;
&lt;li&gt;Adopting WAAP solutions&lt;/li&gt;
&lt;li&gt;Monitoring credential leaks&lt;/li&gt;
&lt;li&gt;Focusing on API security&lt;/li&gt;
&lt;li&gt;Implementing residential proxy detection&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;&lt;a href="/blog/frictionless-customer-experiences/"&gt;Explore strategies for balancing security and user experience&lt;/a&gt;&lt;/p&gt;
&lt;h2&gt;Executive vs Engineer Perspectives&lt;/h2&gt;
&lt;p&gt;Our survey found differences in cybersecurity priorities between executives and engineers:&lt;/p&gt;
&lt;p&gt;&lt;img alt="Executive vs Engineer Cybersecurity Priorities" src="/static/images/survey/planned-security-measures.png"&gt;&lt;/p&gt;
&lt;p&gt;&lt;em&gt;Figure 3: Comparison of cybersecurity priorities between executives and engineers&lt;/em&gt;&lt;/p&gt;
&lt;p&gt;The gap matters because budget, architecture, and incident response are often owned by different teams. Account protection plans need to cover both executive risk concerns and engineering realities, including the threat from RESIPs.&lt;/p&gt;
&lt;h2&gt;Final Thoughts&lt;/h2&gt;
&lt;p&gt;Our 2024 survey results point to a simple position: MFA is widely used, but it is not the whole account protection strategy. Bot protection, breached credential checks, WAAP and residential proxy detection are still unevenly adopted. That matters because credential stuffing does not depend on one weakness; it combines reused credentials, automation, proxy networks and weak response controls.&lt;/p&gt;
&lt;p&gt;Australian businesses do not need every control at once, but they need a layered plan that reflects how account takeover attacks are run now. For teams reviewing their controls, resip detection and mobile/API coverage are worth checking explicitly because both are easy to miss if the programme is still centred on MFA and IP reputation.&lt;/p&gt;</content><category term="Account Protection"></category><category term="Account Protection"></category><category term="Credential Stuffing"></category><category term="Residential Proxies"></category><category term="API Security"></category><category term="Fraud Prevention"></category><category term="Bot Management"></category></entry><entry><title>Malicious Bot Threats</title><link href="https://www.peakhour.io/blog/malicious-bot-threats-enterprise-application-security/" rel="alternate"></link><published>2020-08-12T13:00:00+10:00</published><updated>2020-08-12T13:00:00+10:00</updated><author><name>AC</name></author><id>tag:www.peakhour.io,2020-08-12:/blog/malicious-bot-threats-enterprise-application-security/</id><summary type="html">&lt;p&gt;Comprehensive analysis of malicious bot threats targeting modern applications and APIs. Learn how enterprise bot management protects against automated attacks, credential stuffing, price scraping, and sophisticated bot-driven financial damage.&lt;/p&gt;</summary><content type="html">&lt;p&gt;Bots are software applications that automate repetitive tasks without human interaction. They have become part of the
normal infrastructure of the internet. Some bots are useful; others are &lt;a href="/learning/bots/bot-management/"&gt;bad bots&lt;/a&gt;. The
latter are the concern for application and security teams.&lt;/p&gt;
&lt;p&gt;Bad bots keep changing and are increasingly difficult to detect. They can cause significant financial damage to
organisations by disrupting online operations, overwhelming websites with traffic, and stealing information such as web
content and ecommerce pricing data.&lt;/p&gt;
&lt;h2&gt;&lt;i class="fas fa-robot text-primary"&gt;&lt;/i&gt; Bad Bot Types &lt;i class="fas fa-robot text-primary"&gt;&lt;/i&gt;&lt;/h2&gt;
&lt;p&gt;Bad bots span a wide range of attack capabilities and scenarios. The following are the main categories these attacks
fall into:&lt;/p&gt;
&lt;h4&gt;&lt;i class="fas fa-mail-bulk text-primary"&gt;&lt;/i&gt; Spam Bots&lt;/h4&gt;
&lt;p&gt;Spam bots typically target blog comment sections, community portals and lead generation forms with 'garbage' or fake
content. They can also insert unwanted ads, malicious phishing links and banners into real-time conversations to disrupt
the service and attack users.&lt;/p&gt;
&lt;h4&gt;&lt;i class="fas fa-search text-primary"&gt;&lt;/i&gt; &amp;nbsp;Scraping Bots&lt;/h4&gt;
&lt;p&gt;Price, content and inventory scraping bots steal prices and product listings. This can damage an ecommerce site's
revenue stream and harm SEO rankings when duplicate content appears on competitor and bogus sites. These bots also
scrape product reviews, news, product catalogues and user-generated content. Scraper bots can harvest email addresses,
images and text from victim websites, then repurpose that material to pose as legitimate web pages.&lt;/p&gt;
&lt;h4&gt;&lt;i class="fas fa-passport text-primary"&gt;&lt;/i&gt; &amp;nbsp;Credential Stuffing Bots&lt;/h4&gt;
&lt;p&gt;Credential Stuffing Bots attempt to use login details from other sites, or run brute force guessing attacks against
customer and admin accounts. If successful, they can make purchases, harvest personal information and purchase
histories, make unauthorised cryptocurrency transactions, and transfer reward points and money to gift cards and air
miles.&lt;/p&gt;
&lt;h4&gt;&lt;i class="fas fa-ad text-primary"&gt;&lt;/i&gt; &amp;nbsp;Ad Click Fraud Bots&lt;/h4&gt;
