Up to 90 per cent of the average online retailer's login traffic is generated by cybercriminals trying their luck with credential stuffing attacks, Shape Security estimated in its latest Credential Spill Report.
The biz crunched the numbers [PDF] on 51 organizations across a range of global sectors that reported having an eye-watering 2.3 billion credentials snatched by miscreants during 2017. That's actually a slightly lower total than the outfit reported in 2016, but still equivalent to an average of 47.5 million credentials per spill.
Organizations featured in the report include high-profile names such as Yahoo! (two billion), Edmodo (77 million), Chinese streaming service Youku (101 million) and Equifax (which affected 145 million personal records yet, surprisingly, only 14,961 logins).
The MO for credential stuffing is simple – attackers try passwords stolen from hacked account databases on lots of other websites in the hope they also work.
In other words if you use the same email address and password for websites A and B, and A is hacked, the crooks will try to use the stolen login data to access your account on website B. It sounds like a long shot but, Shape estimates, it's effective up to three per cent of the time, an excellent rate of return for professional criminals.
Database intrusions are be bad enough, however, the larger damage is compounded by the length of time it takes for victims to report that an attack has been successful. Shape found that this now averages 15 months from the moment a password is snatched to the day the hacking is made public, more than enough time for credential stuffers to try logging into other accounts.
"What most people don't realise is the domino effect of damage that a single breach is capable of producing," said Shape's CTO, Shuman Ghosemajumder.
Time, time, time
The enemy here is delay, he said. If victims were able to alert one another to a breach soon after it occurred, credential stuffing would lose much of its power.
"To fight back, organizations have started banding together to build a collective defense to be alerted when credentials stolen from one breach are being used to log in to another, effectively blocking attackers attempting to access their platforms with compromised credentials."
Almost as extraordinary is that companies can see the credential stuffing traffic from failed logins. For example, while all business sectors face a threat from credential stuffing, some see far more attacks than others.
Based on Shape's own customer analysis, for e-commerce 91 per cent of login traffic was from credential stuffing, while for airlines it was 60 per cent, banking on 58 per cent and hotels 44 per cent.
Either my name, my password or my soul is invalid – but which?READ MORE
Not surprisingly, losses from credential stuffing fraud are high, reaching $5bn a year in the US alone, as attackers exploit account takeover to buy goods, make in-store payments, or purchase e-gift cards. Personally Identifiable Information (PII) resulting from successful attacks can also be sold on criminal forums.
A deeper question is why, given the weak state of credentials, companies don’t adopt better security? Options here include mandatory use of multi-factor authentication (MFA), better detection of credential stuffing and more data sharing.
More long-terms solutions include WebAuthn, an emerging standard that would abandon traditional credentials completely in favor of physical and biometric authentication mechanisms. The advantage of that would be that there are no credentials to steal.
This might take longer than some realize, note the report's authors: "Companies with high competition are loathe to introduce additional friction into their experience in the form of MFA, lest they lose out on potential revenue." ®