Intelligent CIO APAC Issue 12 | Page 33

EDITOR'S QUESTION
RICHARD MARR, GENERAL MANAGER APAC AT AUTH0

Hackers are continually becoming more creative and refining their tactics to steal and sell user data. As our lives become more reliant on digital platforms at work and at home, the threat to online account credentials increases.

A key development was the use of botnets and automated tools. Traditionally, brute force-type attacks are easy to mitigate, but once you spread them across a huge number of bots – where each bot has its own IP and most of them are recycled from residential IP addresses (not on blacklists) – one bot sending five requests every 10 minutes doesn't look that suspicious.
Multiply that by ten thousand, and you're getting somewhere, and the victim site doesn't really notice. It's not like your company's internal records are one day posted on the Internet. It's a slow attrition of user accounts that you may not be aware of.
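The low-and-slow pattern described above, as an added example that is not from the article or from Auth0: a per-IP failure threshold, the control that brute-force defences rely on, never fires against ten thousand bots sending five attempts each in ten minutes, while a fleet-level count of distinct failing source IPs does. All IP addresses, usernames, timestamps and thresholds are constructed sample values.

```python
from collections import defaultdict
from datetime import datetime, timedelta

EPOCH = datetime(2020, 1, 1)  # constructed start time for the sample log

def make_sample_log(bots=10000, attempts_per_bot=5, window_min=10):
    """Constructed auth log: each bot sends five attempts over ten minutes from its own IP."""
    lines = []
    for b in range(bots):
        ip = f"10.{(b >> 16) & 255}.{(b >> 8) & 255}.{b & 255}"
        for a in range(attempts_per_bot):
            ts = EPOCH + timedelta(seconds=a * window_min * 60 / attempts_per_bot)
            lines.append(f"{ts.isoformat()} {ip} user{b * attempts_per_bot + a} FAIL")
    lines.append(f"{EPOCH.isoformat()} 203.0.113.7 alice FAIL")  # one real user, mistyped once
    lines.append(f"{(EPOCH + timedelta(minutes=1)).isoformat()} 203.0.113.7 alice OK")
    return lines

def parse(lines):
    """'<iso-timestamp> <ip> <username> <FAIL|OK>' -> (datetime, ip, user, ok)."""
    return [(datetime.fromisoformat(ts), ip, user, res == "OK")
            for ts, ip, user, res in (line.split() for line in lines)]

def per_ip_alerts(events, window=timedelta(minutes=10), max_failures=20):
    """Classic control: flag an IP with more than max_failures in a sliding window."""
    fails = defaultdict(list)
    for ts, ip, _, ok in events:
        if not ok:
            fails[ip].append(ts)
    flagged = set()
    for ip, times in fails.items():
        times.sort()
        lo = 0
        for hi, t in enumerate(times):
            while t - times[lo] > window:
                lo += 1
            if hi - lo + 1 > max_failures:
                flagged.add(ip); break
    return flagged

def aggregate_alerts(events, window=timedelta(minutes=10), min_failing_ips=500,
                     max_failure_ratio=0.5):
    """Fleet-level control: per window, count distinct source IPs that failed at least
    once plus the overall failure ratio; thousands of IPs failing a few times each
    is the signature of a distributed credential-stuffing run."""
    buckets = defaultdict(lambda: {"fail_ips": set(), "total": 0, "fails": 0})
    for ts, ip, _, ok in events:
        b = buckets[(ts - EPOCH) // window]  # integer window index since EPOCH
        b["total"] += 1
        if not ok:
            b["fails"] += 1
            b["fail_ips"].add(ip)
    return sorted(k for k, b in buckets.items() if len(b["fail_ips"]) >= min_failing_ips
                  and b["fails"] / b["total"] > max_failure_ratio)
```

Running both controls over the same constructed log shows the per-IP check returning nothing while the aggregate check flags the first ten-minute window.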
In most cases of cyberattack, identity isn't just the safe – it's the keys. The use of stolen credentials is one of the most common methods observed in data breaches, according to the 2020 Verizon Data Breach Investigations Report.
In APAC, 30% of hacking attacks used stolen credentials or exploited vulnerabilities against web applications. We know people reuse their passwords. So, hackers simply take credentials leaked in data breaches and try them against other sites.
They do this in an automated fashion called a credential stuffing attack, so that they can try thousands of credentials over time. It's really a numbers game. If just 0.01% of a massive list of credentials are reused on a second website, you can still take over a significant number of accounts.
The resulting fraud can range from everyday purchases of goods, gift cards or voucher codes at e-commerce firms, to stealing points in loyalty programs of airlines and hotel chains. The theft of insignificant amounts of money from companies means they often go unnoticed, but the cost to the business can add up.
According to a study by Ponemon Institute, credential stuffing attacks in the region cause costly application downtime, loss of customers and involvement of IT security that can result in an average cost of $1.2 million, $1.5 million and $1.1 million annually, respectively.