Skip to main content
logo
Akamai Technologies, Inc. (AKAM)
NASDAQ: AKAM · Real-Time Price · USD
102.98
+3.18 (3.19%)
At close: Apr 30, 2026, 4:00 PM EDT
102.85
-0.13 (-0.13%)
After-hours: Apr 30, 2026, 6:23 PM EDT
← View all transcripts

Investor Update

Oct 22, 2020

Well, okay, it's actually 2 after. So let's go ahead and get started. You are here to hear the loyalty for sale, retail and hospitality fraud edition of the Akamai State of the Internet Security Report. Thank you all for joining. This will be recorded and the slides are available on the akamai.com site. So if you have any questions, please put them in the Q and A. If you would like to use some of these slides in your own presentations, please feel free. We would love to see people using these slides from this report. I am Martin McKay. I am the editorial director for Akamai's State of the Internet Security team. We're responsible for the SOTI. We're responsible for other types of publications that come out of Akamai. And Steve Reagan, who is the main writer and researcher for the report, works on my team. Unluckily, he couldn't join us today because of a little thing called vacation. Instead, I'm joined by Patrick Sullivan, who many of you may have heard before. Patrick is our CTO in charge of Global Securities Strategy. How are you doing, Patrick? Good morning, Martin. I'm doing really well. Thanks for having me. Looking forward to the session today. And then I'm also joined by Tony Lauro, who is Director of Security Technology and Strategy. And Tony, what is it you really do? Because I don't think you're strategic, are you? I'm very strategic. Thanks for asking. Yes, it's kind of hard sometimes to figure out what I do, but I'm trying to basically help our customers figure out how to use our technology and see if it fits as well as look at where they're going in the future to make sure that we're building new technology to match those needs. So again, just like Patrick said, thanks for having me here, and looking forward to the talk. You're going to be doing part of the talk, so it's not like you can just sit back and listen. And by the way, I fully understand. I've been in security for 20 years, but somehow I became somebody whose main job is actually going back and correcting spelling errors and putting commas and stuff in. I don't know where that came from. I wanted to start for start the conversation by just kind of letting people know what we're going to be talking about. We've been talking about credential abuse in different areas for quite some time. It's a really important thing we won. I mean, among other things, these use 2 factor authentication. But in I could probably list 15 off the top of my head where I have an account at different shops, at different grocery stores, at different airlines. I'm sure that Tony and Patrick, who travel as much if not more than I used to, have the same types of things. And so we as consumers are bouncing around between different types of accounts and have a lot of information in those. But the main thrust of our actual research this time was looking at those accounts. Because if you had an account compromise any site, there's a really good chance that at some point that has been added to one of the lists that are there. It's been tried against all of the different loyalty accounts. And so what we're seeing is large amounts of people who have not necessarily compromised a retailer or compromised a hotel, but have some other list of passwords that have been compromised in the past, and they're trying them against your site. They're trying them against the other loyalty programs, and they compile these lists and resell them. So that's kind of what we meant when we were talking about loyalty for sale. Patrick, do you have something to say on that? I think you nailed it, Martin. I mean, we've been kind of in hand to hand combat with bot operators conducting credential stuffing attacks for years. I won't reveal any of the stats until you get to them, but obviously, this sector sees an outsized share of those type of attacks. And I remember back in the early days of fighting credential stuff when we first tried a WAF based approach. And I distinctly remember the first time I bumped into this was a retailer that had their own loyalty program, and they were experiencing fraud there. So that's sort of where I began my journey in helping fight this type of fraud. So I think this segment is a really interesting one in the battle against credential stuffing. And that actually brings up a good point. Tony, where did you come to this from? I mean, you've had a lot of experience on this type of attack as well. Yeah. I love that loyalty for sale, the title sounds like episodes of The Sopranos. But, yes, I've definitely come to this from a security operations perspective. Working over the years in financial services and mobile payments company, etcetera, fraud and credential stuffing and even kind of the more benign process of account creation, this is all kind of driving new ways for us to try to detect what's happening, right? Because the bot operators are trying to look as much like actual humans as possible. And that sophistication has grown by leaps and bounds over the past 4 or 5 years. So, I'm coming at this from not just a technology perspective, but as I talk to the CSOs and other security business leaders, they're talking about like what's the adverse effect to our business, right? If I'm a retailer and I'm selling products to bots, I mean, I'm still selling products, but there's a more nuanced business problem, which is I'm not selling product to actual users who want it. They're having to pay 2 or 3 times extra on the secondary market to buy this product. Just say it's a rare product or something that's low inventory. And you're also missing out on the upsell and the relationship building opportunity