Posted On: March 26, 2019
Credential stuffing is a type of cyber-attack where hackers take combinations of usernames and passwords leaked from other sites and use them to gain access to accounts on another site. F5 states that there’s typically a 1 to 2 percent success rate, which means that if a cybercriminal purchases 1 million stolen credential records (for sale on the dark web for fractions of a cent each), they can generally gain access to 10,000 to 20,000 accounts.
In a recent Ponemon Institute survey, respondents cited that these attacks cause costly application downtime, loss of customers and involvement of IT security that can result in an average cost of $1.7 million, $2.7 million and $1.6 million annually, respectively.
In addition, the companies represented in this research estimate that the monetary cost of fraud due to credential stuffing attacks can range from an average of more than $500,000 if 1 percent of all compromised accounts result in monetary loss to more than $54 million if 100 percent of all compromised accounts result in monetary loss.
Password reuse. According to Keeper Security, as many as 87 percent of people reuse the same password across multiple accounts. While they may not share passwords with others, they use the same password across multiple websites, making it easy for cybercriminals to break into all of those accounts once one of them leaks. In addition, Ponemon states that companies are vulnerable to credential stuffing attacks because:
How Can Companies Prevent/Mitigate Credential Stuffing Attacks?
Companies that wish to prevent credential stuffing attacks must take a layered security approach.
A robust web application firewall (WAF) is the first line of defense against credential stuffing attacks. A WAF can provide advanced bot detection and prevention. By analyzing behavior, such as IP location, time of day, and connection attempts per second, a WAF can help you identify non-browser login attempts.
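The behavioral signals listed above (attempts per second and the spread of usernames tried from one source) are what distinguish a stuffing run from a legitimate user retrying their own password. The following is an added illustration, not code from OneNeck or any WAF product: a small detector run over constructed login log lines, flagging a source IP only when its attempt rate is high and it has cycled through many distinct usernames.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample login log lines: timestamp, client IP, username, result.
# 203.0.113.7 tries eight different accounts in two seconds (stuffing pattern);
# 198.51.100.2 is one user retrying their own password and should not be flagged.
SAMPLE_LOG = """\
2019-03-26T10:00:00 203.0.113.7 alice FAIL
2019-03-26T10:00:00 203.0.113.7 bob FAIL
2019-03-26T10:00:00 203.0.113.7 carol FAIL
2019-03-26T10:00:01 203.0.113.7 dave FAIL
2019-03-26T10:00:01 203.0.113.7 erin FAIL
2019-03-26T10:00:01 203.0.113.7 frank OK
2019-03-26T10:00:02 203.0.113.7 grace FAIL
2019-03-26T10:00:02 203.0.113.7 heidi FAIL
2019-03-26T10:00:05 198.51.100.2 alice FAIL
2019-03-26T10:00:09 198.51.100.2 alice FAIL
2019-03-26T10:00:15 198.51.100.2 alice OK
"""


def parse(log):
    """Parse the space-separated log format above into (time, ip, user, result) tuples."""
    events = []
    for line in log.splitlines():
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result))
    return sorted(events)


def flag_stuffing(events, max_rate=1.0, min_users=5):
    """Return {ip: stats} for source IPs whose logins look like credential stuffing.

    An IP is flagged when its attempts per second (over its first-to-last attempt
    span, minimum 1 s) exceed max_rate AND it tried at least min_users distinct
    usernames. Thresholds are assumed values for this example, not vendor defaults.
    """
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)
    flagged = {}
    for ip, evs in by_ip.items():
        span = max(1.0, (evs[-1][0] - evs[0][0]).total_seconds())
        users = {e[2] for e in evs}
        rate = len(evs) / span
        if rate > max_rate and len(users) >= min_users:
            flagged[ip] = {"attempts": len(evs), "distinct_users": len(users),
                           "rate": rate, "successes": sum(e[3] == "OK" for e in evs)}
    return flagged
```

The `successes` count is the figure worth alerting on: it is the set of accounts that a stuffing run actually opened and that need a forced password reset.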
Multi-Factor Authentication works to thwart credential stuffing by requiring additional information or credentials from the user to gain access to corporate data. MFA doesn’t stop all types of attacks, and it doesn’t guarantee security, but it does add additional layers of authentication that make cyberattacks more difficult.
Empower your users with some password management best practices. According to F5, the most significant takeaway for your employees is that no one should ever use network login credentials on any third-party site, because if that site is compromised, then cybercriminals will have access to your corporate network and any applications within.
OneNeck offers extensive cybersecurity expertise. We identify the gaps and provide remediation guidance, and a roadmap to face the future with confidence. In today's accelerated world, you need a partner that helps keep you safe — so you can stop wondering if everything's alright.