&lt;p&gt;Ad Click Fraud Bots can sabotage competitors by clicking on their ads to drive costs up and exhaust budget caps. They
can also be used to scam advertisers with fake websites and ad clicks that pay the fraudster directly. In both
scenarios, bots automatically generate interactions or 'clicks' with ads, promotions and media.&lt;/p&gt;
&lt;h4&gt;&lt;i class="fas fa-credit-card text-primary"&gt;&lt;/i&gt; &amp;nbsp;Credit Card Stuffing Bots&lt;/h4&gt;
&lt;p&gt;Carding bots make repeated attempts to authorise stolen credit card credentials. This can leave merchant payment
processors with chargebacks and penalties, and may ultimately result in the victim merchant being prevented from
accepting credit cards altogether.&lt;/p&gt;
&lt;h4&gt;&lt;i class="fas fa-boxes text-primary"&gt;&lt;/i&gt; &amp;nbsp;Inventory Denial Bots&lt;/h4&gt;
&lt;p&gt;Cart Abandonment and Inventory Exhaustion bots automatically add hundreds of products to ecommerce shopping carts, then
abandon them. This can block consumers from buying products, reduce sales, manipulate conversion rates and damage a
brand’s reputation.&lt;/p&gt;
&lt;h4&gt;&lt;i class="fas fa-network-wired text-primary"&gt;&lt;/i&gt; &amp;nbsp;DDoS Bots and Botnets&lt;/h4&gt;
&lt;p&gt;&lt;a href="/ddos-protection/"&gt;Distributed Denial of Service (DDoS)&lt;/a&gt; attack bots and botnets are made up of thousands of compromised computers or
Internet of Things (IoT) devices called "zombies". They can slow down a website or take it offline completely by
flooding sites with massive amounts of artificially generated traffic. Researchers have found cybercriminals advertising
DDoS services on the dark web with basic fees to attack unprotected sites ranging from $50 to $100, while an attack on
a protected site can reach $400 or more.&lt;/p&gt;
&lt;h4&gt;&lt;i class="fas fa-ticket-alt text-primary"&gt;&lt;/i&gt; &amp;nbsp;Ticket Scalping Bots&lt;/h4&gt;
&lt;p&gt;Ticket scalping bots automatically buy tickets, enabling malicious users to resell them at a higher price. Examples
include using a bot to purchase concert tickets for major events the minute they go on sale.&lt;/p&gt;
&lt;h4&gt;&lt;i class="fas fa-user text-primary"&gt;&lt;/i&gt; &amp;nbsp;Fake Account Creation Bots&lt;/h4&gt;
&lt;p&gt;Fake Account Creation bots create fake accounts for criminal activities such as content spam, cryptocurrency laundering
and malware distribution. Fake accounts can compromise brands and attack users with malware such as ransomware.&lt;/p&gt;
&lt;h4&gt;&lt;i class="fas fa-user-secret text-primary"&gt;&lt;/i&gt; &amp;nbsp;Hacker Bots&lt;/h4&gt;
&lt;p&gt;Hacker bots can distribute malware, attack websites and compromise entire networks by exploiting security
vulnerabilities and injecting code into victim sites. Hacker bots can also perform &lt;a href="/products/ddos-protection/"&gt;DDoS attacks&lt;/a&gt; across web proxies
with browser-like signatures to disrupt business operations.&lt;/p&gt;
&lt;h4&gt;&lt;i class="fas fa-grin-alt text-primary"&gt;&lt;/i&gt; &amp;nbsp;Impersonator Bots&lt;/h4&gt;
&lt;p&gt;Impersonator bots copy human computer interactions and behaviours to fool users and bot mitigation defences while they
conduct malicious activity. Impersonator bots also include propaganda bots that influence political opinions on
platforms such as Facebook and Twitter. According to researchers at the University of Southern California who studied
bot use during the 2016 U.S. Presidential election, “the presence of social media bots can indeed negatively affect
democratic political discussion rather than improving it, which in turn can potentially alter public opinion.”&lt;/p&gt;
&lt;h2&gt;The Growing Threat&lt;/h2&gt;
&lt;p&gt;A report from Imperva found that roughly one-quarter of all website traffic in 2019 originated from bad bots, an
increase of 18% over 2018. 75% of that bad bot traffic is made up by Advanced persistent bots (APBs) that attempt to
evade detection by cycling through random IP addresses, using anonymous proxies, and changing their identities. The
industries hardest hit by bad bots in 2019 included financial services, education, ecommerce and government, as well as
media and airlines.&lt;/p&gt;
&lt;p&gt;Companies offering "Bad Bots as-a-Service"* are also gaining ground. These data scraping services sell bots as
easy-to-use packaged products that provide pricing and competitive intelligence, alternative data for finance, or
competitive insights managed by Web Data Extraction Specialists and Data Scraping Specialists.&lt;/p&gt;
&lt;p&gt;Malicious bot-for-hire services also offer personal and financial data harvesting, brute-force login services, ad click
fraud, spamming services, transaction fraud services, and Distributed Denial of Service (DDoS) attacks.&lt;/p&gt;
&lt;h2&gt;Final Thoughts&lt;/h2&gt;
&lt;p&gt;Bad bot activity continues to increase, so websites need security controls that can identify and stop them. Our next
article on bots will go over the common countermeasures used to combat bad bots.&lt;/p&gt;</content><category term="Bots"></category><category term="Bot Management"></category><category term="Credential Stuffing"></category><category term="API Security"></category><category term="Account Protection"></category><category term="Residential Proxies"></category><category term="Fraud Prevention"></category></entry></feed>