as a retailer that you might not normally get that unless you're actually communicating with the end user and not just the bot. So there's a lot of different angles on this, but it's definitely something to keep an eye on for sure. Well, I wanted to finish off this part by talking about our guest essay from Jeff Borman. And the fact that for us security is a primary job skill, it is a primary concern. But for many of the people who run loyalty programs, it's an extra cost. It's something they don't necessarily want to spend money and time on. And that doesn't just apply to travel. That applies to anybody who's doing a lot of these types of programs. So it's a little scary when for us as security professionals to think about it and know that, hey, this may be 2nd or 3rd tier priority for a lot of companies, who deal with it, but it really is something that needs more attention. So credential abuse is huge. I mean, we're talking about nearly $100,000,000,000 over 2 years for all of our customers and $64,000,000,000 of those were directly related to commerce. So if you're selling something, you're commerce. And even worse, 90% of the credential abuse attacks we saw against customers were directly against retail customers. So it's not a little problem. I mean, if you look at June 15, you're seeing just against a commerce customer, actually set of commerce customers, dollars 230,000,000 credential stuffing Yes. Hopefully, they don't have to. I mean, I think this is an area where prevention is certainly preferred to a reactive approach. But the volume is built over time. Every year, these grow. I think the important part is we're getting better telemetry. These may have been hidden years ago when these were taking place and there weren't systems in place to be able to quantify the volume. So I think that's maybe the optimistic a follow-up on the ago was not quantifiable for most organizations. Part of the issue I think we need to do is I actually forgot to define what we even mean by credential business or credential stuffing or Tony, does it have a few other names that you can think of? And what does that mean to you? Yes. I mean, credential abuse is kind of a broad term. Credential stuffing or attackers use to validate if one of the credentials that they've downloaded from another previously exposed username and password list, if it works on the site that they're testing it against. And all of this, the end goal, especially in hospitality and even in retail, the end goal is ATO, account takeover, right? So whereas credential validation, if you will, is what they should be calling it, credential validation, that process might, for a certain group of attackers, that might be their main goal. They don't want to get into logging in as someone else and trying to steal loyalty points. They might just want to validate credentials. And then now that I have a valid account on a travel site or a retail site or a hotel site, now I can sell that for 5 times as much as I bought the whole list for, right? So that's part of the process. But as you kind of look at credential abuse in loose terms, it's essentially the process of validating accounts. And then the next step after validation is to log in as the user and then to commit fraud, some kind of fraud. So, it's kind of the first early stage. And that's why Patrick was saying detection is so huge here. Imagine with 1,000,000,000 and billions of credential abuse attempts, if you're getting a NetCool alert or a SIM alert every time there was a credential abuse attack, right? This can't be managed by your typical infosec processes. You've got to put automation in front of this because, frankly, the attackers are using automation as well. So where do all these attacks come? Oh, go ahead. Yes. Just to build on something Tony said, I certainly remember, again, in the evolution here, years ago, we would often get a request for help from a customer basically saying I'm under a DDoS attack. And that's how this would manifest itself, where maybe an adversary was not savvy enough to throttle their attacks, and they would bring down the whole authentication service based on the intensity with which they were testing credentials. So I think that kind of just speaks to the lack of visibility that the industry had at that time. I think these days, people are more educated about the threat, and they know kind of what to look for. And if we do get that call for help, it's much more frequently the correct diagnosis of the problem, where people are calling in and saying, hey, we're having a credential validation or a credential stuffing attack versus not understanding why the authentication service may have fallen down is kind of the first indication of a problem. So where is all coming from? Quite frankly, most of it's coming from the U. S. And what we're looking at here, by the way, I do want to be clear, we're looking at commerce attacks. So U. S. Is the greatest source and it's often the You can see on in the main column how You can see on in the main column how many of these we're seeing just against commerce on over 2 years, but you also can see on the right, what we're seeing as far as what we say here is global rank, but what we really mean is overall ranking. So U. S. Is not just commerce, it's everywhere. China, it's not just commerce, it's everywhere. And one last thing to be really clear about here, when Akamai is talking about the source of an attack, we're talking about the last hop before it hits Akamai servers. We're talking about not necessarily who's in control of it, but who where the traffic itself is coming from? Attribution, all of the things related to that are a conversation that we probably don't have time for today or even this year, quite frankly, because of how complex it can get. I mean, Tony, can you give a couple of hints of how complex attribution is in a case like this? Yeah, it's definitely tricky. As you mentioned, this is not necessarily recording where the threat actor is located, but rather where the host that they've compromised that they're using for their attack is located. So we've seen some interesting trends kind of rising over the past 18 months. One of them is the number of attacks that are originating from a single use IP address. This is the first time we've seen it before. That makes it incredibly difficult to try to perform attribution because, really, you're just seeing it for the first time. So, you've never built any kind of data set around what that activity has been from that particular host. But also, if I'm attacking a U. S.