With the help of leaked password databases, cybercriminals have repeatedly succeeded in taking over user accounts. Highly automated tools are used for this. A single credential stuffing attack can result in thousands of victims. For companies in the online business, account takeovers via credential stuffing by cybercriminals have become a financial business risk. This can reduce sales by up to nine percent, according to a new study carried out by strategy consultants Aberdeen on behalf of Nevis. For the study, Aberdeen focused on ten selected B2C categories in EMEA.
The study examined commercial banks, credit unions, savings institutions, financial technology, and property and casualty insurance, as well as consumer electronics, healthcare provider networks, online gambling, telecommunications, and utilities. The study shows how widespread attacks via credential stuffing currently are. Seventy-six percent of those surveyed said that some of their online users had been victims of successful account takeovers in the past 12 months.
Credential Stuffing: Cyber Attacks Hurt Profitability
The investigation also makes clear the dramatic extent of the resulting damage. The costs of successful cyberattacks quickly add up to significant amounts that cannot simply be dismissed as an unavoidable “cost of doing business.” Commercial banks lose 3.4 to 5.28 percent of sales due to credential stuffing. In the fintech sector, it is even between 5.57 and 8.96 percent. Sectors outside of the financial world are also affected to a comparable extent. Loss of sales due to illegal account takeovers from healthcare providers amounts to 4.45 to 5.79 percent. Even in the gambling sector, which is strictly regulated and therefore concerned with security, the losses are between 5.02 and 8.2 percent.
How Cybercriminals Exploit Hijacked Accounts
Once a user account has been taken over, the criminals can exploit it for various purposes. According to the Aberdeen study, fraudulent transactions (39 percent), creating new accounts (34 percent), and erroneously rejected card payments (34 percent) are the most common. Other typical consequences of account takeovers are chargebacks (18 percent), transfers of funds or other fungible assets (11 percent), fraudulent purchases (11 percent), and theft of digital content and services (11 percent). In addition to these direct consequences, there are indirect ones: for example, the number of active users declines because customers are deterred by increased security measures or migrate to competitors.
Aberdeen has also looked into how companies are trying to protect themselves from the increasing number of attacks via credential stuffing. The results show companies increasingly moving away from both the username-password model and multi-factor authentication solutions. For example, mobile apps for multi-factor authentication are currently used in 42 percent of the companies surveyed, but only 24 percent plan to introduce them in the future. On the other hand, the respondents see strong potential for innovation in passwordless approaches, which are both user-friendly and cost-efficient for the providers. At the same time, only 20 percent have implemented passwordless (adaptive, contextual, transparent) practices, and 46 percent plan to do so in the future.
Credential Stuffing Remains Popular With Cybercriminals
Credential stuffing is currently an attractive method for attackers for the following three reasons:
- First, the dark web makes it easy to obtain lists of credentials that have been made public through data breaches or hacks.
- Second, all business relationships based on digital accounts require digital credentials. Unless additional security measures have been taken, they are therefore vulnerable to brute force attacks such as credential stuffing.
- Third, the attacks can easily be automated: the perpetrators do not necessarily need programming knowledge but can rent the required programs on the dark web on a software-as-a-service basis.
This lucrative business model is only likely to disappear when most companies switch their user accounts to secure processes such as multi-factor authentication and, in particular, passwordless authentication. The Nevis solution portfolio includes password-free logins that can be operated intuitively and provide optimal protection for user data. Nevis is one of the market leaders for identity and access management in Switzerland and secures over 80 percent of all e-banking transactions.