With articles coming out daily on new data breaches and leaks, perhaps you heard about the account takeover attacks at Basecamp, Dunkin Donuts, or TurboTax earlier this year. The attacks were invasive and the source of the attack vector is concerning. These incidents were made possible by credential stuffing—an attack methodology that utilizes stolen user names and passwords from one website, then uses them to access other web-based accounts.
This type of attack is difficult to defend against because organizations have a hard time discerning between legitimate customer usage and a bad actor gaining unauthorized access to the account. The main vulnerability is customer reuse of passwords across different accounts. Bad actors find full credentials from the dark web or internet and then will attempt to access an account other sites where the exposed credentials may be valid.
Successful credential stuffing attempts can directly lead to account takeover (ATO) and fraud. Today’s threat landscape features credential stuffing as a primary menace to every business in America:
Money, corporate reputation, and customer loyalty are all at risk and many organizations are challenged in thwarting credential stuffing attacks and automated bots because they have to balance it with ease-of-use for legitimate customers and users.
The price tag for ATO amounts to billions of dollars annually. While the success rate of a single login attempt remains low, a network of bots can attempt millions of logins per day and they are successful an estimated 0.5%-3% of the time, depending on the target. Some success in accessing accounts through credential stuffing is inevitable because many users are reusing their passwords across different accounts.
To determine the sectors most at risk of credential stuffing, follow the money. While gaining access to sensitive systems or data is one objective, extracting value from directly from the account is the motivation in roughly 75% of all these attacks.
In retail and e-commerce, accounts are tied directly to goods and services, so it’s not surprising to find this sector on the top of our ATO threat list. Electronic gift cards also offer a way for bad actors to obtain information, transfer value and spend money rapidly. Because of the value of the accounts, this industry sector faces the highest raw number of malicious attacks, with over 80% of login attempts being suspect.
Eyeglass firm Warby Parker was one of the more recent retail victims of credential stuffing. In Japan, a favorite retailer saw accounts for 460,000 customers exposed. Mitigating credential stuffing is one of the top priorities for more online retailers.
The common goal for a cybercriminal in this sector is to gain unauthorized access and utilize paid streaming services for free. While the legitimate account owner may be unencumbered, these acts will result in lost business and additional costs for the provider. Additionally, entertainment and social media accounts also contain additional data that may be used to steal identity or can be monetized.
Video sharing service DailyMotion last January confirmed a credential stuffing attack to a reporter from ZDNet.com just weeks after Reddit suffered a similar fate. In all cases, there is some potential for financial gain plus additional theft of email addresses, passwords, and other credentials.
The challenge for this industry is that additional security measures at login can create user friction for legitimate users. Additional friction is proven to lower user satisfaction rates and increase user abandonment. Some utilize additional authentication processes, others will force password resets. In May, Spotify implemented a password reset for customers citing suspicious activity exploiting stolen login data. Spotify stated that the music service had not experienced a data breach, but grumbling users were forced to change their passwords and took to social media to complain about the poor user experience.
Financial Services and banking firms control trillions of dollars, so these institutions are a top target for credential stuffing and ATO. Accenture recently reported that credential theft is a pervasive and dangerous threat in particular for financial services.
In August 2018, attackers made off with $13.5 million in a bank heist by compromising India’s Cosmos financial systems. The MoneyTaker hacking group is suspected of stealing millions from banks in the UK, US, and Russia over the past few years. One US credit union outlined how an automated credential stuffing targeted them in a single week, wreaking havoc on their systems. The credit union often sees a spike in traffic at lunchtime which could sometimes reach 45,000 login attempts over an hour. However, a botnet launched a brute-force attack which ramped up this rate to 4.2 million attempts over the course of seven days.
A successful ATO in this sector can yield a significant payday. According to Akamai’s 2018 State of the Internet (SOIT) analysis, near-constant attacks cost one leading financial entity $100,000 per day in fraud losses. Data seekers can also grab W-2 forms, pension funds, annuities, payroll data, and direct deposit details that will ultimately unlock other financial opportunities.
