Okta’s global State of Secure Identity Report has found that credential stuffing is the top threat against customer accounts, outpacing legitimate login traffic in some countries. The report presents trends, examples and observations unearthed from the billions of authentications on Okta’s Auth0 platform.
Credential stuffing takes advantage of the practice of password reuse. It begins with a stolen username and password pair; threat actors then try those credentials across other common sites, using automated tooling to “stuff” credential pairs into login forms. When an account holder reuses the same (or a similar) password on multiple sites, a single stolen credential pair can be used to breach multiple applications in a domino effect.
Across all industries globally, Okta found there were almost 10 billion credential stuffing attempts in the first 90 days of 2022, which amounts to 34% of authentication traffic.
Retail is the top industry for credential stuffing with 80% of login attempts
Globally, retail customers are prime credential stuffing targets, as attackers seek loyalty points, limited-edition merchandise, or accounts to resell. While most industries experienced a credential stuffing rate below 10% of login events, the retail/eCommerce industry saw a rate of 80%. Financial services and entertainment also both saw credential stuffing account for more than 50% of login activity. By contrast, during the same period last year, no vertical experienced a credential stuffing rate above 50% (and only three exceeded even 20%).
In the UK and Germany, there is evidence of ongoing, low-level credential stuffing punctuated by larger-scale attacks. In the Netherlands, normal login activity accounts for the majority of activity (70%), and the share of login events attributable to malicious activity is the lowest of the geographies. Credential stuffing attacks in this market account for only 3% of login events, trailing even Multi-Factor Authentication (MFA) bypass attacks (5%).
Threat actors also targeting MFA systems
The first half of 2022 has seen a higher baseline of MFA bypass attempts than any previous year on the Auth0 platform, amounting to nearly 113 million events. One major MFA attack occurred in the lead-up to a holiday weekend in a few European countries and targeted exactly 50 phone numbers, each of which received over 100 SMS MFA codes between 31st January 2022 and 24th February 2022.
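The two patterns described above, credential stuffing (many distinct usernames tried from one source with a high failure rate) and SMS MFA code flooding against a small set of phone numbers, are what a detection engineer would look for in authentication logs. The following Python is an added example, not code from Okta, Auth0 or the report: it runs two sliding-window detectors over constructed events. The event fields, thresholds, IP addresses and phone numbers are assumptions chosen for illustration.

```python
"""Credential-stuffing and SMS MFA-flood detection over authentication events.

Added example with constructed data; not Okta/Auth0 code or real traffic.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class AuthEvent:
    ts: datetime
    kind: str        # assumed values: "login_fail", "login_ok", "mfa_sms_sent"
    src_ip: str
    user: str
    phone: str = ""  # only set for mfa_sms_sent


def _sample_events():
    """Constructed sample log: one stuffing source, one NAT, one fat-fingered user, one SMS flood."""
    base = datetime(2022, 2, 1, 9, 0, 0)
    ev = []
    # Stuffing source: 30 distinct usernames in 5 minutes, 28 failures and 2 hits (reused passwords).
    for i in range(30):
        kind = "login_ok" if i in (7, 19) else "login_fail"
        ev.append(AuthEvent(base + timedelta(seconds=10 * i), kind, "198.51.100.7", f"user{i:03d}@example.com"))
    # Corporate NAT: 25 distinct users, almost all succeed. Must NOT be flagged.
    for i in range(25):
        kind = "login_fail" if i == 3 else "login_ok"
        ev.append(AuthEvent(base + timedelta(seconds=15 * i), kind, "192.0.2.9", f"staff{i:02d}@example.com"))
    # One user mistyping a password: many failures, but a single username. Must NOT be flagged.
    for i in range(6):
        ev.append(AuthEvent(base + timedelta(seconds=30 * i), "login_fail", "203.0.113.5", "alice@example.com"))
    # SMS MFA: one number receives 120 codes in 16 hours, another receives 2.
    for i in range(120):
        ev.append(AuthEvent(base + timedelta(minutes=8 * i), "mfa_sms_sent", "198.51.100.20", "bob@example.com", "+447700900001"))
    for i in range(2):
        ev.append(AuthEvent(base + timedelta(hours=3 * i), "mfa_sms_sent", "203.0.113.8", "carol@example.com", "+447700900002"))
    return ev


def detect_credential_stuffing(events, window=timedelta(minutes=10), min_users=20, min_fail_ratio=0.75):
    """Flag source IPs that, within any sliding window, try at least min_users distinct
    usernames with a failure ratio of at least min_fail_ratio.
    Returns {ip: (distinct_users, fail_ratio)} for the widest offending window per IP.
    The distinct-user requirement is what separates stuffing from a NAT or a single user
    retrying a forgotten password."""
    by_ip = defaultdict(list)
    for e in events:
        if e.kind in ("login_fail", "login_ok"):
            by_ip[e.src_ip].append(e)
    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e.ts)
        start = 0
        for end in range(len(evs)):
            while evs[end].ts - evs[start].ts > window:  # slide the window start forward
                start += 1
            chunk = evs[start:end + 1]
            users = {e.user for e in chunk}
            fails = sum(1 for e in chunk if e.kind == "login_fail")
            ratio = fails / len(chunk)
            if len(users) >= min_users and ratio >= min_fail_ratio:
                prev = flagged.get(ip)
                if prev is None or len(users) > prev[0]:
                    flagged[ip] = (len(users), round(ratio, 2))
    return flagged


def detect_mfa_sms_flood(events, window=timedelta(hours=24), max_codes=10):
    """Flag phone numbers that receive more than max_codes SMS MFA codes within any
    sliding window. Returns {phone: peak_count}."""
    by_phone = defaultdict(list)
    for e in events:
        if e.kind == "mfa_sms_sent" and e.phone:
            by_phone[e.phone].append(e.ts)
    flagged = {}
    for phone, times in by_phone.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count > max_codes and count > flagged.get(phone, 0):
                flagged[phone] = count
    return flagged


if __name__ == "__main__":
    evs = _sample_events()
    print("credential stuffing:", detect_credential_stuffing(evs))
    print("sms mfa flood:", detect_mfa_sms_flood(evs))
```

The thresholds are starting points, not recommendations: a tenant with a large shared egress IP needs a higher `min_users`, and the failure-ratio condition matters because stuffing sources still see a few successes whenever a reused password hits. For the SMS case, the report's figure of over 100 codes per number in a few weeks is well beyond any legitimate rate, so a per-number cap that both alerts and throttles is the usual response.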
Threat actors are focusing their attacks on four key verticals globally:
- Staffing/Recruiting (4.5%, up from 1.6% a year ago)
- Public Sector (4%, up from 2.8%)
- Retail/eCommerce (3.7%, up from 2.8%)
- Financial Services (3.9%, up from 2.9%)
Fraudulent registrations and bot manipulation continue to surge
The share of fraudulent registrations varies by industry vertical. Globally, nearly a quarter of all attempts to register a new account can be attributed to bots, up from 15% in 2021. Energy and utilities companies and financial services companies experienced the highest proportion of signup attacks, with such threats accounting for 64.8% and 72.5% of registration attempts respectively. Bots are responsible for more than one-third (37.4%) of attempts to register a new account with a media brand.
“It’s critical that we raise awareness of rising threats to customer identity, such as credential stuffing, signup and MFA bypass attacks, and the techniques that can be layered to build reliable defences,” comments Joe Diamond, VP of Product Strategy, EMEA at Okta. “Regardless of industry, we are only seeing these risks increase, making an identity-centric approach to cybersecurity crucial to protecting data. Customer Identity Access Management (CIAM) exists at the vanguard of identity security and customer experience. Good CIAM should ensure that consumers are who they say they are, evaluate behavioural patterns, and increase friction when there’s high risk – protecting both the business and the user, and optimising their experience.”
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.