-based retailer, I certainly don't want to come from some random data center in Croatia. I want to be coming from where the customers are coming from, right, in the United States. So the attackers are building this infrastructure to basically of proxy networks and different systems to use to look like real users. And another trend that's been kind of interesting to track is they're going so far as to compromising home based IoT systems, right, because these are all just running embedded Linux. And if I'm an attacker and I'm coming from the home IP space of Tony Lauro in Dallas, Texas, for instance, on AT and T Internet Service, for instance, as a defender, it's much more difficult for me to positively So again, the attackers are really trying to look as much like a real user. So again, the attackers are really trying to look as much like a human, real user from the same geographies within the same system sets and AS numbers that you would typically see real user traffic coming from. So attribution is definitely very difficult. And the other point there, the last point is, okay, so you issue some kind of takedown or whatever the case is. The problem is that there will always be more. There's always going to be new threat actors and there's always going to be a new threat. So you have to think of things, at least we do, certainly think of things from a big picture perspective. We're trying to stop the onslaught. And if there's any other attribution that can be made from there, that's we're happy to help with that as well. But our goal is to stop the big problem that are facing our customers first. So I had moved on the slide, and I just wanted to point out something that Tony has already kind of hit upon, which is the U. S. Is the biggest target. We're also the biggest importer, if you will, of attack traffic. But I also find it interesting that China is a big importer of attack traffic. They have more coming into China than they did going out of it. But again, as Tony said, this is where the companies are headquartered. So even though the servers might be all over the world, the company headquarters are in these different countries. Boy, does network analysis get really hard in the modern age. So moving on a little bit, let's actually get into specifics. We have here a actual well, not live now, but this was one of the sales of credentials that was found as we're researching this. The two things to really be aware of with this one is, first of all, look at exactly how cheap it is to buy these accounts. You can get an account that's guaranteed good for $6 And this is not a super expensive account. There are some where you can get thousands of these accounts. In this case, it's one that's guaranteed. The other thing to notice is this merchant had been active for over a year at the time that we took the screenshot. This dark market has been shut down since then. So obviously, they're not still active. Patrick, do you have any thoughts on who's selling these things and what they're doing? Well, to say that they're not still active, maybe you qualify that within this form, right? I think this is a profession for some of these folks. So they'll likely move to this part of the business, right? There's destruction of infrastructure and then they just move to the next piece. But I think you nailed it. I mean this one is we don't want to overthink this. I mean, these are profit motivated attacks. As Tony touched on, there's an ecosystem that often relies on different specializations. So the people that of requests that validate those credentials, they're then selling that on to the next member of that ecosystem, right, in the life cycle of that attack. So again, another example of how these are being sold. In this case though, instead of selling an access to an account where people could like order groceries and then go pick them up, they're offering up a discounted gas prices. The thing to be aware of here is that the buyer is taking on a certain amount of risk when they're doing this because, well, they actually have to physically be there to take whatever gas or groceries. And yes, that's a little bit of risk, I would say. So and you notice that's the same seller, by the way. Here's where it gets interesting is when we're talking about loyalty cards where we're actually seeing it used for the points. I mean, 10,000 Hilton Honor points. Tony, do you travel much anymore? And do you have any idea of how many nights that you might be able to get for that? Because it's only going to cost you $3 for the account. Yes. I mean, you typically can get a night stay from $15,000 to maybe 30 1,000 for a really nice room, 35,000. But, yes, this is definitely something where there's a direct benefit and a direct risk to the person who using this, right? So, what we see is that many times, the threat actors are basically trying to just be in part of this. Nobody wants to own this whole process of credential validation and then ATO and then, obviously, committing fraud. But there are some people who are like, listen, you're never going to catch me. I'm in a country where it doesn't matter, and there's certainly hotels here that I