Australia’s top companies should consider website and network penetration testing to find out how exposed they are to credential stuffing, after cybersecurity reports found that most of them are unable to detect this kind of attack.
Credential stuffing happens when attackers take usernames and passwords leaked in one breach and replay them, usually with automated tools, against the log-in pages of other websites, relying on people reusing the same password across accounts. Based on an analysis of the 250 most popular websites, around 86% could not distinguish a bot attack from a real person logging in. The researchers loaded each site’s log-in page with a regular browser, with scripts built on curl or Node.js, and with the browser-automation tool Selenium, to see whether the site responded any differently to the automated sessions.
An Emerging Cybersecurity Threat
Most of the vulnerable sites belong to the airline, financial, property and online retail sectors. In fact, almost 30 billion credential stuffing attempts were recorded worldwide in 2018. Australia landed among the most at-risk countries, with only the United States, India, Canada and Germany ranking as more exposed.
Cybersecurity experts believe credential abuse attacks have become popular in recent years because the attackers are harder to identify and the return on investment is significant. Inside a company, simple measures go a long way: require employees to use a unique password for each system rather than reusing one across accounts, so that a leak elsewhere does not unlock the corporate network, and, as many organisations still do, have them update those credentials every few months. Note, however, that current NIST guidance (SP 800-63B) no longer recommends scheduled password rotation; it prefers screening new passwords against lists of known-breached passwords and requiring a change only when there is evidence of compromise.
Similar preventive measures are harder to impose on a consumer-facing website. Companies can encourage customers to use a unique password for every account, but many people still reuse the same username and password everywhere, which is exactly what credential stuffing exploits. The controls that remain in the site’s own hands are therefore the ones that do not depend on user behaviour: rate limiting and bot detection on the log-in endpoint, checking submitted passwords against known-breach lists, and offering multi-factor authentication.
Whether or not your website caters to consumers, defending against credential stuffing matters for your reputation and brand integrity. A recent example is the data breach that hit an online tax service in February. The company attributed the compromise of some customer data to credential stuffing, meaning the passwords had been stolen elsewhere and reused, but public feedback remained negative all the same.
Most people are still not well versed in how information security works, and they often pass that responsibility on to the brand, product or service provider. Your business could take a hit once clients associate your brand with a weak cybersecurity strategy.
Hence, preventive measures are the best option. If you can’t afford an in-house IT security team, consider outsourcing to a reputable third party. Software-as-a-service and managed IT services are options especially suited to small businesses that only need certain capabilities occasionally. You can then complement this by raising basic cybersecurity awareness among your clients.
Credential stuffing affects every industry, since attackers will pounce on any opportunity, although the music and digital entertainment sectors are at higher risk. Even with an up-to-date cybersecurity strategy, it is better to find your weaknesses yourself through ethical network and web application penetration testing, including testing whether your log-in endpoints actually block automated attempts. This shows you the problem areas in your website, which matters most for a customer service-oriented business.