Companies are losing an average of US$4 million due to credential stuffing attacks each year, according to new research commissioned by Akamai, the intelligent edge platform for delivering and securing web experiences.
Credential stuffing plays on the likelihood that individuals will use the same username and password across multiple applications, sites and services.
Cybercriminals take stolen account details from one platform and deploy bots to log into vast numbers of others using the same credentials.
Once they have gained entry, criminals will abuse an account until its owners become aware, often making fraudulent purchases or stealing confidential information.
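The mechanism described above leaves a characteristic trace in a site's login log: one source cycling through a list of different usernames, almost all of them failing, and then the occasional success that marks a stolen credential as validated. The following is an added example, not code from Akamai, Ponemon or the research; the log format, the field names, the thresholds and the sample lines are all constructed assumptions. It parses a constructed log, applies a sliding-window check per source (at least five distinct usernames with a failure rate of 80% or more inside five minutes) and reports which accounts were successfully logged into by a source behaving that way:

```python
"""Added example (not the research's or Akamai's code): a minimal
credential-stuffing detector over login logs.

The log format, thresholds and sample lines are assumptions. The signal is
the one credential stuffing produces: one source trying many different
usernames, mostly failing, and then a success, which means a stolen
credential has been validated and that account is now exposed.
"""
from collections import Counter, defaultdict, deque
from dataclasses import dataclass, field
from datetime import datetime, timedelta
import re

# Constructed sample log (not real traffic). Assumed format:
# "<ISO timestamp> ip=<client> user=<username> result=OK|FAIL".
# 192.0.2.44 walks a list of usernames; the others are ordinary users.
SAMPLE_LOG = """\
2023-05-01T10:00:01Z ip=203.0.113.7 user=alice result=OK
2023-05-01T10:00:30Z ip=198.51.100.2 user=bob result=FAIL
2023-05-01T10:00:41Z ip=198.51.100.2 user=bob result=OK
2023-05-01T10:02:00Z ip=192.0.2.44 user=alice result=FAIL
2023-05-01T10:02:01Z ip=192.0.2.44 user=bob result=FAIL
2023-05-01T10:02:02Z ip=192.0.2.44 user=carol result=FAIL
2023-05-01T10:02:03Z ip=192.0.2.44 user=dave result=FAIL
2023-05-01T10:02:04Z ip=192.0.2.44 user=erin result=FAIL
2023-05-01T10:02:05Z ip=192.0.2.44 user=frank result=FAIL
2023-05-01T10:02:06Z ip=192.0.2.44 user=grace result=FAIL
2023-05-01T10:02:07Z ip=192.0.2.44 user=heidi result=OK
2023-05-01T10:02:08Z ip=192.0.2.44 user=ivan result=FAIL
2023-05-01T10:02:09Z ip=192.0.2.44 user=judy result=FAIL
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$")


@dataclass
class LoginEvent:
    ts: datetime
    ip: str
    user: str
    ok: bool


@dataclass
class Finding:
    ip: str
    attempts: int = 0
    failures: int = 0
    users: set = field(default_factory=set)
    validated: set = field(default_factory=set)  # usernames that logged in OK


def parse_log(text):
    """Parse log lines; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(LoginEvent(
                datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
                m["ip"], m["user"], m["result"] == "OK"))
    return events


def detect_stuffing(events, window=timedelta(minutes=5),
                    min_users=5, min_fail_rate=0.8):
    """Flag sources that, within any sliding time window, try at least
    `min_users` distinct usernames with a failure rate >= `min_fail_rate`.
    One human mistyping their own password never trips this: one username."""
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        by_ip[e.ip].append(e)

    findings = {}
    for ip, evs in by_ip.items():
        win, user_counts, failures = deque(), Counter(), 0
        for e in evs:
            win.append(e)
            user_counts[e.user] += 1
            failures += not e.ok
            # evict events that have fallen out of the window
            while e.ts - win[0].ts > window:
                old = win.popleft()
                user_counts[old.user] -= 1
                if user_counts[old.user] == 0:
                    del user_counts[old.user]
                failures -= not old.ok
            if len(user_counts) >= min_users and failures / len(win) >= min_fail_rate:
                f = findings.setdefault(ip, Finding(ip))
                f.attempts, f.failures = len(win), failures
                f.users |= set(user_counts)
                # a success from a source behaving like this is a validated
                # stolen credential: that account needs a forced reset
                f.validated |= {x.user for x in win if x.ok}
    return findings


if __name__ == "__main__":
    for ip, f in detect_stuffing(parse_log(SAMPLE_LOG)).items():
        print(f"{ip}: {len(f.users)} usernames, {f.failures}/{f.attempts} failed, "
              f"validated={sorted(f.validated)}")
```

Two caveats a practitioner should keep in mind with this kind of check. A per-source threshold is blind to a botnet that spreads the list across thousands of addresses, a few attempts each, so it needs a site-wide companion signal (the overall failure ratio and the share of attempts against usernames never seen before). And a shared NAT or corporate proxy can legitimately present many usernames from one address, so a hit should trigger step-up authentication or rate limiting rather than an outright block.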
The research, carried out by Ponemon Institute, identified that the volume and severity of credential stuffing is increasing, with companies now experiencing an average of 11 credential stuffing attacks every month.
Each attack targets an average of 1,041 user accounts and brings three kinds of indirect cost: application downtime, loss of customers and the involvement of IT security staff. These add up to annual average costs per business of US$1.2 million, US$1.6 million and US$1.2 million respectively, on top of the direct cost of fraud.
“We’re used to the idea that lists of stolen user IDs and passwords are being spilled across the Dark Web,” said Jay Coley, Senior Director, Security Planning and Strategy, Akamai Technologies.
“But the continued rise in credential stuffing attacks shows that the danger is almost unlimited. Cybercriminals are increasingly using botnets to validate those lists against other organisations’ login pages, widening the impact of a hack.
“It’s clear that companies have a responsibility to get ahead of this practice to protect their customers and employees – but they also need to protect their own bottom line.”
Managing credential complexity
Most organisations have a complex credential abuse attack surface. In fact, the research revealed that companies have an average of 26.5 customer-facing websites in production, providing a high number of entry points for bots to break in.
This is further complicated by the need for companies to provide login access for different types of clients, including customers on a desktop or laptop (87%), mobile web browsers (65%), third parties (40%) and mobile app users (36%).
The complexity of the attack surface helps to explain why just a third of companies say they have good visibility into credential stuffing attacks (35%) and believe attacks against their websites are quickly detected and remediated (36%).
Coley said: “Modern websites are sprawling entities that can comprise hundreds or thousands of web pages and support many different types of clients and traffic. Companies understanding their website architecture and how clients flow from different pages to their login endpoints is essential to successfully mitigating credential stuffing attacks – and keeping costs under control.”
Identifying the imposters
Organisations are struggling to identify the imposters, with the majority (88%) of respondents agreeing it is difficult to tell real employees and customers from criminal intruders. This challenge is not being helped by a lack of clear ownership in the business, with over a third (37%) of respondents saying no one function is leading on the identification and prevention of credential stuffing attacks.
Coley concluded: “The best way to beat bots is to treat them for what they are: non-human. Most behave nothing like real people, but their methods are becoming more sophisticated. This is why companies need bot management tools to monitor their behaviours and distinguish bots from genuine log-in attempts.
“Instead of standard log-in systems which just check whether a username and password match, they need to look at key-press patterns, mouse movements and even the orientation of a mobile device. With the potential cost running into the millions, the urgency to identify and put the brakes on these bots has never been greater.”