Content delivery network Akamai says nearly half of all online login attempts are performed by cybercriminals trying to break into accounts containing sensitive user data.
Building a slide deck, pitch, or presentation? Here are the big takeaways:
- A report from Akamai reveals that 43% of all online login attempts are malicious. The three most-attacked industries are hospitality (82%), high tech (57%), and retail (36%).
- Credential theft is a digital epidemic, and it requires action from both website operators and users to treat. Companies need to pay more attention to their login portals to recognize suspicious activity, and users need to use unique, hard-to-guess passwords and password managers. —TechRepublic
US-based content delivery network Akamai, in its Q4 2017 State of the Internet/Security report, alarmingly claims that 43% of all online login attempts are malicious. Akamai defines these malicious requests as "attempts to log in to an account using password guessing or account details gathered from elsewhere on the Internet."
As The Register points out, the actual number may be even higher, because Akamai's data only includes websites that use email addresses as usernames, not those that have a separate login ID.
Regardless of whether Akamai understates the threat, this statistic should be alarming to anyone who operates—or uses—a website that stores personally identifying information or financial details like credit card numbers or bank accounts.
Webmasters and users should be especially concerned if they work in, or make frequent use of, the hospitality industry: Akamai says that 82% of login attempts on hotel and travel-related sites were malicious.
Risky (online) business
Akamai's method for determining whether a login attempt is malicious involves "identifying IP addresses that make multiple attempts to log into accounts using leaked credentials with no other activity to the target site." It breaks attempts down into high-speed bursts of login attempts and slow, long-term attempts to gain access.
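The heuristic quoted above can be sketched as detection logic over web access logs. This is an added example, not Akamai's implementation or code from the report; the log records, the leaked-account set, both thresholds and the function name are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample requests: (timestamp, source IP, method, path, login email or None).
SAMPLE_LOG = [
    ("2018-02-01T10:00:00", "203.0.113.7", "POST", "/login", "ann@example.com"),
    ("2018-02-01T10:00:02", "203.0.113.7", "POST", "/login", "bob@example.com"),
    ("2018-02-01T10:00:04", "203.0.113.7", "POST", "/login", "cat@example.com"),
    ("2018-02-01T10:00:06", "203.0.113.7", "POST", "/login", "dan@example.com"),
    ("2018-02-01T09:00:00", "198.51.100.9", "POST", "/login", "ann@example.com"),
    ("2018-02-02T21:30:00", "198.51.100.9", "POST", "/login", "cat@example.com"),
    ("2018-02-04T03:15:00", "198.51.100.9", "POST", "/login", "dan@example.com"),
    ("2018-02-01T11:00:00", "192.0.2.44", "GET", "/", None),
    ("2018-02-01T11:00:20", "192.0.2.44", "POST", "/login", "bob@example.com"),
    ("2018-02-01T11:00:25", "192.0.2.44", "GET", "/account", None),
    ("2018-02-01T12:00:00", "192.0.2.80", "POST", "/login", "ann@example.com"),
]
# Constructed stand-in for a corpus of account names seen in credential dumps.
LEAKED = {"ann@example.com", "bob@example.com", "cat@example.com", "dan@example.com"}

MIN_ATTEMPTS = 3                    # assumed threshold for "multiple attempts"
BURST_GAP = timedelta(seconds=30)   # assumed mean gap separating burst from slow

def classify_sources(records, leaked, login_path="/login"):
    """Return {ip: "burst" | "slow"} for IPs that only ever attempt leaked logins."""
    attempts = defaultdict(list)   # ip -> timestamps of leaked-credential logins
    other = defaultdict(int)       # ip -> count of every other request
    for ts, ip, method, path, user in records:
        if method == "POST" and path == login_path and user in leaked:
            attempts[ip].append(datetime.fromisoformat(ts))
        else:
            other[ip] += 1
    verdicts = {}
    for ip, times in attempts.items():
        if len(times) < MIN_ATTEMPTS or other[ip] > 0:
            continue  # too few attempts, or the source also browses like a user
        # Mean time between attempts; safe because len(times) >= MIN_ATTEMPTS >= 2.
        mean_gap = (max(times) - min(times)) / (len(times) - 1)
        verdicts[ip] = "burst" if mean_gap <= BURST_GAP else "slow"
    return verdicts

if __name__ == "__main__":
    for ip, kind in classify_sources(SAMPLE_LOG, LEAKED).items():
        print(ip, kind)
```

The source that logs in once and then browses (192.0.2.44) and the single failed attempt (192.0.2.80) are both left unflagged, which is the point of the "no other activity" condition.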
By sheer numbers, retail websites account for more fake login attempts than hospitality websites, which ranked second in total number of credential abuse attempts (high tech websites rank third by this metric).
That only tells half the story, Akamai said, when you consider fake login attempts alongside the total number of attempts. With that in mind, high tech websites jump to second place, with 57% of login attempts on their websites being malicious, and retail falls to third with 36%.
Hospitality jumps far ahead of the rest, which Akamai said is due to how tempting hospitality sites are as targets. "Ask anyone on the security team at a hotel chain and they will tell you how hard they have to work to protect their user accounts," the report said. "[Attackers] are aware that these sites have large pools of credit card numbers for them to drain."
The report said that airlines, hotels and resorts, and online travel agencies are the most frequently attacked hospitality websites.
Reassessing the importance of secure logins
Akamai draws an expected, but nonetheless disheartening, conclusion about credential abuse: It's only going to continue. Internet users frequently reuse passwords, it said, and many websites pay little heed to the security of their login portals.
Credential theft is an online epidemic. Whether username and password combinations are phished from users or stolen in a data breach matters little; login information is stolen regularly and can readily be found for sale on the dark web.
While it would be simple to tell website operators to enhance their security, that alone isn't enough when so many passwords are weak and easily compromised.
Internet users need to take responsibility for the safety and security of their accounts just as much as site operators do: Use a password manager, auto-generate random passwords, and subscribe to services like Have I Been Pwned to be notified if your credentials have been part of a breach.
Being secure online takes a lot of work, and it requires the combined efforts of site operators and users.