Credential stuffing – the automated attempt to gain unauthorised access to user accounts with stolen user names and passwords – is becoming increasingly prevalent and it’s already having a significant impact on large enterprises.
As Marriott International, Cathay Pacific, Yahoo and Equifax can testify following their own recent data breaches, the threat to large enterprises only continues to grow.
Akamai alone detected 28 billion credential stuffing attempts between May and December last year.
Credential stuffing and the threat to large enterprise
Hackers use web automation tools to mount large-scale attacks on an enterprise with stolen passwords, typically obtained from a previous data breach and readily available on the dark web. Credential stuffing is increasingly effective because so many people reuse the same password across multiple accounts and service providers, so a password leaked from one site can simply be replayed against another.
Of course, all employees are also consumers and so a compromised consumer account can often become a compromised employee account – as many people use the same passwords across personal and work accounts.
For large enterprises the attack surface exposed to credential stuffing is broad, both because of the sheer number of employees who can be compromised and because large enterprises are a lucrative target for hackers.
IBM research from 2017 calculates the average cost of a data breach to an enterprise at more than $6m – a figure that will be significantly greater for large enterprises. Shape Security estimates the US consumer banking sector alone is facing losses of $50m per day due to credential stuffing.
Another concerning trend for CISOs and CTOs of large organisations is that once access is gained, hackers are careful to maintain a low profile and so are able to go undetected for long periods. Independent research has shown that on average it takes 15 months for businesses to discover a data breach due to a compromised account.
The time to act is now
As the threat of data breach through credential stuffing intensifies, it is imperative that large organisations act now to safeguard their data.
The threat of credential stuffing compromising workforce identities is very real, and it is already leading to data breaches for large enterprises in the US, Europe, Asia and the Middle East.
The challenge, as Info Security’s Phil Muncaster reports, is for large enterprises to increase security but to achieve it in a frictionless way that doesn’t result in slow, frustrating user access.
A proven way to minimise the threat of credential stuffing is for organisations to adopt multi-factor authentication (MFA).
MFA means a user needs the correct device (such as a smart card, USB token or smartphone) as well as a PIN or biometric (such as a fingerprint or face ID) to access their account; unless both factors are presented the account remains inaccessible. Once set up, MFA offers a seamless and secure method for employees to access their workforce accounts, and one that takes a compromised password on its own out of the equation: a stolen user name and password pair cannot be replayed without the registered device.
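To make the contrast concrete, here is an added example in Python, written for this page and not taken from Intercede or MyID: a leaked user name and password replayed by an automation tool succeeds against a password-only login, but fails once the same login also demands a response from a registered, PIN-protected device. The user name, password, PIN and the device model are constructed assumptions; the device is simplified to a symmetric HMAC key shared with the server at enrolment, where a real smart card or USB token would hold a private key and the server only its public key.

```python
"""Added example (not from the original page or Intercede/MyID): a replayed
breach password beats a password-only login but not possession-factor MFA.
Device = PIN-protected token holding an HMAC key (symmetric simplification;
a real smart card or USB token holds an asymmetric private key)."""
import hashlib
import hmac
import os
import secrets
from typing import Dict, Optional, Tuple


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """PBKDF2-HMAC-SHA256 with a random salt; returns (salt, digest)."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


class Token:
    """Possession factor: the key never leaves the device, and the device
    refuses to answer a challenge unless the correct PIN is presented."""

    def __init__(self, pin: str):
        self._key = secrets.token_bytes(32)
        self._pin_hash = hashlib.sha256(pin.encode()).digest()

    def enrolment_key(self) -> bytes:
        return self._key  # server stores a copy at enrolment (symmetric model)

    def sign_challenge(self, challenge: bytes, pin: str) -> Optional[bytes]:
        if not hmac.compare_digest(self._pin_hash, hashlib.sha256(pin.encode()).digest()):
            return None  # wrong PIN: the device gives no response at all
        return hmac.new(self._key, challenge, "sha256").digest()


class AuthServer:
    def __init__(self):
        self._passwords: Dict[str, Tuple[bytes, bytes]] = {}
        self._device_keys: Dict[str, bytes] = {}
        self._pending: Dict[str, bytes] = {}  # outstanding one-time challenges

    def enrol(self, username: str, password: str, token: Token) -> None:
        self._passwords[username] = hash_password(password)
        self._device_keys[username] = token.enrolment_key()

    def _password_ok(self, username: str, password: str) -> bool:
        record = self._passwords.get(username)
        if record is None:
            hash_password(password)  # spend the same time for unknown users
            return False
        salt, digest = record
        return hmac.compare_digest(digest, hash_password(password, salt)[1])

    def login_password_only(self, username: str, password: str) -> bool:
        """The check a credential-stuffing tool is built to replay against."""
        return self._password_ok(username, password)

    def start_mfa_login(self, username: str) -> bytes:
        """Issue a fresh challenge; finish_mfa_login consumes it."""
        self._pending[username] = os.urandom(32)
        return self._pending[username]

    def finish_mfa_login(self, username: str, password: str, response: Optional[bytes]) -> bool:
        """Both factors are judged together and one verdict is returned, so a
        caller holding a correct password is not told that it is correct."""
        challenge = self._pending.pop(username, None)  # single use: no replay
        key = self._device_keys.get(username)
        password_ok = self._password_ok(username, password)
        if challenge is None or key is None or response is None:
            return False
        expected = hmac.new(key, challenge, "sha256").digest()
        return password_ok and hmac.compare_digest(expected, response)


def demo() -> Tuple[bool, bool, bool, bool, bool]:
    server = AuthServer()
    token = Token(pin="4711")                    # constructed PIN
    server.enrol("alice", "Summer2019!", token)  # constructed credentials

    # 1. Stuffing tool replays the leaked pair against a password-only login.
    stuffed = server.login_password_only("alice", "Summer2019!")
    # 2. Legitimate user: right password, registered token, right PIN.
    ch = server.start_mfa_login("alice")
    legit_response = token.sign_challenge(ch, "4711")
    legit = server.finish_mfa_login("alice", "Summer2019!", legit_response)
    # 3. Same leaked password but no token: the response can only be guessed.
    server.start_mfa_login("alice")
    stuffed_mfa = server.finish_mfa_login("alice", "Summer2019!", os.urandom(32))
    # 4. Token present but wrong PIN: the device returns nothing.
    ch = server.start_mfa_login("alice")
    wrong_pin = server.finish_mfa_login("alice", "Summer2019!", token.sign_challenge(ch, "0000"))
    # 5. A captured legitimate response replayed later: challenge already spent.
    replayed = server.finish_mfa_login("alice", "Summer2019!", legit_response)
    return stuffed, legit, stuffed_mfa, wrong_pin, replayed


if __name__ == "__main__":
    print(demo())  # (True, True, False, False, False)
```

Two design choices matter here beyond the basic second factor: the server only answers once both factors have been evaluated, so a stuffing tool that happens to hold a valid password is never told so; and each challenge is consumed on first use, so a response captured from a real session cannot be replayed later.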
For large enterprises concerned about the cost or complexity of building an MFA solution for their workforce, we would recommend engaging with a specialist to fully understand what is required for your organisation.
At Intercede we engage with large enterprises and governments at different stages of digital identity maturity and levels of complexity due to the flexibility of our MyID® credential management system (CMS).
MyID makes integration of multiple hardware and software components far simpler for organisations looking to utilise existing infrastructure as part of a digital identity solution. Additionally, MyID software makes the ongoing management of credentials simple for IT teams and MFA seamless for end users.
Interested in finding out more about MyID CMS for workforce digital identity? Contact us now to discuss your requirements further using the form below.