Fraud Prevention

Credential Stuffing Attacks Continue to be a Major Driver of Fraud

February 16, 2021 | 5 min read


Credential stuffing attacks, in which fraudsters replay username-password pairs stolen in one breach against the login pages of other services to find accounts where the same credentials were reused, were the major attack vector in 2020. The outlook for 2021 does not look any better, as attackers will continue testing stolen credentials at scale.

2020 introduced millions of homebound consumers to the digital world for practically every aspect of their lives. To access any digital service (work, collaboration, education, banking, shopping, entertainment, socializing, and more), these digital debutants needed to create new accounts. Because many people reuse the same password across services, this explosion of new accounts has widened the attack surface for credential stuffing like never before.

The rise and rise of credential stuffing attacks

In Q4 2020, the number of credential stuffing attacks detected on the Arkose Labs network more than doubled compared to Q3 and rose nearly 90% from Q1, the period when lockdowns were announced globally. Fraudsters poured their resources into credential stuffing at scale in order to harvest valid username-password combinations. These verified credentials form the bedrock of account takeover attacks, which in turn fuel numerous downstream fraud and criminal activities. The increase has been large enough that the FBI issued a notification warning organizations about it.

Fraudsters usually rely on bots to drive credential stuffing attacks, which lets them test thousands of credentials in minutes. Each individual attempt is worth very little, so the activity only pays off at high volume; cheap automation keeps the cost per attempt low enough that even a small success rate is profitable. Bots that roughly mimic the browsers and devices used by humans are easily and cheaply available, as are criminal toolkits and crime-as-a-service offerings. Together, these factors make it extremely easy to launch credential stuffing attacks at scale.
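Detection logic of the kind the paragraph above implies, as an added example that is not part of the original post and not Arkose Labs' code: it reads a constructed authentication log in a hypothetical `timestamp ip username OK|FAIL` format, rolls attempts up per source IP, and separates the credential-stuffing pattern (one or two attempts against many distinct usernames, almost all failing) from single-account brute force and from a busy but legitimate shared NAT address. The function names, thresholds and log format are assumptions made for this example.

```python
"""Credential-stuffing vs. brute-force detection over a per-source auth log.

Credential stuffing replays breached username/password pairs, so one source
sends one or two attempts against MANY usernames and almost all of them fail
(the password is only valid where the victim reused it). Brute force hammers
ONE username with many passwords. A corporate NAT also shows many usernames
from one IP, but its attempts mostly succeed.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Set

# Hypothetical log format assumed for this example:
#   <timestamp> <source-ip> <username> <OK|FAIL>
LINE_RE = re.compile(r"^(\S+)\s+(\d{1,3}(?:\.\d{1,3}){3})\s+(\S+)\s+(OK|FAIL)$")


@dataclass
class SourceStats:
    attempts: int = 0
    failures: int = 0
    users: Set[str] = field(default_factory=set)

    @property
    def fail_ratio(self) -> float:
        return self.failures / self.attempts if self.attempts else 0.0

    @property
    def user_spread(self) -> float:
        """Distinct usernames per attempt: 1.0 means every attempt hit a new account."""
        return len(self.users) / self.attempts if self.attempts else 0.0


def aggregate(lines: Iterable[str]) -> Dict[str, SourceStats]:
    """Roll log lines up into per-source-IP statistics; unparseable lines are skipped."""
    stats: Dict[str, SourceStats] = defaultdict(SourceStats)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        _ts, ip, user, result = m.groups()
        s = stats[ip]
        s.attempts += 1
        s.users.add(user)
        if result == "FAIL":
            s.failures += 1
    return dict(stats)


def classify(s: SourceStats, min_attempts: int = 10, min_users: int = 5,
             min_fail_ratio: float = 0.8) -> str:
    """Label one source as credential_stuffing, brute_force or normal.

    Thresholds are assumptions for this example; tune them on your own traffic.
    """
    if s.attempts < min_attempts:
        return "normal"                 # too little data to judge
    if s.fail_ratio < min_fail_ratio:
        return "normal"                 # busy but mostly succeeding: shared NAT, not an attack
    if len(s.users) >= min_users and s.user_spread >= 0.5:
        return "credential_stuffing"    # many usernames, few tries each, mostly failing
    if len(s.users) <= 2:
        return "brute_force"            # one account, many passwords
    return "normal"


def triage(label: str) -> str:
    """Map a label to an enforcement action. Suspected attackers are challenged,
    not hard-blocked, so a misclassified legitimate user can still get through."""
    return "challenge" if label in ("credential_stuffing", "brute_force") else "allow"


def analyze(lines: Iterable[str]) -> Dict[str, str]:
    """Return {source_ip: label} for every source seen in the log."""
    return {ip: classify(s) for ip, s in aggregate(lines).items()}


def build_sample_log() -> List[str]:
    """Constructed sample data for this example (not real traffic)."""
    lines = []
    # Stuffing source: 40 distinct usernames, one attempt each, two succeed (reused passwords).
    for i in range(40):
        result = "OK" if i in (3, 27) else "FAIL"
        lines.append(f"2021-02-16T10:00:{i % 60:02d} 203.0.113.7 user{i:03d} {result}")
    # Brute-force source: one username, twelve password guesses, all fail.
    for i in range(12):
        lines.append(f"2021-02-16T10:01:{i:02d} 198.51.100.9 dave FAIL")
    # Corporate NAT: fifteen staff logging in from one IP, one typo among them.
    for i in range(15):
        result = "FAIL" if i == 4 else "OK"
        lines.append(f"2021-02-16T10:02:{i:02d} 192.0.2.20 staff{i:02d} {result}")
    # A single user mistyping a password twice, then succeeding.
    lines += [
        "2021-02-16T10:03:00 192.0.2.55 erin FAIL",
        "2021-02-16T10:03:05 192.0.2.55 erin FAIL",
        "2021-02-16T10:03:10 192.0.2.55 erin OK",
    ]
    lines.append("this line is malformed and must be skipped")
    return lines


if __name__ == "__main__":
    for ip, s in sorted(aggregate(build_sample_log()).items()):
        label = classify(s)
        print(f"{ip:14} attempts={s.attempts:3} users={len(s.users):3} "
              f"fail_ratio={s.fail_ratio:.2f} -> {label} ({triage(label)})")
```

The fail-ratio gate is what keeps a shared office or carrier NAT out of the attacker bucket: it produces the same "many usernames from one IP" shape as stuffing, but its logins mostly succeed. Per-IP counting is only a first signal, though; attackers spread a campaign across large proxy pools so that no single address crosses the attempt threshold, which is why the signals later in this post (device and behaviour, not just source address) matter.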

As more people use digital channels for the convenience they offer, businesses are seeing elevated digital traffic throughout the year. This gives fraudsters a ripe opportunity to steal user credentials and use them for account takeover attacks across industries. Our Q1 2021 Fraud and Abuse Report reveals that every industry saw relentless account takeover attempts. Compromised accounts are lucrative not only for the money or loyalty points they hold but also for the information they contain, such as saved passwords and details of other linked accounts. Such accounts can also serve as a launchpad for further criminal activity: spam, payment fraud, money laundering, phishing, and much more.

Businesses cannot rely on legacy solutions to protect consumer accounts

It's clear that there will be no respite from credential stuffing attacks in 2021, because attackers will keep testing stolen credentials to launch account takeover attacks. Digital businesses must therefore take proactive steps to protect consumer accounts from this onslaught. It will not be easy to fight a tech-savvy opponent that keeps iterating on attack techniques and blends in with genuine users, making good and bad behavior harder to tell apart.

Legacy bot solutions are no match for today's advanced bots, which sail past these obsolete barriers with ease. Worse, these outdated solutions add unnecessary friction that degrades the experience for authentic users. Digital businesses therefore need an approach and tools that let them strike a balance between protection from credential stuffing attacks and a great digital experience for authentic customers.

As digital businesses pursue growth and try to retain the influx of new customers in this complicated threat landscape, they will need to rethink their defense. They need an approach that accurately spots attackers without affecting the digital journeys of authentic users. This is a tough ask: consumer behavior keeps evolving, and attackers use every tool available to bypass the barriers businesses put in their way.

Global businesses trust Arkose Labs to fight automated credential stuffing attacks

The Arkose Labs Bot Manager platform is a trusted tool that highly reputed global businesses deploy against automated credential stuffing attacks. The platform shifts the attack surface onto its own network, which protects the business network and triages incoming user traffic. Hard-blocking a user risks turning away a legitimate customer and losing revenue. Instead, users get a chance to prove their authenticity by solving a dynamic enforcement challenge built from sharp, clear 3D images. Nearly always, good users do not see a challenge at all, and the few that do solve it easily. This maintains a superlative digital experience for authentic users.

By contrast, bots and scripts fail the challenge immediately, because the dynamic 3D challenges are trained against the most advanced machine vision technology. The challenges increase in complexity according to the risk assessment of the user. They also slow down the humans whom attackers pay to solve challenges, wasting enough of their time and resources that the attack stops being economical.

The feedback cycle between the risk engine and the challenge-response mechanism, Arkose MatchKey, ensures that the platform continuously learns from every user session in real time. This helps it adapt to evolving attack techniques and improve future risk assessments.

To learn why the Arkose Labs platform is the right tool to fight automated credential attacks while preserving the user experience, please book a demo now.