Stolen Identities – Tackling the Bot Problem

In today’s hyper-connected world, an average internet user has 25-30 online accounts but uses only five passwords for all of them. The credentials which are replicated across websites put users as well as online businesses at the risk of credential abuse attacks.

Hackers and fraudsters acquire large sets of credentials exposed during data breaches. Because credential re-use is common, those credentials let them perform account takeovers. They assume control of the account as if they were the actual owner and are able to commit fraud, or steal, alter and destroy data.

Credential abuse is a looming threat faced by almost every online business today, and its most common form is credential stuffing. In credential stuffing, hackers systematically use bots to try stolen login information across the web, producing large volumes of malicious login attempts. These bots target the login pages of banks and retailers on the premise that many customers use the same login details for multiple accounts. From the beginning of November 2017 through the end of June 2018, more than 30 billion malicious login attempts were detected. The real danger of bots lies not in how effective they are against a single target but in how much of an impact they can have on the larger ecosystem.

One prime example from the Akamai 2018 State of the Internet / Security Credential Stuffing Attacks² report illustrates an attack identified at a credit union earlier this year. This financial institution saw an increase in malicious login attempts, which ultimately revealed a trio of bots targeting its site. Extrapolating this example to India, which according to the report is third on the list of target countries for credential stuffing attacks², it is very important to pay attention to the growing digital payments space in the country, which is set to become a trillion-dollar market by 2023[1]. Be it the use of digital payments or bringing account sign-up services online, the leaders are clearly the ones that are enriching the online user experience with technology alongside agile operating models. With more users and devices coming online every day, usability and security are in a constant stalemate, and balancing them is a major challenge. However, fintech is not the only industry that faces bot-related issues. India's e-commerce market, which is set to grow three times to exceed 100 billion USD by 2022[2], also indicates the potential increase in the available online attack surface. E-retailers witness fraud in the form of fake bookings, price scraping and cart abandonment, amongst others. Festive season online sales are generally a very lucrative target for such bot attacks.

The lack of visibility into such malicious traffic is one of the key reasons businesses suffer. There is a need to safeguard digital assets in all these cases. This is coupled with the evolving internet hygiene in the country. As stated in the beginning, most internet users are still not paying enough attention to changing their online passwords in a timely and orderly fashion. The changing nature of attacks is a point of concern not only for businesses but also for institutions like the Reserve Bank of India (RBI). The central bank's plans for 2018-19 include an enhanced level of protection against cyber risks to ensure continuous mitigation against the changing nature of internet threats. The evolving threat ecosystem in India calls for a multi-layer defensive approach to eliminate credential stuffing threats.

The final aspect, but perhaps the most important one, is the cost borne by companies to prevent, detect and remediate credential stuffing attacks. The cost of credential stuffing in Asia-Pacific could go up to 28.5 million USD a year per organization. Using advanced user behaviour analysis techniques becomes imperative to provide businesses with insights into real-time bot traffic and actionable reporting. Businesses can then take the appropriate action on different types of bots, based on their business and IT impacts.
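To make the login pattern described above concrete, the following added example (not from the article or the cited report) classifies login sources from a constructed event log and lists the accounts that need a password reset. The thresholds, the per-IP grouping and all names are illustrative assumptions; real bots often spread attempts across many addresses.

```python
from collections import defaultdict

# Constructed sample events: (source_ip, username, login_succeeded)
SAMPLE_EVENTS = (
    # Bot replaying a breach list: 50 different accounts, one try each, 2 hits
    [("203.0.113.7", f"user{i}@example.com", i % 25 == 0) for i in range(50)]
    # Password guessing against a single account
    + [("198.51.100.4", "alice@example.com", False)] * 30
    # Ordinary user: one typo, then a successful login
    + [("192.0.2.10", "bob@example.com", False), ("192.0.2.10", "bob@example.com", True)]
)

def classify_sources(events, min_attempts=20, max_success_rate=0.1,
                     min_distinct_ratio=0.8):
    """Label each source IP by the shape of its login traffic (assumed thresholds)."""
    stats = defaultdict(lambda: {"attempts": 0, "ok": 0, "users": set()})
    for ip, user, success in events:
        s = stats[ip]
        s["attempts"] += 1
        s["ok"] += int(success)
        s["users"].add(user.lower())

    labels = {}
    for ip, s in stats.items():
        n = s["attempts"]
        if n < min_attempts:
            labels[ip] = "normal"  # too little volume to judge
            continue
        success_rate = s["ok"] / n
        distinct_ratio = len(s["users"]) / n  # near 1.0 means a new account per try
        if success_rate > max_success_rate:
            labels[ip] = "review"  # busy but mostly successful, e.g. shared NAT
        elif distinct_ratio >= min_distinct_ratio:
            labels[ip] = "credential_stuffing"  # many accounts, few hits
        else:
            labels[ip] = "brute_force"  # many tries against few accounts
    return labels

def accounts_to_reset(events, labels):
    """Accounts a stuffing source logged in to: the reused credentials worked."""
    return sorted({user for ip, user, ok in events
                   if ok and labels.get(ip) == "credential_stuffing"})

if __name__ == "__main__":
    labels = classify_sources(SAMPLE_EVENTS)
    print(labels)
    print(accounts_to_reset(SAMPLE_EVENTS, labels))
```

The distinct-account ratio is what separates credential stuffing from password guessing: both fail most of the time, but only stuffing moves to a new account on nearly every attempt.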

