Eight years ago, there wasn’t even a term for the practice of testing consumers’ stolen credentials against multiple e-commerce sites to see if they’ll enable account takeovers (ATOs) and other forms of fraud. Now, the US consumer banking industry alone faces nearly $50 million per day in potential losses due to credential stuffing attacks, while online retail is experiencing losses of about $6 billion per year.
While these numbers are certainly disturbing, many readers will be asking themselves, “What does this mean for my company?” Our new Credential Stuffing Calculator can help answer that question.
Our calculator was developed based on the results of our recently released 2018 Credential Spill Report. This report includes comprehensive statistics on the sources, targets, internal workings and, most importantly for the calculator, financial consequences of credential stuffing.
The calculator provides an estimate of the financial risk for any company doing business with customers via a website or mobile APIs, based on the following variables:
- Total daily login attempts
- Percentage of logins that are credential stuffing attacks
- Percentage of those attacks that result in an ATO
- Percentage of ATOs that result in financial loss
- Average dollar loss per ATO
- Other costs per ATO. These may include fees, consultants, investigations, financial penalties and negative impact on the brand.
Automated for Convenience
Obviously, most companies that aren’t customers of Shape Security won’t know what numbers to enter in the calculator’s fields for variables 2 through 5. Even companies that have implemented IP blocks or “I am not a robot” technologies can’t be sure about these numbers, because today’s most sophisticated (and most successful) attackers use technology that can easily defeat traditional security measures.
For this reason, our Credential Stuffing Calculator automatically fills in these variables for the four most frequently attacked industry sectors: consumer banking, retail (e-commerce), airlines and hotel chains, based on industry data we’ve gathered and analyzed in the course of protecting literally billions of accounts. (Some users will probably be shocked at the percentage of logins in their industry that are both automated and hostile.)
In addition to the automatic fill-in feature, variables 2 through 5 can also be manually adjusted. This allows users to calculate upper and lower limits to the estimated risk, i.e., worst-case and best-case scenarios. It also enables users outside of the four target industries to enter values that seem appropriate.
Variable 6, Other costs per ATO, is a somewhat softer number, but these costs are often very high. For example, according to one study, a third of the companies that experienced a major data breach in 2016 lost 20 percent of their customers. Beyond damage to a brand’s reputation, there are fines, notification costs and remediation costs for IT systems that also come into play.
Evaluating the Result
The Credential Stuffing Calculator lets companies quantify their risk, based on statistical averages calculated from actual industry data, and gives them a ballpark number to help them decide how much they should consider spending to protect themselves (and their customers) against credential stuffing. The 2018 Credential Spill Report provides even more information to help companies understand the precise nature of the threat facing them.
Credential stuffing is a relatively new problem, and it’s serious. Understanding how it works and quantifying its consequences are critical steps for companies that want to fight back.
Try the Credential Stuffing Calculator now.