can use. So I'm just going to transfer these off. You can also a lot of the loyalty points, you can transfer off the physical goods, right, a gift card, products, etcetera. So there is a lot of different ways that attackers can basically kind of money mule the loyalty points out of the system into something that's beneficial for them. Yes. And what we don't show is that there are accounts to buy that have 600,000 to 1,000,000 points or more and that's about $8.50 So, yes, these are this is lucrative for the seller. Moving on, this is where from some of our discussion got really interesting because this goes beyond just selling the account. We have folks like this seller, Tetra Custom Hotel Bookings, where they're giving a 25% to 35 percent discount on booking travel, booking hotels. They do it by either having transferred loyalty points, by abusing discount programs, having insider access, or third party services are being abused. And this is apparently in some of the underground economies, this is really a big business. I mean, Patrick, do you hear concerns about this when you're out and about and how much of this is going on? It's a large problem, right? And I think Tony touched on it. I mean, there's easy ways to monetize this directly or leverage the portability that exists in these mature loyalty platforms. And then maybe one other thing to think about, right, I mean, we see a variety anything with a login is subject to the type of abuse we're describing here. But I guess maybe the difference if you were to go after credit cards versus going after loyalty, when you start dealing in moving credit cards and then you have the large fraud teams from the major credit card providers that are keeping an eye on you. Here, it's up to each individual owner of that loyalty account to track this and to combat this themselves. So that also could be part of the calculation of why loyalty is so popular here. And it's not what we're talking about here today specifically with the loyalty programs being compromised, but maybe the first cousin of that challenge really around gift cards, right? So any retailer that offers gift cards, which are a popular choice, they face a very similar threat where you have this automation that will attempt to identify a valid gift card that has some type of a balance so that somebody could then defraud the rightful owner of that gift card. So that's also something that the folks in this space, a challenge that they all face as well. Good point. Good point. So how do they get a lot of this? Where are the attacks? What types of attacks are leading to some of these compromises that create these large groups of accounts? Quite frankly, more than anything, it's SQL injection attacks. It's some of these sites might have some poor hygiene in their code and that means that an attacker can get to them. SQL injection is almost 79% of all of the attacks that we saw against Commerce. Commerce is what the single biggest group, I think, for this type of attack. Dollars attacks against that's just SQL injection attacks against commerce. Tony, you want to take a quick second and kind of explain how people use SQL injection get to what's behind the site? Yes. I mean, what's interesting about this is that SQL injection has kind of always been one of the top attack types that we've seen. And the OWASP Top 10 has included it for quite some time. But what's interesting is closely following that is normally to on a web server. And the other one is making the web server execute a remote file that exists somewhere else. But all of this is really based on the principle of even if the, you know, the front end because that's what the front end app is allowing it to do. And, oh, yeah, that same database is probably being queried by other systems. So even if another system is not exposed to the web or exposed to a particular vulnerability, if I can use SQL injection to query that database and get access to data that may be hidden behind another application that is more secured, now I've got the best of both worlds, right? So that's why you see these things, sequel injection and LFI and RFI typically at the top, because it's really showing the attacker's mindset is they're trying to get access to something they're not supposed to have access to. And that's typically why you see that as a top attack cycle. Now I'm going to hit the next slide relatively quickly because it shouldn't come as a surprise. If you saw the earlier slides and heard what we said, the United States is the top target, period. And this goes for web application attack as as everything else. It's where many of the customers we have are headquartered, it's where many of the customers that are doing online. But you see the growth in the United Kingdom and Germany and other places. Now where is it coming from? This one was a little surprising. Russia, I mean, we're seeing it coming out of Russia. We're seeing it out of the United States. But seeing Russia take that top spot was a little surprising. And I think that in large part that comes back to what we call bull proof hosting. Either one of you want to take a stab at explaining what a bull proof hosting is or should I go for it? Yeah. Mark, I mean, it's pretty straightforward. I think in many countries, if there's a complaint about an organization hosting, nefarious activity, there's a process to, to decommission that activity. There are other areas where attackers, as long as they maybe don't attack targets in their own geography, they're not real they're protected essentially from those types of takedowns. And Martin, maybe just to give a glass half full on the breakdown of these web app attacks. It's interesting that cross site scripting has worked its way down the list. So I think there's a bit of optimism there where what maybe that we're seeing is some of the IDEs and tools that developers