How Credential Stuffing Threatens Your Company…and How to Prevent It
With barely a blip in the cybersecurity world a decade ago, within a few months in 2018, “credential stuffing” unleashed a whopping 2.8 billion automated bot attacks in the USA.
That equates to more than 115 million login attempts per day!
Those under a credential stuffing attack can be harmed on multiple sites or accounts due to a snowball effect. For example, when someone reuses a password or constructs a variation of a password for other applications, a hacker can guess these, making multiple hacks easy.
When hackers use credentials from organizations to login and hijack customer accounts, not only will the company suffer revenue loss and brand damage, but their customers can, too.
In this blog, we will walk you through the credential abuse lifecycle and discuss the best ways to respond to attacks and mitigate damage to your business.
First things first.
What is Credential Stuffing?
Credential stuffing is a relatively new term. It describes the method of using a list of stolen credentials that were acquired during security breaches. Using these stolen user IDs and passwords, a criminal can then access numerous sites, usually through automated tools.
Cybercriminals take over accounts and commit widespread fraud on companies and their customers.
If you’re an organization, think of credential stuffing as a brute force attack that focuses on infiltrating accounts. A hacker needs skill to do this (or software from another skilled hacker). Once a hacker gets into the web application, they can crack open a company’s database which carries millions of usernames, passwords, and other personally identifiable information.
After a hacker gets all that data, they do major damage to countless people. So what happens when you aren’t prepared for an attack?
Disastrous effects of credential stuffing:
- Increased security cost
- Lost revenue from downtime
- Remediation costs and fees
- Strain on call center and IT
- Customer mistrust and churn
As you can see, when a business suffers from stolen credentials, it can cost them dearly. In fact, it’s been reported that in the USA, credential stuffing costs businesses over $5 billion per year. Aside from that, cybercriminals also steal a company’s resources and reserves that should be spent elsewhere.
Examples of Recent Attacks
With the discovery of new vulnerabilities and exploits daily, it’s clear that cyberattacks are on the rise. Various instances demonstrate that each attack is more sophisticated than the last. Let’s look at a few recent examples:
- On July 24, 2019, British telco Sky announced that customer accounts had been locked due to a credential stuffing attack. As a safety precaution, Sky asked customers to follow a multi-process unlock-and-reset procedure.
- In the first quarter of 2019, a Sydney man was arrested by the Australian Federal Police for allegedly selling almost one million accounts from popular streaming services like Netflix, Hulu, and Spotify.
- Dunkin’ Donuts (AKA Dunkin’) released a security notification in February 2019 stating that users of their DD Perks reward program were breached and hackers may have access to customer accounts. This marked the second attack in three months for this popular chain.
- State Farm, a US insurance giant, also suffered a credential stuffing attack in 2019. The company disclosed that the hacker was able to confirm several valid usernames and passwords from customer accounts.
How to Detect Credential Stuffing Attacks
The surge in automated credential theft indicates that this is no longer a single-attacker operation. Today, hackers send armies of bots to conduct thousands of commands, resulting in millions of stolen data. But it gets worse. In what is called “the biggest collection of breaches” to date, billions of stolen records were compiled and shared for free on hacker forums. This included data from Yahoo and LinkedIn.
So, how can you detect bot attacks? Here are the warning signs.
- Check for changes in site traffic like multiple login attempts on multiple accounts, within a limited timeframe.
- Never overlook use cases where you witness a higher-than-usual login failure rate.
- Be aware of any recorded downtime caused by an increase in site traffic.
But beware: These bot detection techniques aren’t 100% effective. You’ll need extra protection—called bot screening—to stop these credential-stealing bots.
Bot screening is a sophisticated screening technology for detecting malware on your devices.
It’s built to monitor the telltale signs of bot activity such as the number of attempts, the number of failures, access attempts from unusual locations, unusual traffic patterns, and unusual speed.
Luckily, you’ll find bot detection in a robust customer identity and access management solution (CIAM). A CIAM platform will also provide device authentication and customer data protection.
How Credential Stuffing Works
Want to know the methods behind the madness? In a nutshell, here’s a hacker’s process:
- Hacker gets stolen data: Criminals share or sell data on public websites and the Dark Web.
- Hacker utilizes data: Using stolen passwords and usernames, hackers attempt website logins.
- Hacker achieves goal: After gaining access to a victim’s site, hackers get more valuable information for more attacks, or to sell.
