The popular image of a fraudster is a shadowy, hooded figure sitting in a darkened basement. That antiquated notion is far from reality; fraudsters today come from all walks of life and all parts of the world. They get up every day and perform a job, just like you and me.
Those who choose this line of work are able to make money because of the vast shadow ecosystem they can tap into, which provides them cheap access to software, tools and, if needed, low-paid human resources to help carry out attacks.
A fundamental function of that ecosystem is to help fraudsters launch credential stuffing attacks. These attacks allow fraudsters to test username and password combinations at massive scale, with the ultimate intention of taking over a real user account. Fraudsters especially target payments and financial accounts with these attacks because of how potentially valuable they are; however, this form of attack is common across all industries.
Credential stuffing attacks are rising in both severity and frequency. They are popular among fraudsters because they are relatively cheap and easy to launch, and come with the promise of great financial reward. In 2020, the number of account takeover attacks detected on the Arkose Labs network rose by 90% by the end of the year (see chart below). Furthermore, nearly two-thirds of the attacks detected on the Arkose Labs Global Network target the login point.
In addition to directly draining funds from the account itself, fraudsters can also utilize compromised accounts to steal valuable personal data such as social security numbers, home addresses and more. The accounts can also be used as a way to launder money or to finance even further downstream fraud. Even if accounts are protected by two-factor authentication, fraudsters have ways of getting around this, by using tactics such as SIM swaps or phishing attacks to obtain a real customer’s personal information.
On the flip side, credential stuffing attacks are a financial drain on businesses. In addition to the costs associated with remediating the attack itself, there are numerous burdens placed on operational efficiency as well as quantifiable and unquantifiable downstream costs.
Direct losses include the immediate costs of remediating and restoring user accounts and, if applicable, restoring any funds stolen in the attack. Operational costs include factors like an increased number of calls to contact centres, increased burdens on compliance and legal teams, more manual reviews and the implementation of more security protocols. In fact, larger companies can spend upwards of USD 2 million per year in call centre costs for password resets.
Then there is the impact on user experience. Customers whose accounts have been compromised will not blame the fraudsters; they will blame the business whose job it was to keep those accounts secure. This means customers will flood call centres with complaints, and many may even go on social media and air their frustrations. If these complaints are amplified, they can create a negative brand reputation and erode trust among a business's customer base. In fact, in a poll of 100 IT executives commissioned by Arkose Labs, 60% said ATO attacks negatively impacted their company's brand reputation, and 90% reported that such attacks hindered the user experience. For financial and payment firms, which operate in a highly regulated industry, a large-scale attack that leads to many breached accounts could also mean onerous legal and compliance issues.
As noted, fraudsters will continue to launch credential stuffing attacks because it pays. Fraudsters are like anyone else: they get up each morning and perform a job to make money. If they can’t make money doing it, they will do something else.
That’s why the most effective way to stop credential stuffing attacks is to make them uneconomical for fraudsters. To do this, a business must almost think like a fraudster, in a manner of speaking. Work backwards to figure out how they get money out of your platform and how to make that more difficult.
Force attackers to up the ante required to carry out credential stuffing by undermining their ability to attack while keeping their costs low. For example, put additional pressure on traffic originating from old devices and cheap proxies, and use interactive secondary screening to definitively root out bots and automated scripts.
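To make the approach above concrete, here is an added example (not Arkose Labs code and not from the original article) of a login risk scorer that raises friction for the traffic the paragraph describes. It groups login attempts per source IP and time bucket, scores the classic credential stuffing signature (many distinct usernames, a high failure ratio) together with cheap-infrastructure signals (datacenter proxy, outdated client build), and maps the score to allow, challenge (the interactive secondary screening step) or block. The `LoginAttempt` fields, the proxy and client-age enrichment, the weights and the thresholds are all assumptions for illustration; the sample attempts are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class LoginAttempt:
    ts: int               # unix seconds
    src_ip: str
    username: str
    success: bool
    client_age_days: int  # age of the client's browser/OS build (assumed enrichment)
    proxy: str            # "none", "residential" or "datacenter" (assumed enrichment)


# Constructed sample: one source sprays 41 different usernames through a datacenter
# proxy from an outdated client and hits once; a normal user mistypes once, then logs in.
SAMPLE_ATTEMPTS = [
    LoginAttempt(1200 + i, "198.51.100.7", f"user{i:03d}@example.com", False, 900, "datacenter")
    for i in range(40)
] + [
    LoginAttempt(1240, "198.51.100.7", "user040@example.com", True, 900, "datacenter"),
    LoginAttempt(1202, "203.0.113.5", "alice@example.com", False, 30, "none"),
    LoginAttempt(1209, "203.0.113.5", "alice@example.com", True, 30, "none"),
]

PROXY_RANK = {"none": 0, "residential": 1, "datacenter": 2}


def source_stats(attempts, window_s=60):
    """Aggregate attempts per (source IP, time bucket) into the signals we score."""
    buckets = defaultdict(list)
    for a in attempts:
        buckets[(a.src_ip, a.ts // window_s)].append(a)
    stats = {}
    for key, items in buckets.items():
        failures = sum(1 for a in items if not a.success)
        stats[key] = {
            "attempts": len(items),
            "distinct_users": len({a.username for a in items}),
            "failure_ratio": failures / len(items),
            "client_age_days": max(a.client_age_days for a in items),
            "proxy": max((a.proxy for a in items), key=PROXY_RANK.__getitem__),
        }
    return stats


def risk_score(s):
    """Additive score; weights and thresholds are illustrative assumptions."""
    score = 0
    # Many distinct usernames from one source is the core stuffing signature.
    if s["distinct_users"] >= 10:
        score += 40
    elif s["distinct_users"] >= 3:
        score += 15
    # High failure ratio over a meaningful number of attempts.
    if s["attempts"] >= 5 and s["failure_ratio"] >= 0.8:
        score += 30
    # Cheap infrastructure: datacenter proxies and outdated clients are easier to
    # obtain in bulk than residential connections and current devices.
    score += {"none": 0, "residential": 10, "datacenter": 20}[s["proxy"]]
    if s["client_age_days"] > 365:
        score += 10
    return score


def decide(score):
    """Map a score to friction: block, send to an interactive challenge, or allow."""
    if score >= 60:
        return "block"
    if score >= 30:
        return "challenge"
    return "allow"


def evaluate_sources(attempts, window_s=60):
    """Return {src_ip: (max_score, action)} across all time buckets."""
    worst = {}
    for (ip, _bucket), s in source_stats(attempts, window_s).items():
        score = risk_score(s)
        if ip not in worst or score > worst[ip][0]:
            worst[ip] = (score, decide(score))
    return worst


if __name__ == "__main__":
    for ip, (score, action) in sorted(evaluate_sources(SAMPLE_ATTEMPTS).items()):
        print(f"{ip:15} score={score:3d} action={action}")
```

Per-source thresholds alone are not enough once an attack is spread thinly over a large proxy pool, which is exactly what the shadow ecosystem sells; the complementary signal is the site-wide login failure ratio against its normal baseline, and the point of the challenge tier is to let a real user through at low cost while forcing an automated script to pay for every attempt.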
Businesses need to make a robust effort to stop credential stuffing attacks. Doing so will not only safeguard their revenue streams but also maintain customer trust and loyalty.
About Kevin Gosschalk
Kevin Gosschalk is the Founder and CEO of Arkose Labs. Since launching the company in 2017, he has been instrumental in building a suite of fraud and abuse prevention solutions that deliver long term remediation from attacks by breaking the underlying economics behind online fraud. Under Kevin’s leadership, Arkose Labs has raised more than USD 114 million in venture funding, rapidly scaling its customer base and workforce, transforming the world of digital commerce by working with some of the world’s leading businesses. Kevin has been named CEO of the year by Cyber Defense Magazine and is regarded as an expert in the fraud and risk management industry.
About Arkose Labs
Arkose Labs bankrupts the business model of fraud. Recognized as a 2021 Cyber Defense Magazine ‘Hot Company in Fraud Prevention’, its innovative approach determines true user intent and remediates attacks in real-time. Risk assessments combined with interactive authentication challenges undermine the ROI behind attacks, providing long-term protection while improving good customer throughput. Arkose Labs is based in San Francisco, Calif., with offices in Brisbane, Australia and London, UK. For more information, visit www.arkoselabs.com or on Twitter @ArkoseLabs.