Recently, you may have heard about a company that experienced a data breach, and because you didn't patronize this company, you presumably breathed a sigh of relief.
But don't get too comfortable: chances are your data will be compromised in the next breach, or the one after that. When there's a big data breach, we all lose. It's not just the consumers whose personal information was hijacked. It's not just the victimized organization that has to deal with damage control and the legal and reputational aftermath.
Everyone loses. And we’ll keep on losing until we break the breach cycle.
Sadly, a healthy chunk of that stolen data, which often includes names, email addresses, phone numbers, usernames and passwords, is destined for the dark web. There it is bought and sold like pork bellies on the Chicago Mercantile Exchange, then weaponized by cybercriminals for large-scale account takeovers.
But there's also some good news on the horizon: new methods of biometric-based identity proofing and authentication, with embedded certified liveness detection, can help ameliorate the impact of these data breaches. Let's start, though, by examining how cybercriminals exploit the data stolen in these breaches.
Pass the Credential Stuffing, Please
When it comes to data breaches, we all should be concerned. Today, cybercriminals can combine big data, high-throughput tooling and bot-based automation to break into our online accounts. The technique used to perform account takeovers en masse is called credential stuffing: an attack in which stolen credentials, typically lists of usernames and/or email addresses with their corresponding passwords, are replayed against a web application's login endpoint in large-scale automated requests to gain unauthorized access to user accounts. Unlike a brute-force attack, which hammers one account with many password guesses, credential stuffing tries each stolen pair roughly once across a huge number of accounts, which is why simple per-account lockouts do little to stop it.
Digital security company Akamai recorded nearly 30 billion credential stuffing attempts in 2018. Each one represented an attempt by a person or program to log in to an account with a stolen or generated username and password. The vast majority were performed by botnets or all-in-one applications. If you're like the majority of users out there, you probably reuse the same password across a variety of websites, which means you're even more exposed.
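The traffic pattern described above, many distinct usernames from one source with almost every attempt failing, is what a defender looks for in authentication logs. The following Python script is an added example, not code from the original article or from Akamai; it runs a simple sliding-window detector over a constructed sample log (the IP addresses, usernames and log format are all made up for illustration) and separates credential stuffing from a classic single-account brute force.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not real traffic). One line per
# login attempt: "<ISO-8601 timestamp> <client IP> <username> <OK|FAIL>".
SAMPLE_LOG = """\
2019-03-01T10:00:00Z 203.0.113.7 alice@example.com FAIL
2019-03-01T10:00:00Z 203.0.113.7 bob@example.com FAIL
2019-03-01T10:00:01Z 203.0.113.7 carol@example.com FAIL
2019-03-01T10:00:01Z 203.0.113.7 dave@example.com OK
2019-03-01T10:00:02Z 203.0.113.7 erin@example.com FAIL
2019-03-01T10:00:02Z 203.0.113.7 frank@example.com FAIL
2019-03-01T10:00:03Z 203.0.113.7 grace@example.com FAIL
2019-03-01T10:00:03Z 203.0.113.7 heidi@example.com FAIL
2019-03-01T10:00:04Z 203.0.113.7 ivan@example.com FAIL
2019-03-01T10:00:04Z 203.0.113.7 judy@example.com FAIL
2019-03-01T10:00:05Z 198.51.100.4 alice@example.com FAIL
2019-03-01T10:00:06Z 198.51.100.4 alice@example.com FAIL
2019-03-01T10:00:07Z 198.51.100.4 alice@example.com FAIL
2019-03-01T10:00:08Z 198.51.100.4 alice@example.com FAIL
2019-03-01T10:00:09Z 198.51.100.4 alice@example.com FAIL
2019-03-01T10:00:10Z 198.51.100.4 alice@example.com FAIL
2019-03-01T10:00:11Z 198.51.100.4 alice@example.com FAIL
2019-03-01T10:00:12Z 198.51.100.4 alice@example.com FAIL
2019-03-01T10:05:00Z 192.0.2.9 mallory@example.com FAIL
2019-03-01T10:05:20Z 192.0.2.9 mallory@example.com OK
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (OK|FAIL)$")


def parse_log(text):
    """Yield (timestamp, ip, user, succeeded) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore lines that don't match the assumed format
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        yield ts, m.group(2), m.group(3), m.group(4) == "OK"


def classify_sources(text, window=timedelta(minutes=5), min_attempts=8,
                     min_distinct_users=8, max_success_rate=0.2):
    """Label each source IP by its densest window of login attempts.

    credential_stuffing: many distinct accounts, almost all failing
    brute_force:         one or two accounts, many failures
    normal:              too few attempts to judge, or a healthy success rate
    Thresholds are illustrative assumptions, not values from the article.
    """
    by_ip = defaultdict(list)
    for ts, ip, user, ok in parse_log(text):
        by_ip[ip].append((ts, user, ok))

    findings = {}
    for ip, events in by_ip.items():
        events.sort()
        best, start = [], 0
        for end in range(len(events)):          # sliding window over time
            while events[end][0] - events[start][0] > window:
                start += 1
            if end - start + 1 > len(best):
                best = events[start:end + 1]

        attempts = len(best)
        users = {u for _, u, _ in best}
        successes = [u for _, u, ok in best if ok]
        rate = len(successes) / attempts
        if attempts < min_attempts:
            label = "normal"
        elif len(users) >= min_distinct_users and rate <= max_success_rate:
            label = "credential_stuffing"
        elif len(users) <= 2 and rate <= max_success_rate:
            label = "brute_force"
        else:
            label = "normal"
        findings[ip] = {"label": label, "attempts": attempts,
                        "distinct_users": len(users), "successes": successes}
    return findings


def compromised_accounts(findings):
    """Accounts that logged in successfully from a stuffing-flagged source."""
    return sorted(u for f in findings.values()
                  if f["label"] == "credential_stuffing" for u in f["successes"])


if __name__ == "__main__":
    result = classify_sources(SAMPLE_LOG)
    for ip, f in result.items():
        print(ip, f)
    print("force password reset for:", compromised_accounts(result))
```

Note that 203.0.113.7 is flagged even though it succeeded only once in ten tries; that single hit is the account to reset and investigate. Since the article's own numbers show most stuffing runs come from botnets, a real deployment should not rely on per-IP counts alone, because a botnet can keep each address under any threshold you pick; the same statistics aggregated per network block, per user agent or per target account are the usual next step.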
Unfortunately, because of the frequency and scale of recent data breaches, combined with the speed and reach of botnets, there’s a general consensus that the worst is yet to come.
Statistically speaking, credential stuffing has a very low success rate. Many estimates put it at about 0.1%, meaning that for every thousand stolen credential pairs an attacker tries against a site, roughly one will still work there, because that user reused the same password.
But before you dismiss this as an inconsequential threat, consider how large a pool these cybercriminals are drawing from. Back in February, TechCrunch reported that a batch of 127 million records stolen from eight companies was available on the dark web market Dream Market. The asking price? $14,500 (naturally payable in bitcoin), which works out to about 11 cents per 1,000 records. The sheer volume of the credential collections being traded makes credential stuffing worth it, in spite of the low success rate.
So if an attacker purchased those 127 million records, their bots would probably yield around 127,000 compromised accounts. Once inside, cybercriminals mine these legitimate accounts for profitable data, often credit card numbers or sensitive information that can be used in phishing attacks. The attacker is also likely to target the same user's other online accounts (banking, social media, email), since passwords are often recycled across multiple websites and online services.
That’s where the real sting of a data breach occurs — it’s the downstream damage that happens when a cybercriminal hacks into legitimate accounts. And what facilitates all this damage is our collective reliance on the simple password.