Credential Stuffing

Why Businesses Need a New Standard of Credential Stuffing Protection

October 22, 20216 min Read

credential stuffing

Credential stuffing is a common type of account takeover attack and provides the required fuel -- valid username-password combinations -- to successfully compromise user accounts. Despite significant investments in fraud mitigation, credential stuffing remains a fruitful tactic to circumvent authentication defenses and cost businesses money. It’s time for account security vendors to set a new standard for minimizing the impact of these attacks on digital businesses and their customers. 

Arkose Labs is on a mission to make the internet safer for everyone. This is a lofty goal as we are up against opponents who are technically savvy, have easy access to the latest tools and technology, adopt creative approaches to scale up their attacks, and above all are continuously mobilizing their resources to maximize exploits. Continuous pilferage of consumers’ personally identifiable information, by way of frequent data breaches, is further supplementing their attacks, making it difficult for digital businesses to balance account security with user experience.

Digital Accounts are Vulnerable to Credential Stuffing

As digital accounts become central to users’ online journeys, they are also increasingly becoming the target for attackers, who try to gain unauthorized access through account takeover attacks. However, to hack into an account, attackers need a valid username-password combination. This is where credential stuffing comes into the picture.

Credential stuffing is the first step towards an account takeover attack, as it enables fraudsters to create lists of valid login credentials to fuel these attacks. Fraudsters heavily use automation for credential stuffing which makes it simpler, faster, and cheaper to validate dumps of credentials in no time. This clearly explains why there is a spike in credential stuffing attacks in recent times. According to Arkose Lab’s 2021 Fraud and Abuse Report, there were 285 million credential stuffing attacks detected and stopped on the Arkose Labs network in the first six months of the year, with spikes of upwards of 80 million in a single week. What’s more concerning is on average, 5% of all traffic on the Arkose Labs’ network is a credential stuffing attempt. 

Credential stuffing is on the rise as it is not only ridiculously easy to execute but also fetches massive returns that may vary across industries. Probably the worst hit is the financial service sector, where credential stuffing attacks constituted 41% of all attacks on the sector between 2017 and 2020. That is not to suggest that other industries are immune. Gaming platforms are under siege for in-game currencies, abuse of auction houses, and resale of high-worth accounts among other types of abuse. Travel companies are targeted for loyalty points while streaming companies are targeted for resale of subscriptions.

The Industry-first, $1 Million Credential Stuffing Warranty

Businesses cannot afford to continue engaging with the attackers in a cat-and-mouse game, as in addition to financial damage there is a lot at stake for them - brand reputation, customer trust, and revenue. Although many businesses use multiple fraud solutions, the fact that credential stuffing can make up 5% of traffic means accounts are still not fully protected. Plus, there is no commercial assurance from their vendors, which means, the risk of exposure and bearing remediation costs, still remains. 

While there is no silver bullet when it comes to fighting fraud, at Arkose Labs, we have proven time and time again that the right pressure can effectively sabotage attacks and deters fraudsters from returning. This is why we were able to be the first vendor to offer a Credential Stuffing Warranty that offers to cover key incident response costs of up to $1 million. 

Our confidence in fighting credential stuffing stems from two central components of our solution, namely: risk decisioning and proprietary enforcement challenges. We leverage the latest technologies including device forensics, fingerprinting, machine learning, gamification, and so forth to assess the risk associated with every user. Years of proven efficiency in fighting these attacks has provided our insurer with the confidence in our solution to back our solution in offering this one-of-its-kind warranty.

User-centric Fraud Deterrence

Unlike other vendors that rely on traditional bot defenses, rate limiting, or blocking suspicious users, Arkose Labs does not block any user - whether a genuine user or a bad actor. This is one of the key differentiators that sets us apart from the others as we challenge all incoming users to play by our rules. 

Neither do we block threats nor compromise good user throughput. We achieve this by challenging high-risk users with targeted friction through our proprietary 3D puzzles that are rendered according to real-time risk assessment of each user. In most cases, good users may not even see the challenges because of the intelligence and learnings garnered from our network over the years. These insights enable us to allow good users to continue with their digital journey without any disruption to their user experience. 

The progress of bots and scripts is disrupted by these challenges, whereas persistent malicious users are presented with puzzles that keep increasing in volume and complexity. This increases the time, effort, and resources required to execute an attack, making the attack not worthwhile. 

At Arkose Labs, user-centricity is important, and therefore we have put in a lot of effort in language translation, accessibility, interactivity, puzzle designs, and so on, such that our partners operating across the globe and with a wide variety of user demographics can benefit from the most robust protection while maintaining superior user experience they are known for.

A New Gold Standard for Accountability in Fraud Prevention

As part of the warranty, which incidentally does not need our partners to pay anything extra, offers a 48-hour SLA for rapid remediation and access to a 24x7 operation center for support. We stand together with our partners to protect them from any credential stuffing attempts.

In the unlikely event of a successful credential stuffing attack, we will compensate all costs associated with compromised accounts. These include consultation efforts, forensics, customer awareness, employee time or salaries, among others. Furthermore, we have made the claims easier by reimbursing the costs ourselves, instead of routing them through the insurance carrier. This indeed is the gold standard of warranty.

To learn how Arkose Labs is trying to make security more accountable and more transparent with assured protection from credential stuffing attacks, contact us now.