Credential Stuffing

Arkose Labs Announced $1 Million Credential Stuffing Warranty

September 9, 2021 | 6 min read

Billions of compromised records from data breaches, including username-password and email-password pairs, are the prime fuel for credential stuffing attacks. To protect its partners, Arkose Labs has introduced a limited warranty against credential stuffing attacks which includes up to $1 million in loss recovery and a 48-hour remediation guarantee.

Credential stuffing is a bane to digital commerce and affects millions of businesses and consumers. As part of our goal to make the internet a safer place for all, Arkose Labs is standing behind our product by announcing an insurance-backed, limited warranty against credential stuffing attacks. The warranty, a first of its kind in the industry, is a trendsetter as it brings the concept of cyber risk management to a larger world and has successfully piqued immense interest among vendors and companies alike.

Automation helps scale up the attacks at lower costs

A credential stuffing attack, in simple terms, refers to the matching of user credentials to retrieve valid combinations that can then be used for account takeover or simply resold to third parties. Often, weak passwords, reused passwords, and passwords that are stored with weak security are all it takes to orchestrate credential stuffing attacks. Automation allows attackers to achieve scale, which means that even if only a small percentage of valid matches is found, the absolute number is massive. A small percentage of a very large number is still a substantial amount.

To make matters worse, the cost of credential stuffing attacks is low, whereas profits can be incredibly high. The most common use case of credential stuffing attacks is account takeover, which allows fraudsters to compromise user accounts and not only drain them of their assets – money, reward points, saved information, and so on – but also use them for many types of attacks. For instance, compromising accounts on, say, a video game platform can allow fraudsters to steal virtual gold that can be sold to other players who can then get ahead in the game. Similarly, in the travel industry, fraudsters can break into a user's airline rewards account and use the stored miles to buy airline tickets, which can be monetized quickly by reselling them elsewhere.

At the end of the day, if the attacker has a million usernames and passwords and the success rate is 1%, they may still get 10,000 accounts. Even if they make only a few dollars on average per account, per successful attempt, they can still make substantial amounts of money.

However, just because fraudsters have compromised accounts and can use valid credentials to gain unauthorized access, businesses cannot simply introduce unnecessary friction to stop bad actors. Using multi-factor authentication (MFA), for example, to authenticate every single request can degrade user experience, while fraudsters are creative enough to find a way to bypass the defenses. It continues to be an ongoing battle between fraudsters and businesses.

What's the best approach to stop fraud without compromising user experience?

At Arkose Labs, we are aware that we are up against a technically savvy opponent and it can be difficult to stop them mechanically. Therefore, we need a different approach to make the attack financially non-viable such that they abandon their efforts and move on.

Rather than mitigating or preventing attacks, Arkose Labs follows the approach of making the attacks financially unsustainable such that it deters the attackers. By increasing the cost of making the attack for the fraudster, Arkose Labs drastically erodes the potential return of their attack, causing attackers to give up and look for the next, easier target.

Making online crime not worthwhile

Arkose Labs is trying to make online crime not worthwhile, but there is still a fair bit of work ahead of us to achieve that. By introducing this Credential Stuffing Warranty, Arkose Labs has taken the first step to offer a service level agreement (SLA) to protect the interests of businesses and their customers. This warranty provides commercial assurance that Arkose Labs will deliver the most robust protection against credential stuffing attacks available on the market today. It includes up to $1 million recoverable for covered losses and a 48-hour remediation guarantee, in addition to the promise of reducing business risk exposure without impacting good user experience.

Arkose Labs' existing 100% SLA on hack remediation around automation also covers credential stuffing, guaranteeing shutdown of an automated attack within a timeline. That said, there is no silver bullet for mitigating attacks. Therefore, the objective is to increase the costs associated with a credential stuffing attack to a point where it is no longer financially viable for the attacker. It is possible that fraudsters use a mix of automation and human sweatshops to attack. While automation does the bulk of the work, humans step in when a more nuanced response is needed. However, that increases the costs of launching an attack. By further increasing the associated costs, returns from a credential stuffing attack can be depleted.

Get assured protection with Arkose Labs and its credential stuffing warranty

Currently, there is no penalty for a vendor making false claims to the customer, and they can actually get away with them. When the product doesn't work, businesses and their users become vulnerable. However, by partnering with Arkose Labs, our partners get not only a team supporting them and mitigating the threats, but also the assurance that common losses associated with the compromise of accounts are covered if, for whatever reason, the product doesn't work. Since it's the user accounts that bad actors get into and cause losses to businesses, Arkose Labs' Credential Stuffing Warranty can help businesses limit these financial losses.

To learn more about Arkose Labs' Credential Stuffing Warranty, watch the on-demand webinar "Guaranteed Peace of Mind from Credential Stuffing Attacks" featuring Arkose Labs' co-founder and CEO Kevin Gosschalk, Arkose Labs' Executive Board Member Jeremiah Grossman, and the founder of Have I Been Pwned?, Troy Hunt, as well as an on-demand Live Chat with Kevin Gosschalk and Patrice Boffa, Chief Customer Officer, who do a deep dive into the warranty and the most user-centric approaches to stamping out automated attacks on logins long-term.