Home » Security Bloggers Network » 5 Industries at Risk for Credential Stuffing and ATO

5 Industries at Risk for Credential Stuffing and ATO

by Enzoic on July 2, 2019

All industries are targets for cyber-attacks, but some are more targeted due to the value of the accounts. Five industries in particular are more at-risk for credential stuffing and account takeover (ATO) attacks. Here is why.

With articles coming out daily on new data breaches and leaks, perhaps you heard about the account takeover attacks at Basecamp, Dunkin Donuts, or TurboTax earlier this year. The attacks were invasive and the source of the attack vector is concerning. These incidents were made possible by credential stuffing—an attack methodology that utilizes stolen user names and passwords from one website, then uses them to access other web-based accounts.

This type of attack is difficult to defend against because organizations have a hard time discerning between legitimate customer usage and a bad actor gaining unauthorized access to the account. The main vulnerability is customer reuse of passwords across different accounts. Bad actors find full credentials from the dark web or internet and then will attempt to access an account other sites where the exposed credentials may be valid.

Credential Stuffing & Account Takeover (ATO)

Successful credential stuffing attempts can directly lead to account takeover (ATO) and fraud. Today’s threat landscape features credential stuffing as a primary menace to every business in America:

The rate
of account takeover started to spike in 2017 and has not declined yet. In 2018,
Akamai reported over 30
billion malicious login attempts detected by their services alone.
It is estimated that automated
credential-stuffing attempts makes up 90% of enterprise login traffic in the US.
The recent Verizon Data Breach Incident Report
(DBIR) blamed 29% of all breaches on credential stuffing.

Money, corporate reputation, and customer loyalty are all at risk and many organizations are challenged in thwarting credential stuffing attacks and automated bots because they have to balance it with ease-of-use for legitimate customers and users.

Top 5 Target
Industries

The price tag for ATO amounts to billions of dollars annually. While the success rate of a single login attempt remains low, a network of bots can attempt millions of logins per day and they are successful an estimated 0.5%-3% of the time, depending on the target. Some success in accessing accounts through credential stuffing is inevitable because many users are reusing their passwords across different accounts.

To determine the sectors most at risk of credential stuffing,
follow the money. While gaining access
to sensitive systems or data is one objective, extracting value from directly
from the account is the motivation in roughly 75% of all these attacks.

#1 Retail &
e-Commerce:

In retail and e-commerce, accounts are tied directly to goods and services, so it’s not surprising to find this sector on the top of our ATO threat list. Electronic gift cards also offer a way for bad actors to obtain information, transfer value and spend money rapidly. Because of the value of the accounts, this industry sector faces the highest raw number of malicious attacks, with over 80% of login attempts being suspect.

Eyeglass firm Warby
Parker was one of the
more recent retail victims of credential stuffing. In Japan, a favorite
retailer saw accounts
for 460,000 customers exposed. Mitigating credential stuffing is one of the top priorities
for more online retailers.

#2 Video Streaming Services, Social Media & Entertainment:

The common goal for a cybercriminal in this sector is to gain
unauthorized access and utilize paid streaming services for free. While the
legitimate account owner may be unencumbered, these acts will result in lost
business and additional costs for the provider. Additionally, entertainment and
social media accounts also contain additional data that may be used to steal
identity or can be monetized.

Video sharing service DailyMotion last January confirmed
a credential stuffing attack
to a reporter from ZDNet.com just weeks after Reddit
suffered a similar fate. In all cases, there is some potential for financial
gain plus additional theft of email addresses, passwords, and other
credentials.

The challenge for this industry is that additional security measures at login can create user friction for legitimate users. Additional friction is proven to lower user satisfaction rates and increase user abandonment. Some utilize additional authentication processes, others will force password resets. In May, Spotify implemented a password reset for customers citing suspicious activity exploiting stolen login data. Spotify stated that the music service had not experienced a data breach, but grumbling users were forced to change their passwords and took to social media to complain about the poor user experience.

#3 Financial Services

Financial Services and banking firms control trillions of dollars, so these institutions are a top target for credential stuffing and ATO. Accenture recently reported that credential theft is a pervasive and dangerous threat in particular for financial services.

In August 2018, attackers made
off with $13.5 million in a bank heist by compromising India’s Cosmos
financial systems. The MoneyTaker
hacking group is suspected of stealing millions from banks in the UK,
US, and Russia over the past few years. One US credit union outlined how an automated
credential stuffing targeted them in a single week, wreaking havoc on their
systems. The credit union often sees a spike in traffic at lunchtime which
could sometimes reach 45,000 login attempts over an hour. However, a botnet launched a brute-force
attack which ramped up this rate to 4.2 million attempts over the course of
seven days.

