Make no mistake, criminals are unrelenting in trying to get to sensitive data. In the eight months from November through June, more than 30 billion malicious login attempts were tracked by Akamai Technologies, a Web-services company, in its 2018 State of the Internet report released Wednesday.
In May and June alone, there were 8.3 billion malicious login attempts by bots, which are software designed to run repeated code on their own. They can pull data from a database, in this instance containing millions of valid passwords and usernames, and attempt to get into a consumer online account, without much operator action.
The move, labeled credential stuffing, not only can overwhelm the bandwidth of a site, but tax its security processes as well. “It’s the ability for criminals to obtain a list of user names and passwords and to use a botnet to attack a financial institution with an automated army of bots,” Rich Bolstridge, Akamai chief strategist, tells Digital Transactions News. “They are programmed to repeatedly go through the user names and passwords and look for legitimate accounts they can compromise.” Sometimes the pace of attacks is fast, and in other instances it may be slow, in an attempt to blend in with legitimate actions.
How much of problem is credential stuffing? In the May through June period, 2.82 billion credential-stuffing attacks originated in the United States, followed by 1.55 billion in Russia.
In one example, Akamai recounted a large financial-services company’s experience with more than 8,000 account takeovers per month that came from credential stuffing and that caused more than $100,000 per day in direct fraud-related losses.
There’s a reason the attack is popular, Bolstridge says. “You have to look at the motivation of the criminals,” he says. “What is the return on the investment for criminals to take an action like this?”
Often, it’s sizable, especially because there’s so much consumer data available on the dark Web, and bots are affordable. There is also an underground commerce channel for buying or renting bots, he says. “It’s almost like a gamification of these botnets,” Bolstridge says, referring to the notion of adding game elements like competition and achievement. “So people who don’t have very high technical skills can use them and conduct attacks.”
What compounds the challenge of countering credential stuffing is the need to strike a balance between security and the user experience, he says. “It certainly is possible to make things more secure,” he says, “but at the same time degrade the user experience.”
Consumers are habituated to user names and passwords and requiring more secure protocols could disrupt this habit, observers suggest.
“Certainly, compromises of payment systems are real,” Bolstridge says. “Institutions need to understand there are new challenges. They have to look for and get intelligence and get visibility into this bot problem.”