Compromised credentials are a rapidly growing threat to not only customers, but also financial services enterprise networks, especially if cybercriminals gain access to the username and password of an employee with access to IT systems or sensitive data. With this type of access, bad actors don’t require malware to access the information they want.
Higher education institutions are also a top target because they’re data rich. Their data trove includes lots of financial aid data on students, grants, employee tax records, and other financial objectives. Research data and other intellectual property is among the most sought-after data by attackers and nation state hackers.
In March 2018, over 300 universities worldwide suffered from a sophisticated and orchestrated cyberattack organized by 9 Iranian hackers. According to the official reports, 31 terabytes of “valuable intellectual property and data” was exposed.
To compound the issue, students often lack the experience and judgement to detect phishing schemes. To accommodate the student, staff and researcher needs, most universities and colleges rely on relatively accessible systems. This creates a challenge at many higher education institutions; balancing security with easy access for legitimate users. Most education institutions do not have large IT budgets and they often lack an IT resources to implement new safeguards. The risks faced by the higher education sector are unique but there are cost-effective tools that can specifically help this sector in particular.
The Healthcare sector is constantly under attack for credential stuffing and ATO, especially with increasingly connected medical devices. For example, Sutter Health, which serves over 3 million patients, deals with countless cyberattacks daily. It was hit with around 87 billion cyberthreats in 2018 alone. Attacks on healthcare organizations are increasing every year.
It’s not just billing data that hackers seek from the healthcare sector. Medical records on individual patients often bring top dollar on Dark Web marketplaces. The data can trigger identity theft, credit card fraud, and much more. Stolen health insurance details can also be used to obtain free medical or dental care.
Like some of the other industries, there is a tension between healthcare cybersecurity experts who want to secure systems and stakeholders whose priorities are patient care. It’s key for doctors and medical staff to understand the importance of cybersecurity, but it can be a hard sell for busy clinicians.
While not a top target in terms of cash jackpots, small businesses often face risks for credential stuffing and ATO that are out of proportion with their size. Small businesses often have smaller IT budgets and staff, so they are often less focused on security. Entrepreneurs may take solace in the belief that they’re too tiny to target. That is a false narrative.
Verizon’s most recent DBIR documented that 43% of all data breaches last year targeted this sector. And just like more extensive operations, small firms are reluctant to create a cumbersome online login process for their users. For online merchants, fear of creating friction in the shopping process leads to fear that shoppers will follow the easy path and move to a competitor. Often, this accounts for the lack of proactive measures employed.
Travel and loyalty plans can also attract hackers who seek free goods. Numerous credit card and other loyalty programs offer gift cards in exchange for points. Airlines mileage plans are another target for credential stuffing. Even online pizza companies can fall victim to credential stuffing and send loyal customers’ rewards to a hungry intruder.
Estimates vary, but they all agree that credential stuffing costs US businesses billions of dollars annually. Between 80 and 90 percent of an online retailer’s web traffic is made up of credential stuffing attacks and is costing the U.S. banking industry $50 million on a daily basis. In addition to large financial losses, you risk losing loyal customers. An organization’s reputation is hard to value in terms of dollars when it comes to account takeover or a data breach, but it also needs to be carefully considered.
It is difficult to overstate the value of screening for compromised credentials. Credential reuse is a nightmare for any enterprise—one that is likely to grow worse as long as consumers insist on reusing passwords and the average number of accounts created by user increases every year.
Recently, the National Institute for Standards and Testing (NIST) adopted guidelines suggesting that all organizations screen their login process for compromised credentials. If done seamlessly, screening can practically eliminate the friction that users feel with 2FA and the false positives/negatives associated with risk-based authentication.
Is your business interested in bettering the user experience while increasing security during login seamlessly? If yes, you should be considering compromised credential screening. For more information, visit: https://www.enzoic.com/account-takeover-prevention/