Cybersecurity threats are becoming more prevalent each year, and business owners need to focus on protecting their companies and upgrading their defenses. Companies that use the internet to do business are especially at risk for credential stuffing, a tactic wherein botnets attempt to use fraudulent login data to access information. According to Akamai’s State of the Internet 2018 report, 8.3 billion malicious login attempts were identified in the months of May and June alone.
On e-commerce websites, more than 90 percent of the global login traffic results from credential stuffing attacks. Other industries such as air transportation and consumer finance are experiencing a similar effect, with criminal activity accounting for about 60 percent of login attempts.
Despite the widespread practice of credential stuffing, the majority of companies don’t address botnet attacks until they’ve already happened. By then, it’s too late. As many as 3 percent of attacks in e-commerce slip through defenses, at a cost of about $6 billion annually. In banking, the cost of this fraud amounts to about $1.7 billion each year. Many industries are seeing the costs rise as credential stuffing becomes more lucrative for cybercriminals.
The Concept of Credential Stuffing
So what makes credential stuffing a worthwhile cyberattack? It’s that 70 percent of people use the same password for at least some of their online logins. When you hear about data breaches at major companies — up to 75 percent of retailers have been breached — the attackers gain access to users’ login information. The dark web is a common place for this data to end up. Reused stolen information is also common.
Then it’s a simple matter of plugging the account information into software (botnet) that slams against every known website and app on the internet. Snipr is one example of this. With enough data, it’s only a matter of time before hackers match the right combination of login info and website portal, allowing them entry into the backends or personal accounts on websites.
On e-commerce websites, bad actors can use this information to make fraudulent purchases or steal even more information. Even small businesses without an e-commerce component typically allow remote access for employees working remotely. If the login credentials of employees match the ones obtained by hackers, they have access to the entire network. Stolen data is common in this situation. A perpetuated cycle is the result. According to Shape Security’s 2018 Credential Spill Report, the prior year saw more than 2.3 billion credentials compromised from 51 organizations.
The Costs of Credential Stuffing
Victims of credential stuffing attacks face severe consequences. Some of these costs are financial, such as the $6 billion cost to the e-commerce sector previously mentioned. Other costs are less tangible but no less important.
Almost all businesses store some amount of personally identifiable information on employees or customers, and these companies are legally obligated to protect this information. When it leaks, governments and regulatory bodies can and will levy stiff fines that are imposed on a per-record basis. The fine amount depends on the severity of the attack and the number of records stolen. However, these financial burdens can add up and devastate businesses of all sizes. Ignorance of the threat is no defense.
In addition to fines and legal fees, companies face increased operational costs such as investigations, remediations, and customer care. One comprehensive report suggests each company could face yearly costs ranging between half a million dollars and upwards of $54 million, depending on the scope of the attack. Even when repeated login attempts aren’t valid, they’re not good for business; a flood of logins clogs up your bandwidth, causing lag times and user experience issues that result in lost sales.
Then there’s another consequence: customer loss. According to research from PwC, only 25 percent of consumers trust companies to do a good job of handling their personal data. Further, an overwhelming 87 percent of respondents indicated that they will stop doing business with a company if they don’t trust that organization with their sensitive information. A report from Akamai and the Poneman Institute suggests customer churn caused by credential stuffing attacks costs $2.7 million on average.
The Cure for Credential Stuffing
The cybersecurity world has turned its spotlight on credential stuffing recently, but many companies are already behind in defenses: Only 30 percent of companies report having sufficient solutions and technologies to prevent credential stuffing attacks, according to the Akamai/Poneman Institute report. Complicating matters is the inherent fight between customer experience and necessary defense protocols. Web teams argue that security needs can cause issues or slowdowns or can decrease the value of the user experience on websites, a conundrum that frequently results in compromising on either side.
But security is getting better and better at fighting against cyberattacks such as credential stuffing with minimal tradeoffs. In the long run, protecting your company from cyberattacks is a worthwhile investment. To protect against attacks, implement these four ideas.
1. Fight the Flood With Firewalls
The best way to protect yourself is with a solid firewall and a responsive security process. These tools will identify malicious traffic and block the source IP address, shutting down the attack from the source. This is particularly effective against credential stuffing because the massive attacks will come from single sources. Ideally, you won’t have to wait to process a spike in login activity after the fact. In a perfect world, your firewall should handle the threat in real time.
When you consider that a firewall frees up your bandwidth and allows it to once again be used productively, the $3,000 to $4,000 price tag turns out to be a decent investment.
2. Embrace Two-Factor Authentication
While a firewall protects you from the traffic itself, two-factor authentication protects you from someone breaking through with the lucky combination. In an Equifax break, for example, imagine the steal an employee’s information. Let’s say that employee used the same credentials to access your network remotely. Without two-factor authentication, hackers now have access to your company’s network.
Two-factor authentication is great protection because the second access code isn’t stored in a database. Valid for 60 seconds, they send a password to your phone for you to use. Two-factor authentication essentially downgrades credential stuffing attacks to distributed denial of service threats, meaning the attacks can still bring down a network through sheer traffic volume, but they can’t penetrate that network’s defenses.
3. Vote for VPNs
Almost all businesses allow remote access, which means their networks are vulnerable to external penetration attacks. The situation becomes even direr when you consider that employees are not always logging in from secure networks. Instead, they might be working from coffee shops, airports, and other hacker heavens with free public WiFi.
Requiring employees to log in to a virtual private network, or VPN, insulates them from the threat of hackers. A VPN allows for a secure network connection even on unsecured networks. Thus, employees can safely use their credentials to access the company network from wherever they are. VPNs also use encryption, so even if criminals gain access to transmitted data, they can’t use it.
4. Educate Your Employees
It’s important to communicate best practices to employees. Employees shouldn’t be using replicated passwords on company networks — period. Some people might justify the risk by thinking that they’ll simply change their passwords when they hear of a data breach, but it takes an average of 15 months from the day data is stolen to the time a company discovers and reports the intrusion. That’s more than enough time for hackers to squeeze every last bit of use out of stolen login credentials.
Expect some pushback from folks who don’t want to be inconvenienced. If we’re being realy, that means realistically, members of your C-suite. The thing is, it’ll be more inconvenient when the company goes out of business; or is bankrupt by astronomical fines due to a data breach.
As a small business owner, it’s easy to minimize the risks you face and feel like you probably don’t have the resources or sensitive information that place you at the top of the hit list. But small businesses with limited IT resources are easy targets. The tools that allow hackers to exploit you for their own gain are readily available. As credential stuffing becomes increasingly prevalent, make sure your company is protected and responsive.