Cybercriminals’ use of cross-matching techniques and credential-stuffing bots is creating headaches for CISOs and costing Asia-Pacific organisations up to $28.5 million per year, according to new figures from Akamai that also suggest the average company suffers 12 credential-stuffing attacks each month.
Credential stuffing – when cybercriminals use stolen user credentials to access other services where those users have used the same credentials – had caught “immature” e-commerce brands unawares because their cybersecurity efforts to date have prioritised the protection of payment-card data, Ari Weil, Vice President of Product Marketing, Akamai told CSO Australia.
“These brands have been very mature when it comes to web and mobile performance,” he said, “but they are immature from a security perspective. The only thing they’ve had to worry about in the past have been things like PCI DSS, so they can handle credit-card data.”
That singular focus had left many e-commerce providers open to exploitation by cybercriminals that regularly use bots to pepper sites with stolen credentials until they are allowed onto the site – at which point goods are falsely ordered, or other personal information harvested to fill out ever more-detailed personal profiles that can fuel identity theft or be sold online.
Those profiles become even more valuable than any fraud that may be occasioned by the successful credential stuffing, with detailed personal information facilitating identity theft and other follow-on exploitation.
“Growing awareness of bots, and the impact they can have, has produced a real and immediate realisation of the financial implications of things like credential abuse and account takeover,” Weil said.
Some 81 percent of respondents said they were getting up to 10 credential-stuffing attacks per month, with most attacks (41 percent) targeting between 101 and 500 user accounts at a time.
Fully 71 percent said they had experienced application downtime from large spikes in login traffic, while 65 percent incurred costs to remediate compromised accounts and 54 percent cited lower customer satisfaction. And 38 percent had lost business when customers switched to competitors after being hit by such an attack.
Spot the bots
While e-commerce companies were good at customer experience but bad at security, financial-services organisations were coming from the opposite perspective – great at security, but only now pairing that with a better customer experience.
Healthcare organisations were “the ultimate laggards”, Weil added, noting that organisations in that space had been looking after protected health information (PHI) but “have been doing it in a walled-garden, moats-and-castles approach with on-premises infrastructure and very old legacy systems.”
Many organisations believed there was little value in PHI for attackers, but the reality was that data-hungry cybercriminals and their bots could glean a considerable amount of valuable information from PHI.
“There is a lot of very useful data for an attacker to get access to from PHI,” he said. “Email addresses, home addresses, phone numbers and other data
Because the credentials are otherwise legitimate, many businesses find it difficult to detect such activity, much less to shut it down in progress or prevent it entirely.
Fully 86 percent of the Asia-Pacific respondents to the recent Ponemon Institute-Akamai Cost of Credential Stuffing report said they found it difficult to differentiate real employees or customers from criminal imposters, while 81 percent agreed that credential stuffing attacks are difficult to detect.
The problem is exacerbated by the diverse population of customer-facing websites in the typical company, with 28 percent of respondents saying their organisation has 11 to 20 such sites and 21 percent running between 21 and 30 sites.
Monitoring each of these simultaneously requires a degree of cybersecurity practice that most companies struggle to achieve – including methods for spotting virtualised bots based on aspects of their operating environment, and techniques for excluding logins based on questionable location information.
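One practical way to separate stuffing bots from real customers in login logs is to look at how many distinct accounts a single source tries and how rarely it succeeds. The script below is an added example (not Akamai's product, and not from the article); it assumes a constructed, hypothetical log line format of `ip=... user=... result=ok|fail` and illustrative thresholds, and also lists the accounts that logged in successfully from a flagged source so they can be remediated.

```python
import re
from collections import defaultdict

# Constructed sample login events (not from the article); the line format is an
# assumption: "<timestamp> ip=<address> user=<account> result=<ok|fail>".
SAMPLE_LOG = """\
2019-05-01T10:00:01Z ip=203.0.113.5 user=alice result=fail
2019-05-01T10:00:01Z ip=203.0.113.5 user=bob result=fail
2019-05-01T10:00:02Z ip=203.0.113.5 user=carol result=fail
2019-05-01T10:00:02Z ip=203.0.113.5 user=dave result=ok
2019-05-01T10:00:03Z ip=203.0.113.5 user=erin result=fail
2019-05-01T10:00:03Z ip=203.0.113.5 user=frank result=fail
2019-05-01T10:01:10Z ip=198.51.100.7 user=alice result=fail
2019-05-01T10:01:25Z ip=198.51.100.7 user=alice result=ok
2019-05-01T10:02:00Z ip=192.0.2.9 user=bob result=ok
"""

LINE_RE = re.compile(r"ip=(\S+) user=(\S+) result=(ok|fail)")

def parse_events(log):
    """Yield (ip, user, succeeded) tuples; lines that do not match are skipped."""
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group(1), m.group(2), m.group(3) == "ok"

def flag_stuffing_sources(log, min_distinct_users=5, max_success_ratio=0.3):
    """Flag source IPs that try many *different* accounts with mostly failures.
    A customer retrying a password hits one account; a bot replaying a breached
    credential list hits many accounts and succeeds only occasionally."""
    per_ip = defaultdict(lambda: {"users": set(), "total": 0, "ok": 0})
    for ip, user, ok in parse_events(log):
        stats = per_ip[ip]
        stats["users"].add(user)
        stats["total"] += 1
        stats["ok"] += int(ok)
    flagged = {}
    for ip, stats in per_ip.items():
        ratio = stats["ok"] / stats["total"]
        if len(stats["users"]) >= min_distinct_users and ratio <= max_success_ratio:
            flagged[ip] = {"distinct_users": len(stats["users"]),
                           "attempts": stats["total"], "successes": stats["ok"]}
    return flagged

def accounts_to_remediate(log, flagged_ips):
    """Accounts that logged in successfully from a flagged IP: likely taken over."""
    return sorted({u for ip, u, ok in parse_events(log) if ok and ip in flagged_ips})
```

The thresholds are deliberately conservative placeholders; in practice they would be tuned per site against normal login volume and combined with the environment and location signals mentioned above.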
Indeed, just 41 percent of respondents said they have good visibility into such attacks – and many believe strategic moves into the cloud had exacerbated the problem by making their data more accessible to cybercriminals.
“The fact people are being forced to move to the cloud is the #1 pain point that CISOs are blaming for being so overloaded and concerned about their skills gap,” Weil said. “The challenges the CISO faces are exponentially greater than they ever were, and the skills gap they perceive is all the more painfully obvious.”
This guidance is crucial given that all businesses with annual revenues of $3m or more must be prepared to report details of any cybersecurity incident that can be identified as an ‘eligible data breach’ to the Office of the Australian Information Commissioner (OAIC) under the terms of the newly enacted Notifiable Data Breaches (NDB) Scheme.