Credential Stuffing: Understanding Another Cyber Threat
Most users don’t practice good Internet hygiene; instead they take the easy route, such as reusing the same login credentials across many accounts. This makes the login page a target for credential stuffing, regardless of whether your organization has experienced a data breach.
Through this fraud technique an attacker can purchase goods or services, take out bank loans, or steal medical information, for example. Credential stuffing can hurt your business, customers, and reputation -- with risk being commensurate with transaction value.
So what is credential stuffing? Credential stuffing is an emerging form of attack that can produce account takeover through automated Web injection by botnets.
Credential stuffing isn’t a brute force attack. It doesn’t attempt to guess passwords. Rather, the attacker uses a botnet to automate the logins for thousands to millions of previously discovered credential pairs using Web automation tools available online. “For attackers, it’s simply a numbers game; a 1% success rate of 1 billion attempts will result in 10 million breaches,” described Frost & Sullivan in a 2017 report, “Advancing to Bot Management and Security: Credential Stuffing Becomes Top Concern.”
Credential stuffing attacks have five phases:
- The attacker acquires usernames and passwords from a website breach or through a password dump site.
- The attacker tests the stolen credentials with an account checker against many websites (social media, online retailers, and so on).
- Successful logins at the sites accessed in step two allow the attacker to gain control of the account matching the stolen credentials.
- The attacker then accesses the stolen accounts and downloads their stored values, including credit card numbers, and other identifiable user information.
- The attacker uses the account information going forward for transactional, spam, or other purposes.
Credential stuffing may appear to impact individuals alone. But that’s not the case.
Company policies usually forbid employees from using their work email or credentials to sign up for online services. They do it anyway -- and credentials found in stolen databases are often directly associated with individuals who use identical or similar login credentials for work and personal accounts. If work email or credentials are compromised, a company’s proprietary information, customer lists, and even financial documents are at high risk of exposure. Attackers can exploit private communications, lists, and networks by leveraging stolen employee login credentials to access a business’s information.
Watch for these indicators, and take defensive actions:
- Look for multiple attempted logons from the same IP addresses.
- Monitor for higher traffic volumes originating from foreign or regional locations, and watch for browser anomalies.
Unusual traffic flow through the site and/or its APIs may indicate that automation is being used to carry out the attack.
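The indicators above can be checked mechanically over login logs. The following is an added example, not code from the article: it parses a few constructed login-log lines and flags source IPs that show many distinct accounts per IP, a low success rate, or a scripted user agent. The log format, the thresholds and the user-agent marker list are assumptions.

```python
# Added example (not from the article): credential-stuffing indicators over login logs.
from collections import defaultdict

# Constructed sample log: timestamp, client IP, username, result, user agent.
SAMPLE_LOG = """\
2024-01-01T10:00:01 203.0.113.7 alice FAIL python-requests/2.31
2024-01-01T10:00:02 203.0.113.7 bob FAIL python-requests/2.31
2024-01-01T10:00:02 203.0.113.7 carol FAIL python-requests/2.31
2024-01-01T10:00:03 203.0.113.7 dave OK python-requests/2.31
2024-01-01T10:00:04 203.0.113.7 erin FAIL python-requests/2.31
2024-01-01T10:00:09 198.51.100.5 alice OK Mozilla/5.0
2024-01-01T10:00:15 198.51.100.5 alice FAIL Mozilla/5.0
"""
# Substrings typical of scripted clients (an assumed, illustrative list).
AUTOMATION_MARKERS = ("python-requests", "curl/", "go-http-client", "java/")

def parse_log(text):
    """Parse the constructed log format into event dicts; skip malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.split(maxsplit=4)
        if len(parts) != 5:
            continue
        ts, ip, user, result, ua = parts
        events.append({"ts": ts, "ip": ip, "user": user,
                       "ok": result == "OK", "ua": ua})
    return events

def find_stuffing_ips(events, min_attempts=5, min_accounts=4, max_success_rate=0.3):
    """Return {ip: [reasons]} for IPs whose behaviour matches credential stuffing."""
    attempts, successes = defaultdict(int), defaultdict(int)
    users, agents = defaultdict(set), defaultdict(set)
    for e in events:
        attempts[e["ip"]] += 1
        successes[e["ip"]] += int(e["ok"])
        users[e["ip"]].add(e["user"])
        agents[e["ip"]].add(e["ua"].lower())
    flagged = {}
    for ip, n in attempts.items():
        reasons = []
        if n >= min_attempts and len(users[ip]) >= min_accounts:
            reasons.append(f"{len(users[ip])} accounts in {n} attempts")  # one IP, many accounts
        if n >= min_attempts and successes[ip] / n <= max_success_rate:
            reasons.append(f"success rate {successes[ip] / n:.0%}")  # mostly failures
        if any(m in ua for ua in agents[ip] for m in AUTOMATION_MARKERS):
            reasons.append("automation user agent")  # browser anomaly
        if reasons:
            flagged[ip] = reasons
    return flagged
```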
Another technique worth employing is regularly checking users’ passwords to ensure they do not violate policy, and rejecting those that do.
The National Institute of Standards and Technology released an updated Special Publication 800-63B on Digital Identity Guidelines. The guidance counters the long-held belief that passwords must be long and complex. The new guidelines recommend that passwords should be “easy to remember” but “hard to guess.” The new guidance suggests usability and security go hand in hand.
To head off credential stuffing before it hits your organization, consider deploying technologies such as the following:
- Multi-Factor Authentication (MFA) -- MFA combines two or more independent credentials, creating a layered defense to make access more difficult for an unauthorized person or device. When one factor is compromised or broken, the attacker still has at least one more barrier before successfully breaking into the target. True MFA is the best defense against credential stuffing attacks.
- Multi-Step Login Process -- Multi-step authentication requires two physical keys, two passwords, or two forms of biometric identification. For example, after providing the password a user would also be required to provide the one-time password displayed on his or her phone.
- IP Blacklists -- Attacker requests likely originate from one or a few IP addresses. IP addresses attempting to log into multiple accounts can be blocked or isolated. Monitoring and tracking IP addresses can be used to eliminate (most) false positives: take the last several IP addresses that the user's account has logged in from and compare them to the suspected "bad" IP. Limit IP address bans to 15 minutes; this reduces the negative impact on the user and on business services.
- Device Fingerprinting -- Device fingerprinting is a method for identifying a device (PC, laptop, tablet, phone) based on its unique configuration. A simple implementation would be operating system + geolocation + language.
- Stop Using Email Addresses as IDs -- Not using email addresses as user IDs helps prevent spear phishing attacks against such users, because the email associated with the user account is far less obvious.
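One way to implement the IP-blacklisting advice above, as an added example and not the article's own code: a small Python class that bans an IP for 15 minutes once it has tried more than a few distinct accounts, but does not count attempts from an IP the account has recently logged in from. The history size and the per-IP account limit are assumptions, and the clock is passed in so the expiry can be exercised without waiting.

```python
# Added example (not from the article): 15-minute IP bans with a per-account
# "recently used IPs" allowance to cut false positives.
from collections import defaultdict, deque

BAN_SECONDS = 15 * 60       # the article's 15-minute ban
HISTORY_SIZE = 5            # "last several" IPs kept per account (assumption)
ACCOUNTS_PER_IP_LIMIT = 3   # distinct accounts from one IP before banning (assumption)

class LoginGuard:
    def __init__(self):
        self.recent_ips = defaultdict(lambda: deque(maxlen=HISTORY_SIZE))  # user -> IPs
        self.accounts_seen = defaultdict(set)   # ip -> accounts it has tried
        self.banned_until = {}                  # ip -> unix time the ban lifts

    def is_banned(self, ip, now):
        until = self.banned_until.get(ip)
        if until is None:
            return False
        if now >= until:                 # ban expired: lift it and reset the tally
            del self.banned_until[ip]
            self.accounts_seen.pop(ip, None)
            return False
        return True

    def allow(self, user, ip, now):
        """Decide before password verification whether this attempt may proceed."""
        if self.is_banned(ip, now):
            return False
        if ip in self.recent_ips[user]:  # the account has used this IP: do not count it
            return True
        self.accounts_seen[ip].add(user)
        if len(self.accounts_seen[ip]) >= ACCOUNTS_PER_IP_LIMIT:
            self.banned_until[ip] = now + BAN_SECONDS   # spread across accounts: ban
            return False
        return True

    def record_success(self, user, ip):
        """After a verified login, remember the IP as one the account uses."""
        if ip not in self.recent_ips[user]:
            self.recent_ips[user].append(ip)
```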
As security organizations become more sophisticated, so do the attackers -- and in most cases, more so than businesses. Safeguarding your company starts with understanding credential stuffing threats and knowing the best approaches for stopping them.