2024 is the year of elections, with more voters than ever before hitting the polls across at least 64 countries. This summer, voters across the United Kingdom participated in the July 4th general election, electing 650 members of Parliament to the House of Commons. With the surge in elections has come a surge in campaign donations, resulting in large volumes of transactions being processed by donation platforms, making them attractive targets for cybercriminals.

Donors often provide personal and financial information, such as names, addresses, and credit card details. Securing this information is crucial to prevent identity theft and financial fraud, which can have severe consequences for individuals and damage public trust in the platforms.

Trust in the integrity and security of donation platforms is vital for encouraging continued election participation and contributions. A breach or data leak could undermine confidence, leading to reduced donor engagement and potential financial losses for political campaigns.

Security Assessment of Donation Sites

DataDome tested the donation platforms for the UK’s seven major political parties (Labour, Conservatives, Liberal Democrats, Reform UK, SNP, Plaid Cymru and Green Party) in order to assess their security measures against automated and fraudulent activities.

Key findings:

Most Donation Sites Lack Critical Security Measures

• When evaluating the seven donation sites, all lacked critical security measures. Only three of the sites, Plaid Cymru, SNP, and Reform UK, had a login endpoint. Regardless of login endpoint, every site was missing critical security features to protect against bots and credential stuffing attacks.
• Only two of the seven websites, Labour and SNP, leverage reCAPTCHA, and even then they only use the security feature on account creation pages, not on login pages. The use of reCAPTCHA alone is not enough to stop fraud with the trending use of CAPTCHA farms, leaving these sites still vulnerable to bots.
• When evaluating the seven donation sites, DataDome found that most did not offer an option to login. This means it is possible to make donations without creating an official account, reducing the barrier to entry for bot traffic and fraudsters.
• The other platforms had no effective security measures, relying solely on basic defenses that are no match for today’s sophisticated bots and fraudsters.

Lack of Logins and Protected Accounts

• Unlike other donation sites DataDome has observed, the majority of the UK election-related donation sites lacked the ability to login or create an account to begin with. Many sites allow for donations without a login.
• Importantly, for the few sites that did use logins, login endpoints on these platforms were left completely unprotected, presenting a significant opportunity for account takeover. Using a popular open source bot framework, we were able to create a bot capable of successfully logging into our own account without being challenged by any security countermeasures.

Potential for Credential Stuffing Attacks

• The lack of robust protection on login endpoints exposes user accounts to credential stuffing attacks. These attacks can lead to unauthorised access, allowing attackers to harvest personal information and stored credit card data.
• Many users save their credit card information for recurring donations, further increasing the risk of financial theft and data breaches​.

Implications and Risks

• Credential Theft and Account Takeover: Attackers gaining access to user accounts can scrape sensitive information, including credit card details. This poses a high risk for both financial fraud and identity theft​​.
• Reputation Damage and Loss of Donor Trust: Security breaches can lead to significant reputational damage, potentially eroding donor trust and impacting future fundraising efforts​.
• Financial Implications: The financial losses from fraudulent activities, chargebacks, and potential legal penalties could be substantial for these platforms​​.

Recommendations

While the 2024 UK election is behind us, the next local elections will take place in less than a year, in May 2025, making now a prime time for donation sites and donors to prepare for future risks. To mitigate these risks, donation sites and donors alike can take steps to enhance their security posture.

Donation sites:

• Enhanced Authentication: Deploy two-factor authentication across all critical user interactions, including logins and transactions, to add a layer of protection against unauthorised access​.
• Advanced Bot Protection: Transition from basic CAPTCHA systems to more sophisticated bot management solutions that provide real-time detection and mitigation of automated threats​​. In particular, the bot protection must be resilient against sophisticated attackers capable of passing CAPTCHAs using CAPTCHA farms, be able to detect attacks started from thousands of IP addresses using proxies, and be able to detect bots that mimic human-like behavior.

Donors:

• Donors can shore up their account protection by using a unique and strong password generated using a password manager, either a dedicated one like Bitwarden or Dashlane, or the one from their browser. Credential stuffing attacks work because people reuse the same email/password across different websites/applications. Thus, if one of these services gets breached, attackers can try to reuse passwords from this leak on (an)other website(s).

Conclusion

The current surge in campaign donations underscores the urgent need for robust cybersecurity measures on donation platforms. Protecting donor information not only safeguards individuals but also upholds the integrity and trust essential for democratic participation. By prioritising security, campaigns can foster confidence among supporters, ensuring their continued engagement and financial backing in the electoral process.