Page 301 - Cyber Defense eMagazine September 2025

   •  Only use step-up authentication in cases where the session risk score is high.
   •  Take into account device history, IP reputation, geolocation, and impractical travel.
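The two bullets above describe a risk score built from device history, IP reputation, geolocation and impossible travel, with step-up only when that score is high. The following is an added example, not code from the article: a small scorer that combines those signals and decides whether to demand a second factor. The weights, the threshold of 50, the 900 km/h plausibility limit, the `UserProfile`/`LoginAttempt` shapes and the bad-IP set are all assumptions made for the illustration.

```python
# Added example (not from the article): session-risk scoring with step-up only
# when the combined score is high. Weights, threshold and speed limit are assumptions.
import math
from dataclasses import dataclass, field
from datetime import datetime
from typing import Optional


@dataclass
class LoginAttempt:
    user: str
    device_id: str
    ip: str
    country: str
    lat: float
    lon: float
    ts: datetime


@dataclass
class UserProfile:
    devices: set = field(default_factory=set)     # device ids seen on successful logins
    countries: set = field(default_factory=set)   # countries seen on successful logins
    last: Optional[LoginAttempt] = None           # most recent successful login


# Assumed weights: any single strong signal, or two weaker ones, crosses the threshold.
RISK_WEIGHTS = {"new_device": 30, "bad_ip": 40, "new_country": 20, "impossible_travel": 50}
STEP_UP_THRESHOLD = 50
MAX_PLAUSIBLE_KMH = 900.0   # roughly airliner speed


def attempt_at(user, device_id, ip, country, lat, lon, iso_ts):
    """Build a LoginAttempt from an ISO-8601 timestamp such as '2025-09-01T10:00:00+00:00'."""
    return LoginAttempt(user, device_id, ip, country, lat, lon, datetime.fromisoformat(iso_ts))


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two coordinates, in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def impossible_travel(prev, cur, max_kmh=MAX_PLAUSIBLE_KMH):
    """True when covering the distance between two logins in the elapsed time is not plausible."""
    km = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
    hours = (cur.ts - prev.ts).total_seconds() / 3600.0
    if hours <= 0:
        return km > 50.0   # same instant: tolerate only small geolocation jitter
    return km / hours > max_kmh


def session_risk(attempt, profile, bad_ips):
    """Return (score, reasons) for one attempt given the user's history and an IP reputation set."""
    reasons = []
    if attempt.device_id not in profile.devices:
        reasons.append("new_device")
    if attempt.ip in bad_ips:
        reasons.append("bad_ip")
    if attempt.country not in profile.countries:
        reasons.append("new_country")
    if profile.last is not None and impossible_travel(profile.last, attempt):
        reasons.append("impossible_travel")
    return sum(RISK_WEIGHTS[r] for r in reasons), reasons


def requires_step_up(score):
    """Only high-risk sessions are challenged; everyone else logs in without friction."""
    return score >= STEP_UP_THRESHOLD
```

A known device from a known country at a plausible distance scores zero and is never challenged; a new device alone (30) is logged but not challenged; impossible travel on its own is enough to trigger step-up.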

4. Security Controls for APIs

   •  Keep web login flows and login APIs separate.
   •  For example, apply rate limits and schema validation, especially to mobile app login APIs.
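To show what rate limiting and schema validation look like in front of a login API, here is an added example that is not the article's or any vendor's code. It validates the request body against a strict allow-list schema (unknown fields, wrong types and over-long values are rejected before anything else runs) and applies a sliding-window limit per source IP and, separately, per account so that one account cannot be hammered from many addresses. The limits (20 per IP and 5 per account per minute), field sizes, status codes and the plaintext credential store are assumptions for the demo; a real service stores password hashes.

```python
# Added example (not from the article): schema validation plus per-IP and
# per-account sliding-window rate limits in front of a login API.
import hmac
from collections import deque

# Allowed fields: name -> (type, min_len, max_len). Anything else is rejected.
LOGIN_SCHEMA = {
    "username": (str, 1, 64),
    "password": (str, 1, 128),
    "device_id": (str, 1, 64),
}
REQUIRED_FIELDS = {"username", "password"}


def validate_login_body(body):
    """Return None when the body matches the schema, otherwise a short error string."""
    if not isinstance(body, dict):
        return "body must be a JSON object"
    unknown = set(body) - set(LOGIN_SCHEMA)
    if unknown:
        return "unknown fields: " + ", ".join(sorted(unknown))
    missing = REQUIRED_FIELDS - set(body)
    if missing:
        return "missing fields: " + ", ".join(sorted(missing))
    for name, (typ, lo, hi) in LOGIN_SCHEMA.items():
        if name in body:
            value = body[name]
            if not isinstance(value, typ) or not (lo <= len(value) <= hi):
                return "invalid field: " + name
    return None


class SlidingWindowLimiter:
    """Allow at most `limit` events per key within any `window` seconds."""

    def __init__(self, limit, window):
        self.limit, self.window = limit, window
        self.events = {}   # key -> deque of timestamps still inside the window

    def allow(self, key, now):
        q = self.events.setdefault(key, deque())
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


class LoginApi:
    def __init__(self, credentials, ip_limit=20, user_limit=5, window=60):
        self.credentials = credentials   # constructed demo store (username -> password)
        self.per_ip = SlidingWindowLimiter(ip_limit, window)
        self.per_user = SlidingWindowLimiter(user_limit, window)

    def login(self, client_ip, body, now):
        """HTTP-style result: 429 throttled, 400 bad schema, 401 bad credentials, 200 success."""
        if not self.per_ip.allow(client_ip, now):
            return 429
        if validate_login_body(body) is not None:
            return 400
        username = body["username"].lower()
        if not self.per_user.allow(username, now):
            return 429
        expected = self.credentials.get(username, "")
        # Constant-time comparison; an unknown user takes the same path as a wrong password.
        if hmac.compare_digest(expected.encode(), body["password"].encode()):
            return 200
        return 401
```

The per-account limiter is keyed on the lower-cased username, so spreading attempts across IPs or case variants of the name does not reset the budget; the clock is passed in as `now` so the behaviour is deterministic and testable.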

5. Transparency & User Education

   •  Inform clients about the dangers of password reuse and send out password breach notifications when credentials are found to be reused.
   •  Openness fosters trust.



A Guide for CEOs and CISOs

Phase 1: Visibility & Discovery

   •  Map every login endpoint, including mobile flows and APIs.
   •  Benchmark failed login ratios: suspicious increases frequently indicate credential stuffing.
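Benchmarking the failed-login ratio means knowing what normal looks like and alerting when a window departs from it. The following added example, which is not the article's code, parses a constructed login log, computes the failed-login ratio for a baseline hour and a current hour, flags the current hour when its ratio is several times the baseline, and additionally counts how many distinct usernames each source IP tried (one source cycling through many accounts is the typical credential-stuffing shape, a signal that goes slightly beyond the bullet). The log format, the sample lines, the spike factor of 3 and the minimum of 10 attempts per window are all assumptions.

```python
# Added example (not from the article): failed-login ratio benchmarking over a
# constructed log, plus distinct usernames per source IP. Format and thresholds are assumptions.
import re
from collections import defaultdict
from datetime import datetime, timezone

LOG_RE = re.compile(r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$")
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"

# Constructed sample log: a quiet hour (one genuine typo among 20 customer logins), then an
# hour in which a single source cycles through 40 usernames and lands 4 reused passwords.
SAMPLE_LOG = [
    f"2025-09-01T09:00:{i:02d}Z ip=198.51.100.{i + 1} user=user{i} result={'FAIL' if i == 3 else 'OK'}"
    for i in range(20)
] + [
    f"2025-09-01T10:00:{i:02d}Z ip=203.0.113.9 user=victim{i} result={'OK' if i % 10 == 0 else 'FAIL'}"
    for i in range(40)
]


def parse_ts(s):
    return datetime.strptime(s, TS_FMT).replace(tzinfo=timezone.utc)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    e = m.groupdict()
    e["ts"] = parse_ts(e["ts"])
    return e


def events_between(events, start_iso, end_iso):
    start, end = parse_ts(start_iso), parse_ts(end_iso)
    return [e for e in events if start <= e["ts"] < end]


def failed_ratio(events):
    """Share of attempts that failed; 0.0 for an empty window."""
    return sum(e["result"] == "FAIL" for e in events) / len(events) if events else 0.0


def users_per_ip(events):
    """How many distinct usernames each source IP attempted in the window."""
    seen = defaultdict(set)
    for e in events:
        seen[e["ip"]].add(e["user"])
    return {ip: len(users) for ip, users in seen.items()}


def is_stuffing_spike(window, baseline_ratio, factor=3.0, min_attempts=10, min_baseline=0.02):
    """Flag a window whose failure ratio is `factor` times the baseline (floored so a
    near-zero baseline does not make every window look like an attack)."""
    threshold = factor * max(baseline_ratio, min_baseline)
    return len(window) >= min_attempts and failed_ratio(window) >= threshold


def analyze(lines,
            baseline=("2025-09-01T09:00:00Z", "2025-09-01T10:00:00Z"),
            current=("2025-09-01T10:00:00Z", "2025-09-01T11:00:00Z")):
    events = [e for e in map(parse_line, lines) if e]
    base = events_between(events, *baseline)
    cur = events_between(events, *current)
    return {
        "baseline_ratio": failed_ratio(base),
        "current_ratio": failed_ratio(cur),
        "spike": is_stuffing_spike(cur, failed_ratio(base)),
        "users_per_ip": users_per_ip(cur),
    }


if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

In production the baseline would be a rolling figure per endpoint (web, mobile, API) rather than a fixed hour, since each flow has its own normal failure rate; the comparison logic stays the same.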

Phase 2: Incorporate Controls

   •  Enhance the current IAM with threat intelligence, bot detection, and adaptive authentication.
   •  Enhance IAM rather than completely replace it.

Phase 3: Ongoing Examination

   •  Conduct red-team drills that replicate credential stuffing in particular.
   •  Apply the concepts of chaos engineering to test the resilience of your login flow in the event of an attack.

Phase 4: Involvement with Businesses

   •  Report credential stuffing as revenue loss and customer fraud rather than a "login failure issue."
   •  Frame board talks about revenue and reputational risk.



Conclusion: The Arms Race in AI Has Started

Automation versus defense has always been at the center of credential stuffing. However, AI has ushered in a new era of bots that are intelligent, adaptable, and able to outsmart defenses.

The lesson for CISOs and CEOs is straightforward: IAM is important, but not enough.


Cyber Defense eMagazine – September 2025 Edition    301
Copyright © 2025, Cyber Defense Magazine. All rights reserved worldwide.