Brief

The 2018 Credential Spill Report

In the 2018 Credential Spill Report, Shape Security details how criminalsweaponized 2.3 billion stolen credentials, profiting to the tune of hundredsof millions of dollars from account takeovers (ATO), stolen miles and lostopportunities.

We correlate the attacks with our own data from the 1.6 billion onlineaccounts we protect from credential stuffing on behalf of our customers,among whom are 60% of airlines, 40% of hotels, and 40% of consumerbanking in the US.

Bypassing common countermeasures

One truth that comes through from the data and our experience is that attackers will always retool after a mitigation. We’ve seen attackers bypassing:

  • CAPTCHA3, reCAPTCHA, and No CAPTCHA
  • SMS-based 2-Factor Authentication
  • IP-based rate limiting, WAFs and CDNs

Attackers react to friction-inducing 2FA by credential-stuffing the login pages of the telco’s, breaking into the accounts, and getting 2FA codes there. Their success rate is as high as 19%!

The Credential Spill Report offers detailed breakdowns among four industries: financial, hospitality, retail and travel. For example, the graph above shows a large-scale credential stuffing attack against aTop 3 Hotel that took place over 16+ hours. The attack attempted to takeover guest accounts in order to steal loyalty points. Human traffic is in green (1000 requests/min). Automated traffic is in red and was blocked by Shape (15,000 requests per minute).

Exploitation of the Aggregators

Financial aggregators like Intuit’s Mint, Yodlee and Plaid allow users to have a consolidated view of their finances. But this broad coverage of user accounts gives a ‘one-stop shop’ for credential validation. Even worse, often aggregators are white-listed into bank APIs, delivering attackers right through defenses.

Who should read the Shape report?

Retailers. Hoteliers. Bankers. Airline execs. Ticket sellers. Gift cardoperators. Fraud managers and risk compliance officers.IT security directors. Anyone running a website where amedium-to-high value asset is on point, on display, or on sale.Download the report today, and see why so many press articlesreference the 2018 Shape Credential Spill report.

Stay Informed

Get all the latest news about Shape Security directly sent to your inbox.

Register Now