A Hacker’s Toolbox
Let’s peek at what hackers use to do their dirty deeds.
Step 1: Download a combo list
A combo list is a combined list of leaked credentials obtained from corporate data breaches conducted in the past. These are often available for free within hacking communities or listed for sale in underground markets.
Step 2: Upload a credential stuffing tool
Sophisticated hackers develop plugins or tools called account checker tools. These contain custom configurations that can test the lists of username/password pairs (i.e. “credentials”) against a target website. Hackers can attack sites either one by one, or via tools that hit hundreds of sites at once.
Step 3: Analyze and access accounts
Hackers use account-checking software to successfully log into financial accounts.
Step 4: Export results from accounts
Match found. What’s next? When a match is found, they can easily view a victim’s account balance and gain access to cash, reward points, and/or virtual currencies.
Step 5: Steal funds and resell access
Because hackers use genuine user credentials, they gain undetected access. What follows is a full-fledged account takeover. Next, the attacker can drain the account in seconds and/or resell access to other cybercriminals.
How to Prevent Credential Stuffing
Preventing these attacks is possible. Keep your company safe and protect customer data by following these tips.
- Block bots.
One of the most effective ways to differentiate real users from bots is with captcha. It can provide defense against basic attacks.
But beware: solving captcha can also be automated. There are businesses out there that pay people to solve captchas by clicking on those traffic light pictures.
To counter this issue, a new service has been released in the market as reCAPTCHA. You can choose between three available versions:
- The classic “I’m not a robot” checkbox
- An “invisible” box, displayed only for suspicious users
- A “V3” that evaluates users on reputation and behavior
- Implement multi-factor authentication.
Two-factor or multi-factor authentication (2FA or MFA) blocks 99.9% of account hacks. Of the two, MFA is more robust because it uses more methods to verify user identities. This makes MFA better at preventing credential stuffing attacks.
Here’s how two-factor and multi-factor authentication work: A customer enters their password, and then must also verify their identity again before access is granted. A common example of 2FA is receiving a one-time code on your phone and using that to authenticate identity. Whereas with MFA, a customer might get a code via text message, plus an email, depending on how your company sets that up.
For this reason, multi-factor or two-factor authentication makes it extremely difficult for hackers to execute credential stuffing attacks. The more obstacles you give a hacker, the safer your site will be.
- Adopt a strong password guide.
For all of your password input fields, set password complexity rules like length, character, or special character validation. If a customer’s password matches one from a data breach, they should get a warning to create a new password. Likewise, provide customers with tips on building stronger passwords during their password-creation process.
Giants like Facebook and Google have appointed teams that look for the latest leaks and notify users with the same credentials. If you’d like to do the same, look into customer identity and access management (CIAM) software with a built-in password manager.
- Disallow email addresses as user IDs
Email addresses and user IDs should not be the same. When a username is simply an email, the attacker can figure this out easily. Now all they have to do is crack the password—and they’ve got the credentials to do it.
Basically, using an email for a username makes a hacker’s job too easy. That’s why it’s wise to have content on your company’s site, or in newsletters and social media, that give your customers tips on password security.
- Set up risk-based authentication.
Risk-based authentication (RBA) calculates a risk score based on a predefined set of rules. These would be related to a login device, IP reputation, user identity details, geolocation, geo velocity, personal characteristics, data sensitivity, or preset amount of failed attempts. In the case of high-risk scenarios, you should consider using this customizable password security solution.
- Set up passwordless login.
As you’ve seen with risk-based authentication, organizations can create temporary account lockouts when a bad user breaks any rules. However, did you know that hackers can also deny you access to your own resources, once they break in? That’s why companies also use passwordless authentication—it’s a safe way to authenticate a valid user for safe access into an account.
- Use fingerprinting libraries.
Fingerprinting is the technique of gathering a combination of data, which when used as a whole, cannot be duplicated elsewhere. There are common fingerprinting libraries where you can collect client-side telemetry and start working on them right away.
With this data, you can map client similarities across large slices of traffic and come up with suspicious patterns you’d have overlooked, otherwise.
Credential stuffing is easy to perform, so its popularity with criminals will increase with time. Even if your business isn’t affected yet, you must protect your website and watch for all the red flags that we listed in this blog.
If you’re looking for a solution to help prevent credential stuffing, look into LoginRadius. Our platform is easy to deploy and provides robust security including risk-based authentication, bot detection, multi-factor authentication, and other safeguards. We even integrate with Google Authenticator.