A successful ATO in this sector can yield a significant
payday. According to Akamai’s 2018 State of the Internet (SOIT) analysis, near-constant
attacks cost one
leading financial entity $100,000 per day in fraud losses. Data seekers can
also grab W-2 forms, pension funds, annuities,
payroll data, and direct deposit details that will ultimately unlock other
financial opportunities.

Compromised credentials are a rapidly growing threat to not
only customers, but also financial services enterprise networks, especially if
cybercriminals gain access to the username and password of an employee with
access to IT systems or sensitive data. With this type of access, bad actors
don’t require malware to access the information they want.

#4 Higher Education

Higher education institutions are also a top target because they’re data rich. Their data trove includes lots of financial aid data on students, grants, employee tax records, and other financial objectives. Research data and other intellectual property is among the most sought-after data by attackers and nation state hackers.

In March 2018, over 300 universities worldwide suffered from
a sophisticated and orchestrated cyberattack organized by 9 Iranian hackers.
According to the official reports, 31 terabytes of “valuable intellectual
property and data” was exposed.

To compound the issue, students often lack the experience and judgement to detect phishing schemes. To accommodate the student, staff and researcher needs, most universities and colleges rely on relatively accessible systems. This creates a challenge at many higher education institutions; balancing security with easy access for legitimate users. Most education institutions do not have large IT budgets and they often lack an IT resources to implement new safeguards. The risks faced by the higher education sector are unique but there are cost-effective tools that can specifically help this sector in particular.

#5 Healthcare Organizations

The Healthcare sector is constantly under attack for credential stuffing and ATO, especially with increasingly connected medical devices. For example, Sutter Health, which serves over 3 million patients, deals with countless cyberattacks daily. It was hit with around 87 billion cyberthreats in 2018 alone. Attacks on healthcare organizations are increasing every year.

It’s not just billing data that hackers seek from the
healthcare sector. Medical records on individual patients often bring top
dollar on Dark Web
marketplaces. The data can trigger identity theft, credit card fraud, and much
more. Stolen health insurance details can also be used to obtain free medical
or dental care.

Like some of the other industries, there is a tension
between healthcare cybersecurity experts who want to secure systems and stakeholders
whose priorities are patient care. It’s key for doctors and medical staff to
understand the importance of cybersecurity, but it can be a hard sell for busy
clinicians.

Other Segments at Risk

While not a top target in terms of cash jackpots, small businesses often face risks for credential stuffing and ATO that are out of proportion with their size. Small businesses often have smaller IT budgets and staff, so they are often less focused on security. Entrepreneurs may take solace in the belief that they’re too tiny to target. That is a false narrative.

Verizon’s most recent DBIR documented that 43% of all data breaches last year targeted this sector. And just like more extensive operations, small firms are reluctant to create a cumbersome online login process for their users. For online merchants, fear of creating friction in the shopping process leads to fear that shoppers will follow the easy path and move to a competitor. Often, this accounts for the lack of proactive measures employed.

Travel and loyalty plans can also attract hackers who seek
free goods. Numerous credit card and other loyalty programs offer gift cards in
exchange for points. Airlines mileage plans are another target for credential
stuffing. Even online pizza companies can fall victim to credential stuffing
and send loyal customers’ rewards to a hungry intruder.

The Costs of Credential Stuffing and ATO

Estimates vary, but they all agree that credential stuffing costs US businesses billions of dollars annually. Between 80 and 90 percent of an online retailer’s web traffic is made up of credential stuffing attacks and is costing the U.S. banking industry $50 million on a daily basis. In addition to large financial losses, you risk losing loyal customers. An organization’s reputation is hard to value in terms of dollars when it comes to account takeover or a data breach, but it also needs to be carefully considered.

It is difficult to overstate the value of screening for compromised credentials. Credential reuse is a nightmare for any enterprise—one that is likely to grow worse as long as consumers insist on reusing passwords and the average number of accounts created by user increases every year.

Recently, the National Institute for Standards and Testing (NIST) adopted guidelines suggesting that all organizations screen their login process for compromised credentials. If done seamlessly, screening can practically eliminate the friction that users feel with 2FA and the false positives/negatives associated with risk-based authentication.

It’s time for proactive measures.

Is your business interested in bettering the user experience while increasing security during login seamlessly? If yes, you should be considering compromised credential screening. For more information, visit: https://www.enzoic.com/account-takeover-prevention/

The post 5 Industries at Risk for Credential Stuffing and ATO appeared first on Enzoic.