Credential Stuffing

Defeating the Scourge of Credential Stuffing Attacks

August 12, 2021 (5 min read)

Credential stuffing attacks, in which fraudsters try several username-password combinations to find valid matches, have become a huge challenge for businesses. In addition to draining revenue and disrupting operational efficiencies, these attacks harm the customer experience. To help its partners end this scourge, Arkose Labs has introduced an industry-first, limited warranty against credential stuffing attacks.

In recent times, account takeover (ATO) attacks have emerged as one of the fastest-growing challenges in the fraud landscape. By the end of 2020, there was a 90% increase in the number of account takeover attacks on the Arkose Labs network. Credential stuffing attacks provide the fuel to power these automated, high-volume account takeover attempts.

Fraudsters use bots to match thousands of username-password combinations and retrieve valid combinations in no time. With databases containing years of breached personal information to draw on, fraudsters have no dearth of raw material for launching credential stuffing attacks at scale.

How a credential stuffing attack is orchestrated

A credential stuffing attack begins with harvesting data, which gives fraudsters the raw material required to launch these attacks: lists of valid email IDs, usernames, and passwords that are, unfortunately, readily available on the web.

Fraudsters enter these stolen details into a tool, configure proxies, define the target and then deploy bots to find the right combination of login credentials. Once valid matches are found, fraudsters can break into genuine user accounts to steal money or use them to orchestrate further attacks. They can also make money quickly by selling off these validated combinations to third parties.
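From the defender's side, the proxy step described above is why counting failed logins per IP address misses this traffic. The sketch below is an added example, not Arkose Labs code: it runs the same sliding-window check over constructed login events grouped first by source IP and then by a hypothetical `client_fingerprint` field, with illustrative thresholds.

```python
from collections import defaultdict

# Constructed sample events: (epoch_seconds, source_ip, client_fingerprint, username, success).
# The bot rotates through six proxy IPs; "client_fingerprint" is a hypothetical field.
BOT = [(1000 + 10 * i, f"203.0.113.{1 + i % 6}", "fp-bot", f"user{i}@example.com", i == 5)
       for i in range(8)]
LEGIT = [
    (1005, "198.51.100.10", "fp-a", "alice@example.com", False),  # mistyped password
    (1020, "198.51.100.10", "fp-a", "alice@example.com", True),
    (1040, "198.51.100.22", "fp-b", "bob@example.com", True),
]
EVENTS = BOT + LEGIT
IP, FINGERPRINT = 1, 2  # tuple positions usable as grouping keys


def flag_sources(events, key_index, window_s=300, min_users=5, max_success_ratio=0.2):
    """Flag sources that try many distinct usernames with few successes in a sliding window."""
    by_key = defaultdict(list)
    for ev in events:
        by_key[ev[key_index]].append(ev)
    flagged = {}
    for key, evs in by_key.items():
        evs.sort(key=lambda e: e[0])
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window_s:
                start += 1  # drop attempts older than the window
            window = evs[start:end + 1]
            users = {e[3] for e in window}
            successes = sum(1 for e in window if e[4])
            if len(users) >= min_users and successes / len(window) <= max_success_ratio:
                flagged[key] = {"distinct_users": len(users), "attempts": len(window),
                                "successes": successes}
                break  # first window that crosses the thresholds is enough
    return flagged


if __name__ == "__main__":
    print("per IP:", flag_sources(EVENTS, IP))
    print("per fingerprint:", flag_sources(EVENTS, FINGERPRINT))
```

Grouped by IP, no source crosses the threshold because each proxy carries at most two attempts; grouped by fingerprint, the bot is flagged after its fifth distinct username.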

Losses to businesses are both direct and indirect

Credential stuffing attacks are cheap and easy to launch, but they can cause colossal losses to businesses. These include both direct and indirect losses.

Direct losses include costs associated with remediating the attack, restoring user accounts, and often refunding the amounts stolen from the compromised accounts. Given that resetting one compromised password costs companies nearly $70, fraud can translate into millions of dollars of losses to a business every year. In addition, credential stuffing can lead to reduced revenues.

In terms of operational costs, businesses experience an increased number of calls to contact centers, an increased burden on compliance and legal teams, more manual reviews, and the implementation of additional security protocols. Larger companies may spend more than $2 million per year in call center costs helping companies reset passwords. Furthermore, these automated login attempts can put undue strain on servers and IT infrastructure, and each incident of compromised user accounts takes anywhere between one and five hours to remediate.

Negative publicity and discontented customers can cause irreparable damage to brand reputation. In the age of social media, where reviews and ratings play an important role in building a brand, any adverse comment or angry complaint can cause customer churn and adversely impact customer acquisition. An Arkose Labs survey found that 90% of the businesses polled agreed that these attacks negatively impacted user experience.

Target industry defines methods of monetization

No industry has been spared credential stuffing attacks. Depending on the target industry, fraudsters use different methods to monetize their attacks.

Unsurprisingly, the financial services industry is the most attractive target for these attacks because of the monetary value it holds; these attacks accounted for 41% of the total attacks on this industry segment.

In the gaming industry, attackers engage in real money trading, wherein they steal digital items from compromised accounts and resell them to other gamers on gray market forums. They also abuse hacked accounts to use cheats or hacks to gain an in-game advantage.

On travel websites, fraudsters seek out loyalty points, which are used to buy hotels, airfare, car rentals, and cruises, to resell on third-party platforms.

Compromised social media accounts are generally used for phishing campaigns and scams instead of direct monetization. They are also used to create artificial spikes in 'likes' or 'followers' of select accounts.

The growing popularity of streaming services has provided fraudsters with an opportunity to compromise multiple accounts in order to resell access.

Inadequate fraud solutions weaken the fight against credential stuffing attacks

Credential stuffing attacks continue to pose a major challenge to businesses, even though businesses invest heavily in anti-fraud technology. This is because many solutions are not only ineffective but also costly.

They end up introducing unnecessary friction, requiring customers to complete additional steps before being able to access their accounts.

These solutions are also rendered ineffective because fraudsters have learned which parameters they look for and use this information to manipulate signals so that their traffic appears legitimate.

Arkose Labs' industry-first credential stuffing warranty

To help businesses fight this menace, Arkose Labs has introduced an industry-first, limited warranty against credential stuffing attacks. This makes Arkose Labs the only security vendor in the world that is sure of the efficacy of its platform and stands with its clients as a true partner and not merely a service provider.

This warranty provides commercial assurance that Arkose Labs will deliver the most robust protection against credential stuffing attacks available on the market today. Not only does this warranty include up to $1 million loss recovery and a 48-hour remediation guarantee, but it also promises a reduction in business risk exposure without impacting good user experience.

To learn more about Arkose Labs' Credential Stuffing Warranty, contact us now.