Credential stuffing is a plague on the entire digital economy. In the first half of 2021, our network detected and stopped 285 million credential stuffing attacks--29% of all total fraud attacks--with spikes upwards of 80 million in a single week. Making matters even worse, these attacks affect the bottom line, with 46% of businesses reporting that these attacks have led to decreased revenue. One estimate pegs the annual average cost of credential stuffing to businesses at $6 million.
In an effort to increase awareness about this increasingly damaging threat that continues to impact businesses around the globe, I am pleased to announce that Arkose Labs today has kicked off the inaugural Credential Stuffing Week, in order to shed light on how this issue is affecting businesses and consumers alike.
What is Credential Stuffing?
Simply put, credential stuffing -- also known as password spraying -- is an attack whereby bots are deployed to constantly try different username/password combinations at scale to compromise legitimate user accounts until a match is found. Due to years of hacks and data breaches exposing this information, fraudsters have a wealth of raw material to draw upon when launching these attacks. Since they use automation to test credentials at a massive scale at little cost to themselves, they only need a small number of these combinations to be correct in order for their attacks to be profitable.
RECOMMENDED RESOURCE
The Full Economic Cost of Credential Stuffing Attacks
Credential stuffing is a prime driver of account takeover attacks. Once accounts are compromised, fraudsters have numerous ways to monetize them, such as by stealing money directly from the account (if it is associated with a financial or payment account), re-selling the comprised credentials on black market forums, using the account to launder stolen money, reselling access to a streaming service to multiple people, using a social media account to spread disinformation or propaganda, and much, much more.
During Credential Stuffing Week and beyond, Arkose Labs is engaging with customers, partners, and journalists to ensure that stopping credential stuffing is part of a company’s ongoing fraud strategy. It’s an issue that I personally and the company as a whole am passionate about.
Long Term Deterrence Against Credential Stuffing
Fraudsters are an innovative and persistent bunch, despite the criminal nature of their work. They constantly change their tactics, upgrade their tools and adapt to overcome new defenses that businesses out up. This is akin to playing whack a mole and leads to mere mitigation, rather than fraud prevention.
Instead, businesses need long-term deterrence against credential stuffing. That’s why Arkose Labs follows the approach of making the attacks financially unsustainable such that it deters the attackers from entirely targeting your business. By increasing the cost of making the attack for the fraudster, Arkose Labs drastically erodes the potential return of their attack, causing attackers to give up and look for the next, easier target.
Arkose Labs Credential Stuffing Warranty
We believe that digital businesses need a true partner in helping to navigate the complex cybercrime ecosystem. This is why I am so proud that Arkose Labs backs its Fraud and Abuse Prevention Platform with the industry’s first warranty against credential stuffing attacks. The warranty offers a commercial guarantee against credential stuffing attacks, covering customers up to $1 million in response expenses including legal consultation, forensic services, notification expenses, identity theft, and credit monitoring.
We look forward to bringing you engaging content and interacting with the media, clients, and prospects all this week on this important issue.