Fraud Prevention

More Online Customers Means More Credential Stuffing Attacks

December 4, 2020 | 5 min read


The global lockdowns have driven a large proportion of consumers to digital channels, which has also led to a prolific rise in credential stuffing attacks. These are attacks where cybercriminals test the validity of stolen user credentials at scale. Bots remain a cost-effective vehicle for credential stuffing, as attackers can check thousands of username-password combinations in a matter of minutes.

In Q3 2020, the Arkose Labs network saw its highest-ever levels of bot attacks, with credential stuffing being the main driver of that traffic. The Arkose Labs network detected and stopped nearly 770 million automated credential stuffing attacks during this quarter.

This rise in credential stuffing attacks can be attributed to the swathes of data that bad actors have access to due to years of data breaches. In addition, many consumers use the same username-password combinations across multiple digital services. When attackers succeed in harvesting user credentials that are used across digital accounts, they can then exploit all of these accounts.

Further, the easy availability of advanced bots, criminal toolkits, and the ability to outsource crime-as-a-service are making it easier than ever to plan and execute credential stuffing attacks at scale.

All industries are victims of credential stuffing attacks

According to the Arkose Labs Q4 2020 Fraud and Abuse Report, all industries experienced a steady stream of credential stuffing attacks during Q3 2020. However, the financial services sector remains a particularly attractive target for these attacks as it can fetch the highest returns. In fact, in October 2020, the Federal Bureau of Investigation (FBI) took note of and issued a warning against the rising menace of credential stuffing attacks in the financial services sector. According to the FBI, 41% of the cyber attacks in the financial sector came from credential stuffing.

Credential stuffing is growing in importance for attackers because the number of new people using digital channels is increasing daily. The stolen credentials that these attacks validate pave the way for account takeover attacks that can power a lot of downstream fraud. Draining the funds from a compromised account is just the starting point of many criminal activities. Apart from opening new lines of credit, stealing saved passwords, and committing payment fraud, malicious actors also exploit the compromised accounts to send out spam, orchestrate phishing scams and steal personal data. They also use these compromised accounts for more sinister crimes and anti-social activities such as human trafficking and terrorism.

Automated credential stuffing is a headache for businesses

Credential stuffing is a high-volume, low-value activity. To make it economically viable, cybercriminals deploy bots that help scale up the attacks. This ensures that even if a small percentage of the attacks are successful, their cumulative effect will be financially lucrative. Further, attackers use advanced bots that can mimic human behavior to bypass authentication mechanisms that require more nuanced human interaction. This makes it even more challenging for digital businesses to fight the onslaught of automated credential stuffing attacks.

The first step to preempting and stopping credential stuffing attempts is to identify attackers from authentic users. However, legacy bot prevention solutions cannot stand up to the sophistication of the modern bots. Instead, they end up introducing unnecessary friction for authentic users, while bots easily bypass the defenses. This degrades the user experience and can lead to customer resentment.
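One defender-side check, as an added example that is not from the article or from Arkose Labs: flag login sources that try many distinct usernames with mostly failures inside a short window, the high-volume, low-success pattern described above. The log lines, thresholds and field layout are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample login log (not from the article). Fields: time, source IP, username, outcome.
LOG = """\
2020-10-01T10:00:01 198.51.100.7 alice fail
2020-10-01T10:00:02 198.51.100.7 bob fail
2020-10-01T10:00:02 198.51.100.7 carol fail
2020-10-01T10:00:03 198.51.100.7 dave fail
2020-10-01T10:00:04 198.51.100.7 erin success
2020-10-01T10:00:05 198.51.100.7 frank fail
2020-10-01T10:00:30 203.0.113.9 gina fail
2020-10-01T10:00:45 203.0.113.9 gina fail
2020-10-01T10:01:10 203.0.113.9 gina success
2020-10-01T10:02:00 192.0.2.44 alice success
"""

def parse_log(text):
    """Turn each whitespace-separated line into (datetime, source, user, outcome)."""
    events = []
    for line in text.splitlines():
        ts, src, user, outcome = line.split()
        events.append((datetime.fromisoformat(ts), src, user, outcome))
    return events

def score_sources(events, window_s=60, min_users=5, min_fail_ratio=0.6):
    """Slide a window over each source's attempts and flag sources that try
    many distinct usernames with mostly failures. A single user retrying one
    account (203.0.113.9) does not match; a spray of different accounts does.
    Note: a distributed attack spread across many IPs evades a per-source
    threshold, so this check is one signal, not a complete defense."""
    by_src = defaultdict(list)
    for ev in sorted(events):
        by_src[ev[1]].append(ev)
    flagged = {}
    for src, evs in by_src.items():
        for i, (t0, _, _, _) in enumerate(evs):
            win = [e for e in evs[i:] if (e[0] - t0).total_seconds() <= window_s]
            users = {e[2] for e in win}
            fails = sum(1 for e in win if e[3] == "fail")
            if len(users) >= min_users and fails / len(win) >= min_fail_ratio:
                # Successes inside a flagged window are the accounts most likely taken over.
                hits = sorted({e[2] for e in win if e[3] == "success"})
                flagged[src] = {"attempts": len(win), "users": len(users),
                                "fail_ratio": round(fails / len(win), 2), "compromised": hits}
                break
    return flagged
```

Accounts listed under `compromised` are candidates for forced re-authentication and password reset rather than automatic lockout, since the legitimate owner may be among the successes.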

Today, when businesses have an opportunity to expand their customer base by attracting new digital users, they cannot let bots and malicious humans hinder business growth. Further, security teams cannot review each user manually, as this is not only time-consuming but also prone to human error. Businesses must, therefore, rethink their approach to fighting automated credential stuffing attempts and look for an approach that enables them to protect their customers' and business interests long-term.

Ward off attacks, focus on customer experience

Leading global businesses trust Arkose Labs to ward off automated credential stuffing attacks so they can focus their efforts on business growth. The Arkose Bot Manager platform shifts the attack surface from the business onto its own network and triages all incoming users. The platform does not block any user. Instead, its risk engine assesses the risk associated with each user and informs the challenge-response mechanism, which presents targeted friction in the form of Arkose MatchKey challenges rendered in real time.

Authentic users can easily clear these Arkose MatchKey challenges. This ensures their digital experience does not suffer in any way. Since the proprietary 3D puzzles are hardened against the most advanced machine vision technology, they cause bots and automated scripts to fail. Persistent malicious users continue facing incrementally complex challenges until they run out of resources trying to clear them. Should they choose to invest more time and resources, the economic viability of the credential stuffing attack erodes until the fraud model no longer pays, which forces attackers to give up and move on.

Arkose Bot Manager is a self-learning platform where the challenge-response mechanism feeds the insights from real-time user sessions into the risk engine, which helps continuously improve future predictions and adapt to the evolving attack tactics.

To learn how Arkose Labs helps leading businesses sustain growth by warding off automated credential stuffing attacks while offering a seamless customer experience, schedule a demo now.