leverage as those are more automated today, some of those now will force a developer to use kind of a safe method. And if they use an unsafe method, in some cases, they have to actually explicitly include something in that language that acknowledges the I do feel like we are making progress in the software development. I do feel like we are making progress in the software development life cycle, and maybe we're seeing that play out in terms positives, the Netherlands used to be one of the single biggest offenders, I hate to say it that way, but that the single biggest sources and because of bulletproof hosting. But over the last few years, used to be a few years ago, almost every single report. So that's a good thing. But one of the things that Tony mentioned earlier is where are these attacks coming from? Actually, let me stop here for just a second saying, if you've got questions, please put them in the Q and A. We'd love to answer your questions. And we are kind of coming towards the end. So anything you want to know, let us know. But back to this particular issue, yes, I mean, this is how it happens. This is the raw material for much of the ecosystem where Ixico got compromised. They lost 17,204,000 records. We to log in and create validated databases. And that's what this is all about. That's what where this all starts. Tony, you want to elaborate on that a little bit? Yes. As I said before, I think what's interesting here is that there's no shortage of other organizations that are getting breached, right? I think one of the main goals is, and certainly from a Akamai perspective and our customers, we don't want your database through SQL injection or whatever other means to be compromised and end up as part of this list. Because one thing that's happened over the years, if you remember, remember you used to have like a unique username, like ladiesman227, right? That wasn't mine, but just as an example. But now all of your usernames are generally standardized on your email address, right, which is, of course, unique to you in your own email, but it's also not private. It's something that is freely shared to the world. So now kind of 50% of the username and password combination guest process is already done. So if you can take and this is where password stuffing comes in, you could take a single e mail address and try the top 25 most used passwords, and if one of those hit, and certainly, if you've used that email address and a specific password on this other site that the attacker is testing against? So, that's what the attackers are hoping for. And based on the results that we see, it works, right? People reuse passwords all the time, and that's what's kind of fueling this in the first place. So the question would be, what can you put on top of that authentication process to better secure the user account? And that's the question that everyone's pointing at right now. I think this is what I say, please use multi factor authentication wherever it's offered. Please use a password vault and randomized passwords anywhere you can. But that's off my soapbox now. So at the end here, we kind of wanted to take this in a little bit different direction because there's been a lot happening since we kind of cut off the data for the SOTI extortion DDoS, ransom DDoS. Patrick, I'm going to hand it to you because I think you're better suited to kind of explain what's been going on and what's happening on that than I am. Yeah. Absolutely. I think things have gotten really interesting on the DDoS front. Unfortunately, right after the interval here we had for the SOTI, so the data here probably won't reflect what's been happening. But I think as we saw 2020 begin to emerge, there was a lot of concern from many of the organizations that I work with that we're really dependent on remote access now in a way that we weren't before. So we want to make sure that, that is protected with always on DDoS mitigation. So that seemed to be kind of where everybody was focused. The good news is we haven't seen that become a major target. So we're not seeing targeted campaigns to take out remote access even though that's organizations are more susceptible to that this year. But what we have seen is probably the most sustained and most organized DDoS extortion campaign that we've seen in years. And really, this is a really straightforward attack. It's send a sample DDoS attack or reference a successful DDoS attack that you've been able to commit against another organization, follow that up with a to the organization requesting some Bitcoin against the threat of those attacks persisting. And when we say that this adversary is more organized, years ago, we would see the DDoS for Bitcoin campaigns and the extortion attempt would come in on a chat session with a customer service representative who was ill equipped to know what to do with that, so the chances of that getting to the right team within the organization were low. We see a lot of recon these days where they're clearly on LinkedIn and the extortion note goes directly to somebody who can action that, who knows what that threat is all about. The attacks have been as high as the 100 gigabits a second. So these aren't record breaking attacks that are causing us to rewrite or redesign anything. They're pretty manageable if you have cloud protection. But these are big enough that if you don't have robust DDoS mitigation services in place, Couple 100 gigabits a second will do damage, particularly as they're mixing in 9 or 10 different vectors as part of that. So there's it's certainly not all bark and no bite from these campaigns. There's been follow through. And maybe something else that's remarkable about it is just the breadth, right? So typically, we'll see these campaigns focus on one vertical. So we saw people using the same names as these groups purport to be 2 years ago, but