Credential stuffing is the automated injection of breached username/password pairs in order to fraudulently gain access to user accounts. When hackers use credentials from organizations to login and hijack customer accounts, not only will the company suffer revenue loss and brand damage, but their customers can, too. Read this ppt to know about how you can respond to such attacks and mitigate the risks.
What Is a Credential Stuffing Attack and How Can You Prevent It?
With barely a blip in the cybersecurity world a decade ago, within a few
months in 2018, “credential stuffing” unleashed a whopping 2.8 billion
automated bot attacks in the USA.
That equates to more than 115 million login attempts per day!
Those under a credential stuffing attack can be harmed on multiple sites or
accounts due to a snowball effect. For example, when someone reuses a
password, or constructs a variation of it for other applications, a hacker who
holds the leaked password can guess the rest, making multiple hacks easy.
When hackers use credentials from organizations to login and hijack customer
accounts, not only will the company suffer revenue loss and brand damage,
but their customers can, too.
In this blog, we will walk you through the credential abuse lifecycle and
discuss the best ways to respond to attacks and mitigate damage to your
business.
First things first.
Credential Stuffing:
Credential stuffing is a relatively new term. It describes the method of using a
list of stolen credentials that were acquired during security breaches. Using
these stolen user IDs and passwords, a criminal can then access numerous
sites, usually through automated tools.
Consequence?
Cybercriminals take over accounts and commit widespread fraud on
companies and their customers.
If you’re an organization, think of credential stuffing as a brute force attack
that focuses on infiltrating accounts. A hacker needs skill to do this (or
software written by another skilled hacker). Once a hacker gets into the web
application, they can crack open a company’s database, which carries millions
of usernames, passwords, and other personally identifiable information.
After a hacker gets all that data, they can do major damage to countless people.
So what happens when you aren’t prepared for an attack?
Disastrous effects of credential stuffing:
● Increased security cost
● Lost revenue from downtime
● Remediation costs and fees
● Strain on call center and IT
● Customer mistrust and churn
As you can see, when a business suffers from stolen credentials, it can cost
them dearly. In fact, it’s been reported that in the USA, credential stuffing
costs businesses over $5 billion per year. Aside from that, cybercriminals also
steal a company’s resources and reserves that should be spent elsewhere.
Examples of Recent Attacks
With the discovery of new vulnerabilities and exploits daily, it’s clear that
cyberattacks are on the rise. Various instances demonstrate that each attack
is more sophisticated than the last. Let’s look at a few recent examples:
● On July 24, 2019, British telco Sky announced that customer accounts
had been locked due to a credential stuffing attack. As a safety
precaution, Sky asked customers to follow a multi-process
unlock-and-reset procedure.
● Dunkin’ Donuts (AKA Dunkin’) released a security notification in
February 2019 stating that users of their DD Perks reward program
were breached and hackers may have access to customer accounts.
This marked the second attack in three months for this popular chain.
● State Farm, a US insurance giant, also suffered a credential stuffing
attack in 2019. The company disclosed that the hacker was able to
confirm several valid usernames and passwords from customer
accounts.
How to Detect Credential Stuffing Attacks
The surge in automated credential theft indicates that this is no longer a
single-attacker operation. Today, hackers send armies of bots to conduct
thousands of login attempts, resulting in millions of stolen records. But it gets worse.
In what is called “the biggest collection of breaches” to date, billions of stolen
records were compiled and shared for free on hacker forums. This included
data from Yahoo and LinkedIn.
So, how can you detect bot attacks? Here are the warning signs.
● Check for changes in site traffic like multiple login attempts on multiple
accounts, within a limited timeframe.
● Never overlook use cases where you witness a higher-than-usual login
failure rate.
● Be aware of any recorded downtime caused by an increase in site
traffic.
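The three warning signs above can be checked mechanically. The following is an added example, not code from the original post or from LoginRadius: it runs over a constructed sample of login-attempt log lines and flags any source IP that, within a one-minute sliding window, hits many distinct accounts with a high failure rate. The log format and the thresholds are assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not real traffic), one login attempt
# per line. 203.0.113.5 cycles through many accounts with mostly failures.
SAMPLE_LOG = """\
2019-07-24T10:00:01Z ip=198.51.100.7 user=alice result=ok
2019-07-24T10:00:03Z ip=203.0.113.5 user=bob result=fail
2019-07-24T10:00:04Z ip=203.0.113.5 user=carol result=fail
2019-07-24T10:00:04Z ip=203.0.113.5 user=dave result=fail
2019-07-24T10:00:05Z ip=203.0.113.5 user=erin result=ok
2019-07-24T10:00:06Z ip=203.0.113.5 user=frank result=fail
2019-07-24T10:00:07Z ip=203.0.113.5 user=grace result=fail
2019-07-24T10:05:09Z ip=198.51.100.7 user=alice result=fail
2019-07-24T10:05:12Z ip=198.51.100.7 user=alice result=ok
"""

def parse_line(line):
    """Turn 'timestamp key=value ...' into a dict with a parsed timestamp."""
    ts, *pairs = line.split()
    event = dict(p.split("=", 1) for p in pairs)
    event["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return event

def find_stuffing_sources(log_text, window=timedelta(minutes=1),
                          min_attempts=5, min_users=4, min_fail_rate=0.6):
    """Return {ip: stats} for source IPs that, within any sliding window, hit
    many distinct accounts with a high failure rate. The thresholds are
    illustrative assumptions; tune them against your own baseline traffic."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            event = parse_line(line)
            by_ip[event["ip"]].append(event)
    flagged = {}
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(events)):
            # Advance the window start until the span fits inside `window`.
            while events[end]["ts"] - events[start]["ts"] > window:
                start += 1
            win = events[start:end + 1]
            users = {e["user"] for e in win}
            fail_rate = sum(e["result"] == "fail" for e in win) / len(win)
            if (len(win) >= min_attempts and len(users) >= min_users
                    and fail_rate >= min_fail_rate):
                flagged[ip] = {"attempts": len(win), "accounts": len(users),
                               "fail_rate": round(fail_rate, 2)}
    return flagged
```

A legitimate user retrying their own password (198.51.100.7 above) stays below the distinct-account threshold, which is what separates stuffing from an ordinary forgotten password.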
But beware: These bot detection techniques aren’t 100% effective. You’ll need
extra protection—called bot screening—to stop these credential-stealing bots.
Bot screening is a sophisticated screening technology for detecting malware
on your devices.
It’s built to monitor the telltale signs of bot activity such as the number of
attempts, the number of failures, access attempts from unusual locations,
unusual traffic patterns, and unusual speed.
Luckily, you’ll find bot detection in a robust customer identity and access
management (CIAM) solution. A CIAM platform will also provide device
authentication and customer data protection.
How Credential Stuffing Is Done
Want to know the methods behind the madness? In a nutshell, here’s a
hacker’s process:
● Hacker gets stolen data: Criminals share or sell data on public
websites and the Dark Web.
● Hacker utilizes data: Using stolen passwords and usernames, hackers
attempt website logins.
● Hacker achieves goal: After gaining access to a victim’s site, hackers
get more valuable information for more attacks, or to sell.
A Hacker’s Toolbox
Let’s peek at what hackers use to do their dirty deeds.
Step 1: Download a combo list
A combo list is a combined list of leaked credentials obtained from corporate
data breaches conducted in the past. These are often available for free within
hacking communities or listed for sale in underground markets (Darkweb).
Step 2: Upload a credential stuffing tool
Sophisticated hackers develop plugins or tools called account checker tools.
These contain custom configurations that can test the lists of
username/password pairs (i.e. “credentials”) against a target website. Hackers
can attack sites either one by one or via tools that hit hundreds of sites at
once.
Step 3: Analyze and access accounts
Hackers use account-checking software to successfully log into financial
accounts.
Step 4: Export results from accounts
Match found. What’s next? When a match is found, they can easily view a
victim’s account balance and gain access to cash, reward points, and/or
virtual currencies.
Step 5: Steal funds and resell access
Because hackers use genuine user credentials, they gain undetected access.
What follows is a full-fledged account takeover. Next, the attacker can drain
the account in seconds and/or resell access to other cybercriminals.
How to Prevent Credential Stuffing
Preventing these attacks is possible. Keep your company safe and protect
customer data by following these tips.
1. Block bots.
One of the most effective ways to differentiate real users from bots is with
captcha. It can provide defense against basic attacks.
But beware: solving captcha can also be automated. There are businesses
out there that pay people to solve captchas by clicking on those traffic light
pictures.
To counter this issue, a new service has been released in the market as
reCAPTCHA. You can choose between three available versions:
● The classic “I’m not a robot” checkbox
● An “invisible” box, displayed only for suspicious users
● A “V3” that evaluates users on reputation and behavior
2. Implement multi-factor authentication.
Multi-factor authentication (2FA or MFA) blocks 99.9% of account hacks. Of
the two, MFA is more robust because it uses more methods to verify user
identities. This makes MFA better at preventing credential stuffing attacks.
Here’s how multi-factor authentication works: A customer enters their
password, and then must also verify their identity again before access is
granted. A common example of 2FA is receiving a one-time code on your
phone and using that to authenticate your identity. With MFA, a customer
might get a code via text message plus an email, depending on how your
company sets that up.
For this reason, multi-factor authentication makes it extremely difficult for
hackers to execute credential stuffing attacks. The more obstacles you give a
hacker, the safer your site will be.
3. Adopt a strong password guide.
For all of your password input fields, set password complexity rules like
length, character, or special character validation. If a customer’s password
matches one from a data breach, they should get a warning to create a new
password. Likewise, provide customers with tips on building stronger
passwords during their password-creation process.
Giants like Facebook and Google have appointed teams that look for the
latest leaks and notify users with the same credentials. If you’d like to do the
same, look into customer identity and access management (CIAM) software
with a built-in password manager.
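The breach check described above can be done without ever sending the customer’s password, or even its full hash, to the lookup service. The following added example (not code from the original post or from LoginRadius) implements the k-anonymity range-query pattern used by the Pwned Passwords service, with a constructed in-memory breach corpus standing in for the remote range response, and combines it with the complexity rules from this section. The minimum length and rule set are assumptions.

```python
import hashlib
import re

def sha1_hex(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

# Constructed stand-in for a breach corpus (not real leaked data): the SHA-1 of
# a few weak passwords, each with a made-up count of breached records.
BREACHED = {sha1_hex(pw): n for pw, n in
            [("password123", 9000), ("summer2019", 120), ("letmein", 3400)]}

def range_lookup(prefix5):
    """Server side of a k-anonymity range query: given only the first 5 hex
    chars of a SHA-1, return every (suffix, count) in that bucket. The client
    never sends the full hash, let alone the password."""
    return {h[5:]: n for h, n in BREACHED.items() if h.startswith(prefix5)}

def breach_count(password):
    """Client side: hash locally, query by prefix, match the suffix locally."""
    digest = sha1_hex(password)
    return range_lookup(digest[:5]).get(digest[5:], 0)

def check_new_password(password, min_length=12):
    """Complexity rules plus the breach check. Returns the list of problems to
    show the customer; an empty list means the password is acceptable."""
    problems = []
    if len(password) < min_length:
        problems.append(f"use at least {min_length} characters")
    if not (re.search(r"[a-z]", password) and re.search(r"[A-Z]", password)):
        problems.append("mix upper- and lower-case letters")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("include at least one special character")
    hits = breach_count(password)
    if hits:
        problems.append(f"found in {hits} breached records, choose another")
    return problems
```

Run the same check against existing accounts when a new leak is ingested, and the warning-on-match behaviour the section describes follows from the `breach_count` result alone.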
4. Disallow email addresses as user IDs.
Email addresses and user IDs should not be the same. When a username is
simply an email, the attacker can figure this out easily. Now all they have to do
is crack the password—and they’ve got the credentials to do it.
Basically, using an email for a username makes a hacker’s job too easy.
That’s why it’s wise to have content on your company’s site, or in newsletters
and social media, that gives your customers tips on password security.
5. Set up risk-based authentication.
Risk-based authentication (RBA) calculates a risk score based on a
predefined set of rules. These would be related to a login device, IP
reputation, user identity details, geolocation, geo velocity, personal
characteristics, data sensitivity, or preset amount of failed attempts. In the
case of high-risk scenarios, you should consider using this customizable
password security solution.
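The rule-based scoring this section describes is straightforward to implement. The following added example (not code from the original post or from LoginRadius) scores one login attempt on device familiarity, IP reputation, geo velocity between the previous and current login, and recent failed attempts, then maps the score to allow, step-up MFA, or the temporary lockout the next section mentions. The rule weights, thresholds, reputation list and the 900 km/h plausibility bound are assumptions; timestamps are Unix epoch seconds.

```python
import math

# Constructed rule weights and reputation list (assumptions; tune per site).
WEIGHTS = {"unknown_device": 30, "bad_ip_reputation": 40,
           "impossible_travel": 50, "failed_attempt": 10}
BAD_IPS = {"203.0.113.5"}
MAX_PLAUSIBLE_KMH = 900     # faster than this between logins is flagged
MAX_COUNTED_FAILURES = 5    # cap so failures alone cannot dominate the score

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlmb = math.radians(lat2 - lat1), math.radians(lon2 - lon1)
    a = (math.sin(dphi / 2) ** 2
         + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2)
    return 6371.0 * 2 * math.asin(math.sqrt(a))

def risk_score(login, previous, known_devices, failed_attempts):
    """Score one attempt against the rule set; returns (score, reasons).
    `login` and `previous` are dicts with ip, device, lat, lon and ts."""
    score, reasons = 0, []
    if login["device"] not in known_devices:
        score += WEIGHTS["unknown_device"]
        reasons.append("unknown_device")
    if login["ip"] in BAD_IPS:
        score += WEIGHTS["bad_ip_reputation"]
        reasons.append("bad_ip_reputation")
    if previous is not None:
        km = haversine_km(previous["lat"], previous["lon"],
                          login["lat"], login["lon"])
        hours = (login["ts"] - previous["ts"]) / 3600
        # Geo velocity: the account moved further than any traveller could.
        if km > 0 and (hours <= 0 or km / hours > MAX_PLAUSIBLE_KMH):
            score += WEIGHTS["impossible_travel"]
            reasons.append("impossible_travel")
    score += min(failed_attempts, MAX_COUNTED_FAILURES) * WEIGHTS["failed_attempt"]
    return score, reasons

def decide(score, step_up_at=40, lockout_at=80):
    """Map a score to an action: allow, require a second factor, or lock out."""
    if score >= lockout_at:
        return "temporary_lockout"
    return "require_mfa" if score >= step_up_at else "allow"
```

A known device logging in from the usual place scores zero and passes silently, so the extra friction lands only on the high-risk scenarios the section refers to.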
6. Set up passwordless login.
As you’ve seen with risk-based authentication, organizations can create
temporary account lockouts when a bad user breaks any rules. However, did
you know that hackers can also deny you access to your own resources, once
they break in? That’s why companies also use passwordless
authentication—it’s a safe way to authenticate a valid user for safe access into
an account.
7. Use fingerprinting libraries.
Fingerprinting is the technique of gathering a combination of data, which when
used as a whole, cannot be duplicated elsewhere. There are common
fingerprinting libraries where you can collect client-side telemetry and start
working on them right away.
With this data, you can map client similarities across large slices of traffic and
surface suspicious patterns you would otherwise have overlooked.
Conclusion
Credential stuffing is easy to perform, so its popularity with criminals will
increase with time. Even if your business isn’t affected yet, you must protect
your website and watch for all the red flags that we listed in this blog.
If you’re looking for a solution to help prevent credential stuffing, look into
LoginRadius. Our platform is easy to deploy and provides robust security
including bot detection, multi-factor authentication, and other safeguards.