Credential Stuffing Costs Firms $4m Each Year
Credential stuffing attacks are costing EMEA businesses on average $4m each year, according to new research from Akamai.
The content delivery firm commissioned the Ponemon Institute to interview 544 IT security professionals in the region who are familiar with these attacks on their organization.
It found that companies are experiencing an average of 11 credential stuffing attempts each month, with each attack targeting 1041 user accounts.
Akamai calculated the $4m cost based on the financial impact of these attacks on application downtime ($1.2m), loss of customers ($1.6m), and the extra involvement of IT security ($1.2m) as well as the cost of follow-on fraud.
Complexity appears to be hampering efforts to contain credential stuffing. Surveyed companies had an average of 26.5 operational customer-facing websites for cyber-criminals to target via automated bot attacks.
Even more account takeover opportunities are presented by multiple log-in types across desktops, mobile web browsers, third parties and mobile app users, it claimed.
Only a third (35%) said that they have good visibility into such attacks, while around the same number (36%) claimed they are able to quickly detect and remediate.
An overwhelming number of respondents (88%) agreed it’s difficult to differentiate real employees from imposters.
“Modern websites are sprawling entities that can comprise hundreds or thousands of web pages and support many different types of clients and traffic. Companies understanding their website architecture and how clients flow from different pages to their login endpoints is essential to successfully mitigating credential stuffing attacks — and keeping costs under control,” argued Akamai senior director, Jay Coley.
“Companies need bot management tools to monitor their behaviors and distinguish bots from genuine log-in attempts. Instead of standard log-in systems which just check whether a username and password match, they need to look at key-press patterns, mouse movements and even the orientation of a mobile device.”
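The visibility and detection gap described in the survey is, at its simplest, a log-analysis problem: a credential stuffing run looks like one source trying many different usernames at machine speed with a very low success rate, whereas a genuine user retries one account a few times. The script below is an added example written for this page, not code from Akamai, Ponemon or Information Security Magazine; the log format, the IP addresses and usernames are constructed, and the thresholds are assumptions a defender would tune to their own traffic.

```python
"""Heuristic credential-stuffing detection over login logs (added example).

Each login event is one whitespace-separated line:
    <ISO-8601 timestamp> <source IP> <username> <OK|FAIL>
The heuristic flags a source IP when, within a short time span, it makes
many attempts against many distinct accounts with a low success rate:
the three signals that separate automated stuffing from a human retrying
one password. Log format and data are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample: 198.51.100.7 is an automated run (12 accounts in 22 s,
# one hit); 203.0.113.5 is one user mistyping a password and then succeeding;
# 192.0.2.9 is a single failed attempt. None of these are real events.
SAMPLE_LOG = """\
2024-03-01T10:00:01Z 198.51.100.7 u01 FAIL
2024-03-01T10:00:03Z 198.51.100.7 u02 FAIL
2024-03-01T10:00:05Z 198.51.100.7 u03 FAIL
2024-03-01T10:00:07Z 198.51.100.7 u04 FAIL
2024-03-01T10:00:09Z 198.51.100.7 u05 FAIL
2024-03-01T10:00:11Z 198.51.100.7 u06 FAIL
2024-03-01T10:00:13Z 198.51.100.7 u07 FAIL
2024-03-01T10:00:15Z 198.51.100.7 u08 FAIL
2024-03-01T10:00:17Z 198.51.100.7 u09 OK
2024-03-01T10:00:19Z 198.51.100.7 u10 FAIL
2024-03-01T10:00:21Z 198.51.100.7 u11 FAIL
2024-03-01T10:00:23Z 198.51.100.7 u12 FAIL
2024-03-01T10:05:00Z 203.0.113.5 alice FAIL
2024-03-01T10:05:40Z 203.0.113.5 alice FAIL
2024-03-01T10:06:10Z 203.0.113.5 alice OK
2024-03-01T10:07:00Z 192.0.2.9 bob FAIL
"""


def parse_line(line):
    """Parse one constructed log line into a dict; raises on malformed input."""
    ts, ip, user, result = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "ip": ip,
        "user": user,
        "ok": result == "OK",
    }


def analyze(log_text, window_seconds=60, min_attempts=10,
            min_distinct_users=8, max_success_rate=0.2):
    """Group events by source IP and score each source.

    Thresholds are assumed defaults, not values from the survey: a source is
    flagged only when all three signals (velocity, account spread, low hit
    rate) are present, which keeps a single user's retries below the bar.
    Returns {ip: {attempts, distinct_users, success_rate, span_seconds, flagged}}.
    """
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            event = parse_line(line)
            by_ip[event["ip"]].append(event)

    findings = {}
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e["ts"])
        span = (events[-1]["ts"] - events[0]["ts"]).total_seconds()
        distinct = len({e["user"] for e in events})
        success_rate = sum(e["ok"] for e in events) / len(events)
        flagged = (
            len(events) >= min_attempts
            and distinct >= min_distinct_users
            and success_rate <= max_success_rate
            and span <= window_seconds
        )
        findings[ip] = {
            "attempts": len(events),
            "distinct_users": distinct,
            "success_rate": success_rate,
            "span_seconds": span,
            "flagged": flagged,
        }
    return findings


def flagged_sources(log_text, **thresholds):
    """Return the sorted list of source IPs the heuristic flags."""
    return sorted(ip for ip, f in analyze(log_text, **thresholds).items()
                  if f["flagged"])


if __name__ == "__main__":
    for ip, f in analyze(SAMPLE_LOG).items():
        status = "STUFFING?" if f["flagged"] else "ok"
        print(f"{ip:15} attempts={f['attempts']:3} users={f['distinct_users']:3} "
              f"hit_rate={f['success_rate']:.2f} span={f['span_seconds']:.0f}s {status}")
```

The flagged source is also the one that produced a successful login (u09), which is the account a responder would want to review first; a fuller deployment would feed these per-source counters from a streaming window rather than a whole file, and would extend the grouping key to cover distributed runs that spread attempts across many IPs.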
Source: Information Security Magazine