they only went after a set of financial services organizations in a limited geography. This campaign has, according to the FBI, more than 1,000 organizations have been targeted. So it's across verticals, across geographies. That has been remarkable to follow just how pervasive these adversaries have been. Tony, you've been dealing with this a lot as well, haven't you? Yes. I remember in 2015, we saw a lot of activity from groups like R Mind team and Armada Collective and BB4 VC. And some of those groups are part of this current active campaign. What is kind of kind of speaking to what Patrick mentioned, there is a lot of sophistication here. One, just it was really surprising to us that they're actually getting these e mails directly to the people who need to see them. I mean, as Patrick mentioned, we kind of joke sometimes too, like, yes, if you're sending an extortion note, you enough, they've been doing that. But when you start to track the distortion process, like who's paid what to Bitcoin wallet, etcetera, that's where it gets a little bit more interesting because in some cases, in the past, we saw an extortion note that was emailed out, and the groups were so disorganized, it's like, oh, October 21st came and left, and we didn't get attacked. Well, it's because the extortion group forgot to come back and attack you as they promised, right? Because they're doing this to thousands of different people at the same time. They can't really manage that. This time around, it's been a lot more cooperative, so to speak, in terms of how they're working, assuming it's more than 1 person working this process across the group. The other thing, too, is that there's no guarantee that if you pay, they're not going to attack you or that if you pay, they're not going to say, hey, they've already paid, maybe they'll pay us more if we threaten them again. You know what I mean? And also the copycat groups, it would be very easy for an attacker to say, hey, here's who we are, and points to some article that talks about an actual group that's doing DDoS distortion. Pay money to this Bitcoin wallet, and sure enough, if you track those as well, those people are getting paid from time to time. So Well, actually Yes. That you bring up a very important point there is they claim to be this group or that group that has historically done these types of attacks. We really don't know. I mean, they can claim to be anybody they want, whether they're the real attacker or That's going to be something that law enforcement has to figure out. That's going to be something that law enforcement has to figure out. Yes. Lots of times, there's some tells maybe in the email and maybe in what they claim to know about the group that if you've been and discrepancies across what Bitcoin wallet address they're putting into the ransom note, that can also tell you sometimes if it's part of the same campaign. Maybe they just changed Bitcoin wallets or maybe it's a copycat group just trying to piggyback. So yes, you're right. It is difficult to track that at a large scale. And Patrick, one of the things oh, go ahead. Yes. Just one more point there. Not necessarily attributing the attack to an individual from a law enforcement and takedown perspective. But when you look at the attacks, there are TTPs you can see there. So there are things that can give you some confidence that this shows all the hallmarks of being in the same group based on the techniques and the type of attack that we're seeing when they follow through. So there are things you can do there to build some confidence that this is indeed the same crew because it's unlikely that somebody would have an attack that would look so similar, right? So there are some things you can get there from the attack perspective to build some profiles. And I want to ask you a question. All right. Well, one of the other things that you said earlier that I really want to have you come back to and highlight a little bit more, which is when we saw this 5 years ago, 7 years ago, it was mostly against finance. This in some ways started against finance, but then it's expanded. Could you talk a little bit about that and why it's not just one vertical, everybody's being targeted by these groups right now? Yes. That's true. I mean, it's hard to speak to their motivation, but there are, I guess maybe some organizations go whale hunting, right? They maybe they assume that going after the world's largest financial services organizations could net them larger kind of single payouts. Based on the pervasiveness of this campaign, it seems like they're at this more from a pervasiveness of this campaign, it seems like they're at this more from a volume perspective where they want to certainly, they're going after those type of targets in finance, but then they quickly pivoted to other verticals, right? And they appear almost to have like a CRM where they're so methodical, they're working kind vertical by vertical. And we've seen that in limited perspectives before, but typically, that kind of fizzles pretty quickly. We've where you'll start getting calls from a vertical and then the next week, it'll be a different vertical. So we've seen that in the past. But this one, much broader in their targeting than we historically see. And that actually brings us the end of the general discussion. If you've had any questions, please type them in now and we'll answer what we can. But as we're heading as we're kind of closing this off, Tony, I'll let you go first. What are kind of the thoughts you want people to take away from today's discussion? Well, I think the biggest thing for me is that the attacker toolset and tactics and ecosystem has continuously been growing. The types of attack tools, I mean, even in the case of DDoS, every once in a while, we'll see a very novel DDoS attack that has different attack sectors we haven't seen or