Voice of the Industry

Mitigating credential stuffing must be a top priority for businesses

Wednesday 20 October 2021 08:56 CET | Editor: Simona Negru | Voice of the industry

Kevin Gosschalk, CEO at Arkose Labs, believes that businesses deserve greater protection, commitment, and partnership from their security vendors to thwart attackers' efforts, which is especially essential during the holiday season.

Logins are the most attacked digital touchpoint today, fueled by high-volume credential stuffing attacks. Fraudsters have sophisticated tools and data to carry out automated attacks at scale, while maintaining low costs. Businesses, on the other hand, continue to make investments in people and technology to keep accounts protected; yet they are still being persistently attacked. 

As credential stuffing grows in popularity amongst fraudsters, so too does the need to fully understand this type of cyberattack, as well as the tools needed to mitigate it. With credential stuffing, stolen data like usernames, email addresses, and passwords are used to break into accounts at a high volume using sophisticated tools. These automated attacks are done at scale, keeping costs low and therefore making credential stuffing a profitable venture for fraudsters.

Businesses continue to invest in people and technology for account protection: according to Gartner, worldwide spending on information security is projected to reach more than USD 170 billion in 2022. Yet credential stuffing continues unabated. In fact, in H1 of 2021, the Arkose Labs network detected and stopped 285 million credential stuffing attacks – 29% of all fraud attacks – with spikes upwards of 80 million in a single week. To make matters worse, these attacks affect the bottom line, with 46% of businesses reporting that these attacks have led to decreased revenue. On average, credential stuffing attacks cost affected businesses USD 6 million per year.

Among the most attacked sectors are financial services, gaming, and media, but no industry is immune to credential stuffing. The problem is most prominent in online gaming, which accounted for 35% of all attacks in H1 of 2021. Of those attacks, 75% targeted login and registration points.

As the holiday season approaches, businesses must safeguard their customers from cyberattacks

Businesses deserve greater protection, commitment, and partnership from their security vendors to thwart attackers' efforts. This is why Arkose Labs backs their Fraud and Abuse Prevention Platform with the industry’s first warranty against credential stuffing attacks. The warranty offers a commercial guarantee against credential stuffing attacks, covering customers up to USD 1 million in response expenses including legal consultation, forensic services, notification expenses, identity theft, and credit monitoring.

As the holiday season approaches, businesses in all industries must be extra vigilant about protection. In 2020, credential stuffing increased 56% over the holiday season, and this year is expected to be just as bad, if not worse, with an anticipated 8 million attacks per day.

‘The holiday season is the busiest time of year for fraud. Fraudsters know that digital traffic and commerce ramps up significantly, and they plan their attacks accordingly’, said Kevin Gosschalk, CEO of Arkose Labs. ‘Businesses should be planning now to mitigate these attacks that we know are coming in the upcoming weeks and months.’ 

Arkose Labs takes a three-layered approach to offer the most robust protection against credential stuffing attacks:

  1. Preventing credential stuffing requires an accurate assessment of traffic in real time and segregation of malicious activity from genuine users. Arkose Detect features a powerful decision engine that differentiates genuine customers from malicious bots with more than 99% accuracy.

  2. Fraudsters have a wide array of tools available to appear as if they are a genuine customer. They use the latest technology available to mimic legitimate user behaviour and camouflage their malicious intentions. Arkose Enforce features targeted enforcement challenges designed to detect and stop advanced bots that mimic human behaviour.

  3. Arkose Labs also features a Managed Services plan with 24x7 SOC protection and proactive monitoring to stay one step ahead of threats. When an incident occurs, clients receive guaranteed priority response and remediation within 48 hours. 

It’s important to remember that fraud is a business. Making it more costly to carry out a successful attack, and forcing fraudsters to deploy more resources, deters them from continuing to attack.

‘The availability of vast amounts of consumer data, advanced and commoditised tools, and even YouTube tutorials make it easy for fraudsters to launch complex account takeover attacks’, Gosschalk explained. ‘However, with the right tools in place, businesses can protect themselves and their customers from the perils of stolen credentials, and they can do so without negatively affecting the customer experience.’

About Kevin Gosschalk

Kevin Gosschalk is the Founder and CEO of Arkose Labs. Since launching the company in 2016, he has been instrumental in building a suite of fraud and abuse prevention solutions that deliver long term remediation from attacks by breaking the underlying economics behind online fraud.



About Arkose Labs

Arkose Labs analyses traffic against telltale signs of malicious intent to distinguish automated and human attackers from good users, providing long-term protection against fraud and abuse by sabotaging attackers’ ROI.



Keywords: cybercrime, online fraud, fraud prevention, account takeover
Categories: Securing Transactions | Digital Identity, Security & Online Fraud
Countries: World