Account Takeover / Credential Stuffing

The Economics of Account Takeover

September, 28, 20223 min Read

Attackers abuse websites and attack consumers’ digital accounts to make money, and they look for vulnerable targets, exploit weak links, and attempt to bypass defense mechanisms. But, with the right defense in place, the associated costs involved in an attack may crush the attackers’ ROI, forcing them to give up and move on.

The ROI of ATO Attacks

Account takeovers are a huge challenge for digital businesses; one in four login attempts is a credential stuffing attack. In 2021, credential stuffing was recognized as one of the OWASP top 10 web application security risks under the classification “identification and authentication failure.” Consumers’ digital accounts are attractive targets because attackers can monetize the assets through a sale to third parties, or use them as a launchpad for various other criminal activities.

Arkose Labs is on a mission to create an online environment where all consumers are protected from malicious activity. We work towards this goal by bankrupting the business model of fraud and making the attack economically less attractive so it is not worthwhile for attackers to continue with the attack.

To understand the economics of account takeover attacks and find out the tipping point where an ATO attack would become financially non-viable, Arkose Labs released The Economics of Account Takeover Attacks.

5 Factors Affecting the ROI of an Account Takeover Attack

The report shows that the factors affecting the ROI of a credential stuffing attack include:

  • Quality of the username/password combo list harvested
  • Average resell price of consumer accounts based on the industry
  • Skillset of the attacker to develop and deploy a complex software
  • Reputation of the attacker as a seller on the dark web
  • Performance of the product and team defending the web site

A fraudster can make more money than a mid-level software developer if they choose a proper target. For example, an attack against an e-commerce or social media website protected with a Web Application Firewall solution is highly profitable for someone who lives in Venezuela, Belarus, Cambodia, Tunisia, El Salvador, Ukraine, or Macedonia. But the same attack targeting a site protected with a bot management or fraud detection product would yield a much smaller return, or even incur a significant loss. In general, attackers who target fintech, banking, or gaming sites will make greater profits than if they held a legitimate professional job.

The Solution: Purpose-Built Security

The report highlights the ways in which attackers take a path of least resistance and go after websites that are either not protected or have inadequate protection mechanisms such as a Web Application Firewall. On the other hand, a well-protected site with advanced defense solutions requires attackers to invest more in the attack infrastructure and to craft a more sophisticated strategy to evade detection.

 Effective fraud prevention solutions include purpose-built web security products that combine 

The Economics of Account Takeover Attacks goes beyond describing the dynamics of an account takeover attack; it explains the monetization potential and why it is one of the most lucrative attack types for bad actors. These insights are critical to eroding fraudsters’ revenue potential, which can force them to abandon the attacks and move on to less protected targets.

To benefit from this intensive research, request your copy of the research paper, here.