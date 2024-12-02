Logins are the most attacked digital touchpoint today, fueled by high-volume credential stuffing attacks. Fraudsters have sophisticated tools and data to carry out automated attacks at scale, while maintaining low costs. Businesses, on the other hand, continue to make investments in people and technology to keep accounts protected; yet they are still being persistently attacked.

As credential stuffing grows in popularity amongst fraudsters, so too does the need to fully understand this type of cyberattack, as well as the tools needed to mitigate it. With credential stuffing, stolen data like usernames, email addresses, and passwords are used to break into accounts at a high volume using sophisticated tools. These automated attacks are done at scale, keeping costs low and therefore making credential stuffing a profitable venture for fraudsters.

While businesses continue to invest in people and tech for accounts protection, according to Gartner, worldwide spending on information security is projected to reach more than USD 170 billion in 2022, yet credential stuffing still continues unabated. In fact, in H1 of 2021, the Arkose Labs network detected and stopped 285 million credential stuffing attacks – 29% of all fraud attacks – with spikes upwards of 80 million in a single week. To make matters worse, these attacks affect the bottom line, with 46% of businesses reporting that these attacks have led to decreased revenue. On average, credential stuffing attacks cost affected businesses USD 6 million per year.

Among the most attacked sectors are financial services, gaming, and media, but no industry is immune to credential stuffing. The problem is most prominent in online gaming, which accounted for 35% of all attacks in H1 of 2021. Of those attacks, 75% targeted login and registration points.

As the holiday season approaches, businesses must safeguard their customers from cyberattacks

Businesses deserve greater protection, commitment, and partnership from their security vendors to thwart attackers' efforts. This is why Arkose Labs backs their Fraud and Abuse Prevention Platform with the industry’s first warranty against credential stuffing attacks. The warranty offers a commercial guarantee against credential stuffing attacks, covering customers up to USD 1 million in response expenses including legal consultation, forensic services, notification expenses, identity theft, and credit monitoring.

As the holiday season approaches, businesses in all industries must be extra vigilant about protection. In 2020, credential stuffing increased 56% over the holiday season, and this year is expected to be just as bad, if not worse, with an anticipated 8 million attacks per day.

‘The holiday season is the busiest time of year for fraud. Fraudsters know that digital traffic and commerce ramps up significantly, and they plan their attacks accordingly’, said Kevin Gosschalk, CEO of Arkose Labs. ‘Businesses should be planning now to mitigate these attacks that we know are coming in the upcoming weeks and months.’

Arkose Labs takes a three-layered approach to offer the most robust protection against credential stuffing attacks:

Preventing credential stuffing requires an accurate assessment of traffic in real time and segregation of malicious activity from genuine users. Arkose Detect features a powerful decision engine that differentiates genuine customers from malicious bots with more than 99% accuracy. Fraudsters have a wide array of tools available to appear as if they are a genuine customer. They use the latest technology available to mimic legitimate user behaviour and camouflage their malicious intentions. Arkose Enforce features targeted enforcement challenges designed to detect and stop advanced bots that mimic human behaviour. Arkose Labs also features a Managed Services plan with 24x7 SOC protection and proactive monitoring to stay one step ahead of threats. When an incident occurs, clients receive guaranteed priority response and remediation within 48 hours.

It’s important to remember that fraud is a business. By making it more costly to successfully implement an attack and forcing fraudsters to deploy more resources, it will deter them from continuing to attack.

‘The availability of vast amounts of consumer data, advanced and commoditised tools, and even YouTube tutorials make it easy for fraudsters to launch complex account takeover attacks’, Gosschalk explained. ‘However, with the right tools in place, businesses can protect themselves and their customers from the perils of stolen credentials, and they can do so without negatively affecting the customer experience.’

