Companies are losing an average of $4 million due to credential stuffing attacks each year, according to new research commissioned by Akamai, the intelligent edge platform for delivering and securing web experiences.

Credential stuffing plays on the likelihood that individuals will use the same username and password across multiple applications, sites and services.

Cybercriminals take stolen account details from one platform and deploy bots to log into vast numbers of others using the same credentials. Once they have gained entry, criminals will abuse an account until its owners become aware, often making fraudulent purchases or stealing confidential information.
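The pattern just described is visible to a defender in authentication logs: one source cycling through many different usernames in a short span, with mostly failures and the occasional hit. The following is an added example, not code or data from the Akamai/Ponemon research; the log format, addresses and thresholds are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data): "<ISO timestamp> <src_ip> <username> <result>".
# 203.0.113.7 cycles through six different accounts in four seconds with one hit,
# the profile of a bot replaying a leaked credential list; 198.51.100.2 is one
# user retyping their own password, which must not be flagged.
SAMPLE_LOG = """\
2023-05-01T10:00:01 203.0.113.7 alice FAIL
2023-05-01T10:00:02 203.0.113.7 bob FAIL
2023-05-01T10:00:02 203.0.113.7 carol FAIL
2023-05-01T10:00:03 203.0.113.7 dave OK
2023-05-01T10:00:03 203.0.113.7 erin FAIL
2023-05-01T10:00:04 203.0.113.7 frank FAIL
2023-05-01T10:00:05 198.51.100.2 alice FAIL
2023-05-01T10:00:09 198.51.100.2 alice FAIL
2023-05-01T10:00:20 198.51.100.2 alice OK
"""


def parse(log_text):
    """Yield (timestamp, src_ip, username, success) from the raw log text."""
    for line in log_text.splitlines():
        ts, ip, user, result = line.split()
        yield datetime.fromisoformat(ts), ip, user, result == "OK"


def find_stuffing_sources(events, window=timedelta(minutes=5),
                          min_users=5, max_success_ratio=0.3):
    """Return {src_ip: (distinct_users, attempts, successes)} for sources that,
    within any sliding window, try at least min_users distinct accounts with a
    success ratio at or below max_success_ratio. Thresholds are illustrative."""
    per_ip = defaultdict(list)
    for ts, ip, user, ok in sorted(events):
        per_ip[ip].append((ts, user, ok))

    flagged = {}
    for ip, evs in per_ip.items():
        start = 0
        for end in range(len(evs)):
            # Advance the window start until the span fits inside `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            span = evs[start:end + 1]
            users = {user for _, user, _ in span}
            successes = sum(ok for _, _, ok in span)
            if len(users) >= min_users and successes / len(span) <= max_success_ratio:
                flagged[ip] = (len(users), len(span), successes)
    return flagged
```

Running `find_stuffing_sources(parse(SAMPLE_LOG))` flags 203.0.113.7 as `(6, 6, 1)` and leaves 198.51.100.2 alone, even though both sources produced failed logins.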

The research, carried out by Ponemon Institute, identified that the volume and severity of credential stuffing is increasing, with companies now experiencing an average of 11 credential stuffing attacks every month.

Jay Coley, Senior Director of Security Planning and Strategy at Akamai Technologies said: “We’re used to the idea that lists of stolen user IDs and passwords are being spilled across the dark web.

“But the continued rise in credential stuffing attacks shows that the danger is almost unlimited. Cybercriminals are increasingly using botnets to validate those lists against other organisations’ login pages, widening the impact of a hack.”

Managing credential complexity

Most organisations have a complex credential abuse attack surface. In fact, the research revealed that companies have an average of 26.5 customer-facing websites in production, providing a high number of entry points for bots to break in. This is further complicated by the need for companies to provide login access for different types of clients, including customers on a desktop or laptop (87%), mobile web browsers (65%), third parties (40%) and mobile app users (36%).

Coley continued: “Modern websites are sprawling entities that can comprise hundreds or thousands of web pages and support many different types of clients and traffic. Companies understanding their website architecture and how clients flow from different pages to their login endpoints is essential to successfully mitigating credential stuffing — and keeping costs under control.”

Identifying the imposters

Organisations are struggling to identify the imposters, with the majority (88%) of respondents agreeing it is difficult to tell real employees and customers from criminal intruders.

Coley added: “Companies need bot management tools to monitor their behaviours and distinguish bots from genuine log-in attempts. Instead of standard log-in systems which just check whether a username and password match, they need to look at key-press patterns, mouse movements and even the orientation of a mobile device.

“With the potential cost running into the millions, the urgency to identify and put the brakes on these bots has never been greater.”