The global rise of credential stuffing attacks is made possible by customers reusing the same credentials across different websites and by attackers' easy access to stolen credential lists.
A credential stuffing attack is the result of attackers taking stolen credentials (usernames and passwords), using botnets to validate which of them still log in, and taking over the resulting accounts to commit fraud.
Examples of fraud can range from the purchase of goods, gift cards or voucher codes at e-commerce firms, to stealing points in loyalty programs of airlines and hotel chains.
Companies that have been the target of such attacks suffer financial losses and increased rates of customer churn.
It is difficult for companies to distinguish legitimate users from attackers, as the stolen credentials may be valid.
In December 2017, security researchers found an interactive database on the Dark Web that contained over 1.4 billion clear-text credentials, organized for easy search and retrieval.
The researchers confirmed that the credentials were valid by contacting a small subset of credential owners, many of whom were unaware that their credentials had been exposed in past security breaches.
Tools such as Sentry MBA enable attackers to automate the validation process without needing to write their own scripts.
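The attack pattern described above, one source validating many stolen username/password pairs of which most fail and a few succeed, is what a defender can look for in login logs even though each individual credential may be perfectly valid. The following is an added example written for this page, not Akamai's or any vendor's code; the log format, the thresholds and the sample log lines are constructed assumptions. It flags a source that attempts logins for many distinct usernames in a short window with a low success ratio, and lists the accounts that did succeed as takeover candidates.

```python
"""Detect credential-stuffing patterns in web login logs.

Added example for this page, not Akamai code. The log format, thresholds
and sample lines are constructed assumptions for illustration only.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log: "<timestamp> <source IP> <username> <OK|FAIL>".
# 203.0.113.7 behaves like a credential-stuffing bot (many distinct users,
# mostly failures, a couple of hits). 198.51.100.2 looks like a user who
# mistyped a password once. 192.0.2.9 is a single normal login.
SAMPLE_LOG = """\
2017-12-01T10:00:00Z 203.0.113.7 alice FAIL
2017-12-01T10:00:01Z 203.0.113.7 bob FAIL
2017-12-01T10:00:02Z 203.0.113.7 carol FAIL
2017-12-01T10:00:03Z 203.0.113.7 dave OK
2017-12-01T10:00:04Z 203.0.113.7 erin FAIL
2017-12-01T10:00:05Z 203.0.113.7 frank FAIL
2017-12-01T10:00:06Z 203.0.113.7 grace FAIL
2017-12-01T10:00:07Z 203.0.113.7 heidi OK
2017-12-01T10:00:08Z 203.0.113.7 ivan FAIL
2017-12-01T10:00:09Z 203.0.113.7 judy FAIL
2017-12-01T10:05:00Z 198.51.100.2 alice FAIL
2017-12-01T10:05:30Z 198.51.100.2 alice OK
2017-12-01T11:00:00Z 192.0.2.9 mallory OK
"""


@dataclass(frozen=True)
class LoginEvent:
    ts: datetime
    src_ip: str
    username: str
    success: bool


def parse_log(text):
    """Parse the constructed log format into LoginEvent records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append(LoginEvent(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                                 ip, user, result == "OK"))
    return events


def find_stuffing_sources(events, window=timedelta(minutes=10),
                          min_attempts=8, min_distinct_users=5,
                          max_success_ratio=0.5):
    """Return {src_ip: finding} for sources whose busiest window shows
    many attempts against many distinct usernames with few successes.

    Distinct usernames is the key signal: a brute-force attack or a user
    mistyping a password hits one account repeatedly, whereas a stolen
    credential list is tried once per account. Thresholds are assumptions
    and must be tuned to the site's normal traffic.
    """
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e.src_ip].append(e)

    findings = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e.ts)
        # Slide a time window over this source's events and keep the
        # window that touches the most distinct usernames.
        best_win, best_users, start = [], set(), 0
        for end, e in enumerate(evs):
            while e.ts - evs[start].ts > window:
                start += 1
            win = evs[start:end + 1]
            users = {x.username for x in win}
            if len(users) > len(best_users):
                best_win, best_users = win, users
        successes = sorted(x.username for x in best_win if x.success)
        ratio = len(successes) / len(best_win)
        if (len(best_win) >= min_attempts
                and len(best_users) >= min_distinct_users
                and ratio <= max_success_ratio):
            findings[ip] = {
                "attempts": len(best_win),
                "distinct_users": len(best_users),
                "success_ratio": ratio,
                # Accounts that logged in from a flagged source: candidates
                # for forced password reset and fraud review.
                "compromised": successes,
            }
    return findings


if __name__ == "__main__":
    for ip, finding in find_stuffing_sources(parse_log(SAMPLE_LOG)).items():
        print(ip, finding)
```

In the sample, only 203.0.113.7 is flagged (10 attempts, 10 usernames, 20% success), and dave and heidi are reported as accounts to review; the retry from 198.51.100.2 against a single username is not flagged. Because the page notes that attackers validate credentials through botnets, a real deployment should aggregate on more than source IP (for example, a client fingerprint or request header profile), since a large botnet spreads attempts thinly across many addresses.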
Akamai commissioned the Ponemon Institute to survey companies in Asia Pacific on the impact of credential stuffing, to determine the scale and financial impact.
Here are the key highlights from the research, collated from 538 security professionals who are familiar with credential stuffing and are responsible for the security of their companies' websites.
· Companies experience an average of 12.2 credential stuffing attacks a month, with each attack impacting an average of 954 accounts.
· 51% of respondents agree that moving applications to the cloud has increased the risk of credential stuffing.
· 59% of respondents believe they have no visibility into credential stuffing attacks.
· Over 80% of respondents shared that it is difficult to detect and to remediate credential stuffing attacks.
· The average cost of credential stuffing, excluding fraud, is USD 3.85 million.
· The cost of fraud varies from USD 284,649 to USD 28.5 million.
For the full details of the research, you can download the report.