Akamai, the intelligent edge platform for securing and delivering digital experiences, along with Ponemon Institute, today unveiled results from an APAC-wide study to quantify the potential cost to prevent, detect and remediate credential stuffing attacks. The companies represented in this research estimate that the cost of credential stuffing attacks can range from $284,649 if one percent of all compromised accounts result in monetary loss, to an average of $28.5 million if all compromised accounts result in monetary loss.
The study, titled ‘The Cost of Credential Stuffing: Asia Pacific’ conducted by Ponemon Institute and sponsored by Akamai Technologies, surveyed 538 IT security practitioners familiar with credential stuffing attacks from a range of industries including Financial Services, Retail and e-Commerce, Travel & Hospitality, Media, Entertainment & Gaming, and more. Respondents stated that these attacks cause costly application downtime, loss of customers and involvement of IT security that can result in an average cost of $1.2 million, $1.5 million and $1.1 million annually, respectively.
Credential stuffing typically begins with fraudsters buying lists of stolen credentials (user IDs and passwords) on the dark web and using a botnet to replay those pairs against an organization's login page. Because many people reuse the same password across sites, some fraction of the pairs validate even though they were stolen from an unrelated service. The end result is typically an account takeover, in which the fraudsters use the validated credentials to commit fraud. The usual goals are fraudulent purchases, fraudulent financial transactions and the theft of further confidential information.
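The traffic pattern described above is what a detection rule has to key on: many distinct usernames, each tried about once, a very high failure rate, and (when a botnet is used) many source IPs with only a few attempts each. A classic brute-force attack looks different, with one username hammered many times from one address. The following is an added example, not code from Akamai, Ponemon or the study; it parses a hypothetical login-log format, runs over constructed sample lines, and uses thresholds that are assumptions to be tuned against real traffic.

```python
"""Heuristic credential-stuffing detector for login logs (added example).

The log format, sample data and thresholds below are constructed for
illustration; they are not from any real product or from the study.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timezone

# Hypothetical log line format, e.g.
#   2024-05-01T10:00:01Z login user=alice src=198.51.100.10 result=ok
LINE_RE = re.compile(
    r"^(?P<ts>\S+) login user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>ok|fail)$"
)


@dataclass(frozen=True)
class LoginEvent:
    ts: datetime
    user: str
    src: str
    ok: bool


def parse_log(text: str) -> list[LoginEvent]:
    """Parse log lines into events, skipping anything that does not match."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(LoginEvent(ts, m["user"], m["src"], m["result"] == "ok"))
    return events


def detect_stuffing(events, window_seconds=300, min_attempts=10, min_fail_rate=0.8,
                    min_distinct_users=10, max_tries_per_user=2.0):
    """Return one alert per tumbling window whose shape matches credential stuffing.

    Thresholds are assumptions: stuffing bursts show many distinct usernames,
    roughly one try per username and a failure rate near 100%. A brute-force
    burst (one user, many tries) deliberately does not match this rule.
    """
    buckets = defaultdict(list)
    for e in events:
        t = int(e.ts.timestamp())
        buckets[t - t % window_seconds].append(e)

    alerts = []
    for start in sorted(buckets):
        evs = buckets[start]
        n = len(evs)
        if n < min_attempts:
            continue
        users = {e.user for e in evs}
        srcs = {e.src for e in evs}
        fail_rate = sum(not e.ok for e in evs) / n
        tries_per_user = n / len(users)
        if (fail_rate >= min_fail_rate and len(users) >= min_distinct_users
                and tries_per_user <= max_tries_per_user):
            alerts.append({
                "window_start": datetime.fromtimestamp(start, timezone.utc).isoformat(),
                "attempts": n,
                "distinct_users": len(users),
                "distinct_sources": len(srcs),
                "fail_rate": round(fail_rate, 2),
                # Successes inside a stuffing burst are the validated pairs,
                # i.e. the accounts most likely to have been taken over.
                "validated_accounts": sorted(e.user for e in evs if e.ok),
            })
    return alerts


def constructed_log() -> str:
    """Build constructed sample traffic (not real data) covering three windows."""
    rows = [
        ("10:00:01", "alice", "198.51.100.10", "ok"),
        ("10:00:30", "bob", "198.51.100.22", "fail"),  # a typo, then success
        ("10:00:41", "bob", "198.51.100.22", "ok"),
    ]
    # 10:10-10:15: twelve usernames tried once each from four bot IPs; one
    # stolen pair still works on this site, which is the takeover signal.
    bots = ["203.0.113.5", "203.0.113.17", "203.0.113.42", "203.0.113.99"]
    targets = ["carol", "dave", "erin", "frank", "grace", "heidi",
               "ivan", "judy", "mallory", "niaj", "olivia", "peggy"]
    for i, user in enumerate(targets):
        rows.append((f"10:10:{i * 3:02d}", user, bots[i % 4], "ok" if user == "judy" else "fail"))
    # 10:20-10:25: classic brute force, one username hammered from one IP.
    for i in range(12):
        rows.append((f"10:20:{i * 4:02d}", "admin", "192.0.2.77", "fail"))
    return "\n".join(f"2024-05-01T{t}Z login user={u} src={s} result={r}" for t, u, s, r in rows)


if __name__ == "__main__":
    for alert in detect_stuffing(parse_log(constructed_log())):
        print(alert)
```

Only the 10:10 window fires: twelve distinct users, four sources, a 92 percent failure rate and one validated account. The brute-force window in the same log has the same volume and failure rate but a single username, so the rule ignores it; that separation is what lets an analyst route stuffing alerts to the accounts that actually need a forced password reset rather than to a generic rate-limit.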
Key findings from the study include:
- Application and organizational challenges
  - A broader strategy can help mitigate credential stuffing attacks on the cloud: 51 percent of respondents agree that the migration of applications to the cloud increased the risk posed by credential stuffing. As with many aspects of security, an organization's broader cloud strategy affects the security team's ability to protect the growing number of applications (and the endpoints supporting different types of clients) spread across different computing platforms.
- Ability to prevent, detect and remediate credential stuffing
  - Organizations are struggling to respond to credential stuffing attacks: 41 percent of respondents say they do not have good visibility into credential stuffing attacks, and 37 percent do not believe that credential stuffing attacks against their websites are quickly detected and remediated.
- Quantifying credential stuffing attacks
  - Attacks impact large numbers of user accounts: respondents reported that an average of 954 user accounts are targeted in each credential stuffing attack.
- Consequences and cost of credential stuffing
  - Organizations do not budget enough to address the problem: only 37 percent of respondents agree that their companies' security budgets are sufficient for preventing and/or containing credential stuffing attacks. 20 percent are unsure, while 43 percent either disagree or strongly disagree.
  - The Yahoo breaches disclosed in 2016 show how serious the threat of credential stuffing is. Those breaches spilled a total of 1.5 billion credentials onto the Internet, with the larger set protected only by the weak MD5 hashing algorithm. The thefts themselves took place in 2013 and 2014, giving criminals up to four years to crack the weakly protected passwords before disclosure, and a fast, unsalted-style hash such as MD5 offers little resistance to offline cracking at that scale.
The sampling frame for 'The Cost of Credential Stuffing: Asia Pacific' study was composed of 15,365 IT security practitioners who are familiar with credential stuffing attacks and are responsible for the security of their companies' websites. A total of 591 respondents completed the survey, of which 53 were removed by screening and reliability checks. The final sample consisted of 538 surveys.