Credential stuffing affects almost every industry, although some are affected more than others. What makes credential stuffing worse is that it can take place without companies detecting it. It is usually hard for any company without dedicated advanced bot tracking and mitigation measures to detect credential stuffing, because the company is unable to differentiate between legitimate customer usage and access by bad actors.
Many customers across companies and industries continue to reuse the same passwords on multiple platforms. In addition, 75 percent of credential stuffing attacks are motivated purely by financial factors, with the aim of draining money directly from user accounts. Further, many companies do not bother with 2FA, captcha, or other basic techniques for stopping malicious bots, let alone invest in advanced bot and botnet mitigation methods.
A good number of companies still do not bother to encrypt stored data and data in transit. This eases the work of bad actors. Thus the companies at the greatest risk are those without strong password and login rules, and those with poor information handling and storage policies. Here are the top industries most affected by credential stuffing.
1. Retail and e-commerce
No surprises here: the targeted customer accounts are tied to the sale and purchase of commodities, and thieves expect them to hold money. Online customer accounts are the ones targeted in almost all credential stuffing attacks. Criminals aim to compromise the accounts and drain user funds, then withdraw, transfer, or spend them. An example of a successful credential stuffing attack is the theft of 460,000 retail customer accounts of the Japanese Warby Parker eye-glass firm.
2. Entertainment Industry
Criminals target user accounts in this industry with the expectation of finding paid video services they can then use for free after an unauthorized login. Thieves also aim to steal user data and sell it in data markets. A large amount of harvested data of this type can be traded to marketers or other companies, for instance for targeted marketing and selling. Criminals can also use this data to try to log in to retail accounts or email accounts in case the user has reused passwords across different platforms. Another motive for launching credential stuffing of this nature is to tamper with or hamper a company's or an individual's business. In this case, the attacks can be carried out or funded by competitors.
Methods that deter credential theft on social media mainly hamper user experience by forcing users to change their passwords or authenticate their accounts regularly. Hence users keep abandoning the services.
3. Banking and Finance Institutions
Credential stuffing is common in this industry because the industry controls trillions of dollars. Data thieves in this industry aim to steal customer banking information such as that relating to deposits, transactions, and investments, as well as pensions and payrolls. This information can be used to open other accounts. Cybercriminals also aim to steal employee data such as login usernames and passwords, which gives them access to sensitive data and IT systems. Once they have the passwords, the bad actors do not need any malware.
There are many examples in this industry. They include India’s Cosmos credit union case in which the bank lost $13.5 million. Hackers stole the money using a botnet that launched a brute-force attack. A hacking group known as MoneyTaker is suspected to have stolen millions from banks across the U.S., U.K., and Russia.
4. Universities and Colleges
These institutions are a common target for data theft because they are data-rich. This data includes financial aid data and other transactions. Data thieves also target employee tax data and intellectual property. Unfortunately, students are unable to detect data breaches and most are even unaware of them. Most universities also need easily accessible systems so that students can use them without difficulty. They find that they must balance ease of use against security for legitimate users.
A good example of credential stuffing crime in this industry is the theft of data from 300 universities by 9 Iranian hackers in 2018.
5. Health Institutions and Departments
An increase in medical device interconnection is making this industry a high-profile target for data thieves and criminals. Once one of these devices is compromised, many more are easy to hack. Some of the information targeted includes billing data. Criminals also aim to steal medical records that they can then sell on the dark web. They can also use the information to carry out financial crimes, for instance by using it to try to access financial accounts.
For instance, Sutter Health has 3 million customers. It received 87 billion cyber threats in 2018 alone. This means it deals with multiple incidents of cyber threats on a daily basis.
Credential Stuffing Mitigation
In conclusion, it is imperative for every company to implement strict procedures for credential stuffing mitigation. These methods include tougher password and login rules. You can require users to use a combination of words, characters, and symbols. This automatically reduces the incidence of password reuse across different accounts and platforms.
Several initiatives can prevent automated bot login attempts, and this kind of credential stuffing prevention helps even when users reuse passwords, because criminals use bots to try a username and password combination on different platforms once they find one. For instance, when they compromise Facebook accounts and obtain usernames and passwords, they may use an automated bot to try to log in to Gmail accounts. The bot automatically applies the same login information, which means it works against users who reused passwords and had not activated 2FA. Other methods of preventing automated logins include 2FA. Advanced monitoring of accounts and active blocking of bots and botnets is also an effective method. It uses AI technology to analyze the types of bots visiting a website and then blocks those found to be malicious.
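As an added example (not part of the original article), the following Python sketch shows one simple form of the account monitoring described above: it flags a source IP that tries many distinct usernames with a high failure rate inside a short window, and lists the accounts that IP did get into so they can be reset. The log format, thresholds, IP addresses and usernames are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)  # assumed look-back window
MIN_USERS = 5                  # assumed: distinct usernames tried by one IP
MIN_FAIL_RATIO = 0.8           # assumed: share of failed attempts in the window

def parse(line):
    """Parse 'ISO-timestamp ip username OK|FAIL' (constructed log format)."""
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user, result == "OK"

def detect_stuffing(lines):
    """Return {ip: [accounts it logged in to]} for IPs that look like stuffing."""
    by_ip = defaultdict(list)
    for line in lines:
        if line.strip():
            ts, ip, user, ok = parse(line)
            by_ip[ip].append((ts, user, ok))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e[0])
        start = 0
        for end in range(len(events)):
            # Shrink the window until it spans at most WINDOW.
            while events[end][0] - events[start][0] > WINDOW:
                start += 1
            window = events[start:end + 1]
            users = {u for _, u, _ in window}
            fail_ratio = sum(not ok for _, _, ok in window) / len(window)
            # Many accounts plus mostly failures: one user mistyping a
            # password never reaches MIN_USERS, a bot replaying a list does.
            if len(users) >= MIN_USERS and fail_ratio >= MIN_FAIL_RATIO:
                # Successful logins from this IP are likely reused passwords.
                flagged[ip] = sorted({u for _, u, ok in events if ok})
                break
    return flagged

# Constructed sample: one IP cycling through ten accounts (one hit, user7),
# and a legitimate user who mistypes a password twice.
SAMPLE = [f"2024-01-01T10:00:{i:02d} 203.0.113.7 user{i} "
          f"{'OK' if i == 7 else 'FAIL'}" for i in range(10)]
SAMPLE += [
    "2024-01-01T10:01:00 198.51.100.4 alice FAIL",
    "2024-01-01T10:01:20 198.51.100.4 alice FAIL",
    "2024-01-01T10:01:45 198.51.100.4 alice OK",
]

if __name__ == "__main__":
    print(detect_stuffing(SAMPLE))
```

Per-IP counting alone misses attacks spread across a botnet, so in practice the same grouping is also applied to other keys such as device fingerprint or network range.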