Shape Security Blog

Highlighting breaking news, events, and analyst commentary on cyber security from around the world

How Much Does Credential Stuffing Cost Your Business?

Eight years ago, there wasn’t even a term for the practice of testing consumers’ stolen credentials against multiple e-commerce sites to see if they’ll enable account takeovers (ATOs) and other forms of fraud. Now, the US consumer banking industry alone faces nearly $50 million per day in potential losses due to credential stuffing attacks, while online retail is experiencing losses of about $6 billion per year.

While these numbers are certainly disturbing, many readers will be asking themselves, “What does this mean for my company?” Our new Credential Stuffing Calculator can help answer that question.

Our calculator was developed based on the results of our recently released 2018 Credential Spill Report. This report includes comprehensive statistics on the sources, targets, internal workings and, most importantly for the calculator, financial consequences of credential stuffing.

The calculator provides an estimate of the financial risk for any company doing business with customers via a website or mobile APIs, based on the following variables:

  1. Total daily login attempts
  2. Percentage of logins that are credential stuffing attacks
  3. Percentage of those attacks that result in an ATO
  4. Percentage of ATOs that result in financial loss
  5. Average dollar loss per ATO
  6. Other costs per ATO. These may include fees, consultants, investigations, financial penalties and negative impact on the brand.

Automated for Convenience

Obviously, most companies that aren’t customers of Shape Security won’t know what numbers to enter in the calculator’s fields for variables 2 through 5. Even companies that have implemented IP blocks or other “I am not a robot” technologies can’t be sure about these numbers because today’s most sophisticated (and most successful) attackers use technology that can easily defeat traditional security measures.

For this reason, our Credential Stuffing Calculator automatically fills in these variables for the four most frequently attacked industry sectors: consumer banking, retail (e-commerce), airlines and hotel chains, based on industry data we’ve gathered and analyzed in the course of protecting literally billions of accounts. (Some users will probably be shocked at the percentage of logins in their industry that are both automated and hostile.)

In addition to the automatic fill-in feature, variables 2 through 5 can also be manually adjusted. This allows users to calculate upper and lower limits to the estimated risk, i.e., worst-case and best-case scenarios. It also enables users outside of the four target industries to enter values that seem appropriate.

Variable 6, Other costs per ATO, is a somewhat softer number, but these costs are often very high. For example, according to one study, a third of the companies that experienced a major data breach in 2016 lost 20 percent of their customers. Beyond damage to a brand’s reputation, there are fines, notification costs and remediation costs for IT systems that also come into play.

Evaluating the Result

The Credential Stuffing Calculator lets companies quantify their risk, based on statistical averages calculated from actual industry data, and gives them a ballpark number to help them decide how much they should consider spending to protect themselves (and their customers) against credential stuffing. The 2018 Credential Spill Report provides even more information to help companies understand the precise nature of the threat facing them.

Credential stuffing is a relatively new problem, and it’s serious. Understanding how it works and quantifying its consequences are critical steps for companies that want to fight back.

Try the Credential Stuffing Calculator now.

Author: Shape Security

Shape Security defends Global 2000 corporations from increasingly sophisticated automated cyber-attacks, including large-scale account takeover, credential stuffing, content scraping and content aggregation attacks on web and mobile applications. Shape has deflected over $1B in fraud losses for major retailers, financial institutions, airlines, and government agencies. Shape Security is headquartered in Silicon Valley and backed by Kleiner Perkins Caufield & Byers, Norwest Venture Partners, Venrock, Baseline Ventures, Google Ventures, and other prominent investors. Read our blog to get insights.

Posted on: August 21, 2018 / December 21, 2018

Categories: Credential Stuffing, Threat Lab

Tags: account takeover, automated attacks, credential stuffing