maybe they're mixing multiple attack vectors, etcetera. But when it comes to retail and hospitality, especially from the fraud perspective, it's a lot more bespoke, right, because they're not trying to take down a system. In fact, what they're trying to do is interact with the system as though a normal user would, right? And there's one thing to say, hey, I want to get superuser access or root access on a system and download a database. That's one flaw. But more often than not, it's a more nuanced approach to trick you into thinking you're communicating with a valid user account, right? So this is where identity protection and multifactor authentication and things like that kind of fit into this big picture because just knowing if it's a bot or a user, I mean, heck, there's a lot of this communication that, especially for credential abuse, that happens over APIs. In fact, to a tune of 4 or 5 times the amount of credential abuse tax, we've reported this in previous SODIs, is targeting mobile APIs. And the basic reason is, 1, because you assume that the API traffic is machine to machine or application to machine traffic, right, from your mobile application and you're logging into the loyalty site, for instance, but the attackers take those calls and they make something different happen over that API call. So as you look at kind of how attackers are expanding that process, they're really trying to, again, integrate more with what a real user looks like and then take advantage of the things that they can under that assumption. So we've got one question so far from Andre. Can we discuss the recommendation for 2 factor authentication methods for loyalty programs? I mean, from my point of view, it's not necessarily that a consumer can enable this, but it's taking advantage of it as consumers. But Patrick, I'm going to turn this over to you. What should the loyal the people responsible for the loyalty programs be looking at instantiating and making accessible for people like end users like you and me? Yes. I mean, this is where sort of the battle between user experience and security comes to a head, right? So application based MFA is not perfect, but it would certainly make things more difficult for the adversary. But many organizations may not want to do that for everybody. So I think we're working with our customers to help give them signals around the risk of a request so that maybe you get into more of the model where maybe you start with sort of a risk based step up, where if I typically am traveling 80% of the time, but the last couple of months, I am pretty much locked into a particular geography and network. So if all of a sudden I were to pop up at a distant location, that would be risky. Along with some of the indication, is it a human? Is it a bot? So I think that's where we're trying to partner with our customers to strike that balance between friction and applying that friction at a smart point of interaction selectively. But in general, wherever we can introduce that MFA, that would be helpful along the way. And do you have any closing thoughts, Patrick, beyond that? Yes. So I think looking at this report, Martin, I think you pulled together an interesting report. So thank you and Steve for the research there. But it correlates with other trends that I see. So everything we've talked about today has been attacks targeting the web front end of the business. And given everything that's happened in 2020, there's a lot of face to face interactions that can't take place. But everything web related is off the charts, The traffic is breaking records. I think every one of the types of web attacks that we measure, as you highlighted here, they're all up. Sometimes you'll see these dips in credential stuffing where it slows down for a bit and it picks up, but we haven't really seen that cessation and attack volume occur. So I think that correlates what we see. And then the other thing that just jumps right out is if you look at the Verizon VBIR, it just seems like authentication is the preferred vulnerability or weak point that people are targeting, right? So account brute forcing, whether it's to get into the network for employees or on the consumer side that we're highlighting here, that's where the breaches tend to be occurring. So it's no surprise that we're seeing the increase here. I'm always for giving props to the folks over at that on the DBIR team, their friends and helped contribute to some of that data. So, glad you brought that up. My closing thought, a lot necessarily my consumer side, but it's we can't necessarily rely on everybody to be good from the consumer side and use complex passwords. So they should be using password faults. I use 1, you use 1, most of the people on this call probably use 1, but we need to encourage that more. And on the other side, we also need to encourage more companies to use multifactor authentication of some form, even if it's just, hey, I'm sending your phone a text, which yes, there's lots of ways to get around it, but even that is one more hurdle the bad guy has to overcome and makes it that much more expensive to compromise the account and therefore makes it less likely that they're going to try those accounts. So retail and travel and hospitality are some of the biggest targets around. This is something that's indicative across multiple vector across multiple types of companies. So as an industry or not as an industry, but as a organization, no, that's not even the right term, as a career path, security professionals need to be pushing that at companies that have remote as much as possible. Well, gentlemen, thank you very much for joining me on the call today and sharing opinions with everybody. So you can find more about the Akamai State of the United Security Report at akamai.com/soti. And I was serious, themselves. Patrick, have a good rest of your day.