Friday FYI: 9 out of 10 of website login attempts? Yeah, that'll be hackers

Credential stuffing is rampant – so try not to reuse the same password on every site, eh?


Up to 90 per cent of the average online retailer's login traffic is generated by cybercriminals trying their luck with credential stuffing attacks, Shape Security estimated in its latest Credential Spill Report.

The biz crunched the numbers [PDF] on 51 organizations across a range of global sectors that reported having an eye-watering 2.3 billion credentials snatched by miscreants during 2017. That's actually a slightly lower total than the outfit reported in 2016, but still equivalent to an average of 47.5 million credentials per spill.

Organizations featured in the report include high-profile names such as Yahoo! (two billion), Edmodo (77 million), Chinese streaming service Youku (101 million) and Equifax (which affected 145 million personal records yet, surprisingly, only 14,961 logins).

The MO for credential stuffing is simple – attackers try passwords stolen from hacked account databases on lots of other websites in the hope they also work.

In other words, if you use the same email address and password for websites A and B, and A is hacked, the crooks will try to use the stolen login data to access your account on website B. It sounds like a long shot but, Shape estimates, it's effective up to three per cent of the time, an excellent rate of return for professional criminals.

Database intrusions are bad enough, but the larger damage is compounded by the length of time it takes for victims to report that an attack has succeeded. Shape found that this now averages 15 months from the moment a password is snatched to the day the hack is made public, more than enough time for credential stuffers to try the stolen logins on other accounts.

"What most people don't realise is the domino effect of damage that a single breach is capable of producing," said Shape's CTO, Shuman Ghosemajumder.

Time, time, time

The enemy here is delay, he said. If victims were able to alert one another to a breach soon after it occurred, credential stuffing would lose much of its power.

"To fight back, organizations have started banding together to build a collective defense to be alerted when credentials stolen from one breach are being used to log in to another, effectively blocking attackers attempting to access their platforms with compromised credentials."

Almost as extraordinary is that companies can see the credential stuffing traffic in their failed logins. While all business sectors face a threat from credential stuffing, some see far more attacks than others.

Based on Shape's own customer analysis, for e-commerce 91 per cent of login traffic was from credential stuffing, while for airlines it was 60 per cent, banking on 58 per cent and hotels 44 per cent.
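As an added illustration (not Shape's code or data), here is the defender's side of the two points above: spotting the stuffing signature in failed-login traffic, and checking a submitted login against a shared set of credentials already spilled elsewhere. The log lines, IP addresses, spilled set and thresholds are constructed assumptions.

```python
import hashlib
from collections import defaultdict

# Constructed sample authentication log (not from the report): timestamp, source IP, username, result.
SAMPLE_LOG = """\
2018-01-12T10:00:01Z 203.0.113.7 alice@example.com FAIL
2018-01-12T10:00:01Z 203.0.113.7 bob@example.com FAIL
2018-01-12T10:00:02Z 203.0.113.7 carol@example.com FAIL
2018-01-12T10:00:02Z 203.0.113.7 dave@example.com OK
2018-01-12T10:00:03Z 203.0.113.7 erin@example.com FAIL
2018-01-12T10:00:05Z 198.51.100.4 frank@example.com FAIL
2018-01-12T10:00:09Z 198.51.100.4 frank@example.com OK
"""

def flag_stuffing_sources(log, min_attempts=5, min_distinct_users=4, min_fail_ratio=0.6):
    """Return {ip: (attempts, distinct_users, fail_ratio)} for sources whose traffic
    looks like credential stuffing: many attempts, many different usernames, mostly
    failures. A real user mistyping their own password hits one username repeatedly
    and is not flagged. Thresholds are arbitrary assumptions for the example."""
    attempts, fails, users = defaultdict(int), defaultdict(int), defaultdict(set)
    for line in log.splitlines():
        _ts, ip, user, result = line.split()
        attempts[ip] += 1
        users[ip].add(user)
        if result == "FAIL":
            fails[ip] += 1
    flagged = {}
    for ip, n in attempts.items():
        ratio = fails[ip] / n
        if n >= min_attempts and len(users[ip]) >= min_distinct_users and ratio >= min_fail_ratio:
            flagged[ip] = (n, len(users[ip]), round(ratio, 2))
    return flagged

def credential_fingerprint(user, password):
    """Hash of the user:password pair so organisations can exchange a 'known spilled'
    set without circulating plaintext secrets. A plain SHA-256 is a simplification:
    a production scheme would use a slow hash or a k-anonymity lookup, since fast
    unsalted hashes of weak passwords can be reversed offline."""
    return hashlib.sha256(f"{user.lower()}:{password}".encode()).hexdigest()

# Constructed stand-in for the shared set of credentials spilled in an earlier breach.
KNOWN_SPILLED = {credential_fingerprint("dave@example.com", "hunter2")}

def is_known_spilled(user, password, spilled=KNOWN_SPILLED):
    """True when a submitted pair matches a credential already spilled elsewhere, so
    the login can be stepped up (MFA, forced reset) even though the password is right."""
    return credential_fingerprint(user, password) in spilled
```

In the constructed log, the first source tries five different accounts in three seconds with one success, the pattern described above; the second source is one user retrying their own account and is left alone.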

Not surprisingly, losses from credential stuffing fraud are high, reaching $5bn a year in the US alone, as attackers exploit account takeover to buy goods, make in-store payments, or purchase e-gift cards. Personally Identifiable Information (PII) resulting from successful attacks can also be sold on criminal forums.

A deeper question is why, given the weak state of credentials, companies don’t adopt better security? Options here include mandatory use of multi-factor authentication (MFA), better detection of credential stuffing and more data sharing.

Longer-term solutions include WebAuthn, an emerging standard that would abandon traditional credentials completely in favor of physical and biometric authentication mechanisms. The advantage is that there would be no credentials to steal.

This might take longer than some realize, note the report's authors: "Companies with high competition are loath to introduce additional friction into their experience in the form of MFA, lest they lose out on potential revenue." ®
