Credential Stuffing: Big Breaches Have Bot Attacks Ramping Up Fast
Posted December 20, 2018
A spike in large data breaches in recent months is fueling a credential stuffing epidemic around the world, as cybercriminals use login credentials from one business to hijack customer accounts at another.
Through the use of automated bots, they are able to carry out these attacks at a large enough scale that credential stuffing is emerging as a critical new data breach risk, as these login attacks can expose further sensitive information stored by consumers in these hacked accounts.
Credential stuffing is posing such an increased threat, that it is starting to rival more traditional network-based attacks as the major concern for organizations looking to stay out of the headlines for breaching customer data.
In August, thieves made off with $13.5 million in a bank heist precipitated by a credential stuffing attack. Other banks have also suffered from the same technique, resulting in the exposure of names, birthdates, account numbers, and transaction histories of banking customers.
And in November, Dunkin’ Donuts began informing some of its DD Perks program members that their accounts had been compromised in a similar fashion. According to ZDNet, there were over 30 billion fraudulent login attempts made through credential stuffing just within the last 12 months.
Central to this contagion: a slew of massive data breaches which have compromised record numbers of personal information. It’s estimated that more than 3.3 billion personal data files were stolen in just the first half of 2018.
Unfortunately, once credentials are stolen, the damage doesn’t stop at the company that’s been breached. In fact, their usefulness to cybercriminals is just getting started.
As Easy as ‘1234’
The fact is, far too many of us use the same password for numerous accounts—and we all tend to use the exact same ones. This year’s data breaches revealed that a shocking number of people share “password,” “1234,” and “5555” as their passwords on one or more (if not most) of their online accounts.
Which means the same credentials used to access a customer’s reward points account for their favorite coffee chain, for example, might also unlock other accounts—media streaming, dating, banking, you name it.
These login credentials are dishearteningly easy to acquire, too. Leading up to the 2018 holiday season, for instance, stolen customer login credentials for major retailers were for sale on the dark web for between $1.20 to $6.00 each, accounting for 51% of all black market credentials.
Social media logins, including instant messaging and dating sites, ranged between $1 to $10. Bank accounts and credit cards were going for $0.50 to $15.50. Once these credentials are harvested, they can be monetized.
A Growing Threat
For those just tuning in, credential stuffing involves using bots, or automated scripts, to login and hijack customer accounts en masse, usually from distributed points within a botnet.
In a typical scheme, cybercriminals run small scale credential testing attacks on a targeted site in order to separate out valid credentials before using them to defraud the business.
According to ThreatMetrix data, there were a staggering 2.6 billion bot attacks in the first half of 2018, and we have seen in times of elevated online activity, such as the recent Black Friday peak shopping week, bots emerge as the number one attack vector.
For instance, one of our retail clients was hit with a whopping 20 billion bot-based login attempts in a sustained attack that commenced on Cyber Monday. But more advanced attacks take a “low and slow” approach, trickling in at 1 to 2 logins per hour, making them very difficult to detect.
The average estimated losses from credential stuffing attacks is $6 million per company each year. Yet despite this, ZDNet reports that only 30% of companies have deployed tools to mitigate the threat, mostly out of fear it will diminish the customer experience. These companies need to urgently look to more advanced authentication technologies that can accurately distinguish between real users and cyberattacks in a way that is completely invisible to consumers.
Beat Bots, Break the Experience?
More traditional defenses against credential stuffing include multi-factor authentication, challenge-response tests, multi-step logins and other forms of out-of-bandwidth authentication. But forcing customers to jump through hoops to prove they are who they claim to be isn’t exactly a winning strategy these days.
According to studies in Harvard Business Review, 50% of consumers will bail on a transaction after even 10 seconds of added friction. And today’s tech-savvy consumer has no compunction about defecting to competitors that can deliver the ease, speed and convenience they demand.
In fact, it’s estimated that $1.6 trillion changes hands each year as consumers permanently defect from one brand to another due to a poor digital customer experience.
Some organizations will take their chances. Others will emphasize security over CX. But some will seek out modern, digital identity-based user verification and assessment solutions that have been shown to reduce fraud without adding friction.
Not Credentials, Identities
More advanced authentication solutions leverage behavioral biometrics, behavioral analytics and advanced machine learning to establish normative user activities and behaviors in order to instantly spot anomalies that may signal fraud or bot activity.
For example, with the ThreatMetrix solution, customers are recognized instantly, without the need for out-of-band authentication. Any mismatches in locations, behaviors, devices, accounts or any of hundreds of other dynamic variables immediately surface themselves, enabling the solution to pinpoint fraudulent logins and block them at lightning speed.
This kind of 360-degree visibility doesn’t come without challenges, however. For many organizations, the biggest hurdle will be gaining access to the kind of global, crowdsourced identity and threat intelligence needed to instantly assess the legitimacy and risk associated with even first time visitors.
The ThreatMetrix Digital Identity Network, for instance, sources shared intelligence gleaned from 110 million digital events each day, across 165,000 websites and apps in numerous industries worldwide. In real time, the network is able to detect when all or any part of an identity is being used in a fraudulent way. And when threats are identified by one organization in the network, they are known and neutralized by all.
Bots Be Gone
One retailer that has deployed digital identity-based solutions reports that it’s now able to block more than 90% of all bot traffic, and has cut overall bot-based login attempts by 50% without negatively impacting the user experience.
Either way, whether it’s digital identity-based solutions or something else entirely, businesses aiming to put something in place to battle bots had better get cranking.
To learn more about credential stuffing and how a digital identity-based approach to user authentication can help defeat it, download a solution brief about blocking bot-based account takeovers.