
What Is Credential Stuffing Attack and How You Can Prevent It


DESCRIPTION

Credential stuffing is the automated injection of breached username/password pairs in order to fraudulently gain access to user accounts. When hackers use credentials from organizations to log in and hijack customer accounts, not only will the company suffer revenue loss and brand damage, but their customers can, too. Read this ppt to learn how you can respond to such attacks and mitigate the risks.


Page 1: What Is Credential Stuffing Attack and How You Can Prevent It

What Is Credential Stuffing Attack and How You Can Prevent It?

With barely a blip in the cybersecurity world a decade ago, within a few months in 2018, “credential stuffing” unleashed a whopping 2.8 billion automated bot attacks in the USA. That equates to more than 115 million login attempts per day!

Victims of a credential stuffing attack can be harmed on multiple sites or accounts due to a snowball effect. For example, when someone reuses a password, or a variation of it, for other applications, a hacker who holds one leaked password can guess the others, making multiple hacks easy.

When hackers use credentials from organizations to log in and hijack customer accounts, not only will the company suffer revenue loss and brand damage, but their customers can, too.

In this blog, we will walk you through the credential abuse lifecycle and discuss the best ways to respond to attacks and mitigate damage to your business.

First things first.


Credential Stuffing:

Credential stuffing is a relatively new term. It describes the method of using a list of stolen credentials that were acquired during security breaches. Using these stolen user IDs and passwords, a criminal can then access numerous sites, usually through automated tools.

Consequence?

Cybercriminals take over accounts and commit widespread fraud against companies and their customers.

If you’re an organization, think of credential stuffing as a brute force attack that focuses on infiltrating accounts. A hacker needs skill to do this (or software from another skilled hacker). Once a hacker gets into the web application, they can crack open a company’s database, which carries millions of usernames, passwords, and other personally identifiable information. After a hacker gets all that data, they do major damage to countless people.

So what happens when you aren’t prepared for an attack?

Disastrous effects of credential stuffing:

● Increased security cost
● Lost revenue from downtime
● Remediation costs and fees
● Strain on call center and IT
● Customer mistrust and churn

As you can see, when a business suffers from stolen credentials, it can cost them dearly. In fact, it’s been reported that in the USA, credential stuffing costs businesses over $5 billion per year. Aside from that, cybercriminals also drain a company’s resources and reserves that should be spent elsewhere.

Examples of Recent Attacks

With new vulnerabilities and exploits discovered daily, it’s clear that cyberattacks are on the rise, and each attack seems more sophisticated than the last. Let’s look at a few recent examples:

● On July 24, 2019, British telco Sky announced that customer accounts had been locked due to a credential stuffing attack. As a safety precaution, Sky asked customers to follow a multi-step unlock-and-reset procedure.
● Dunkin’ Donuts (AKA Dunkin’) released a security notification in February 2019 stating that users of their DD Perks reward program were breached and hackers may have access to customer accounts. This marked the second attack in three months for this popular chain.
● State Farm, a US insurance giant, also suffered a credential stuffing attack in 2019. The company disclosed that the hacker was able to confirm several valid usernames and passwords from customer accounts.

How to Detect Credential Stuffing Attacks

The surge in automated credential theft shows that this is no longer a single-attacker operation. Today, hackers send armies of bots to issue thousands of commands, resulting in millions of stolen records. But it gets worse. In what has been called “the biggest collection of breaches” to date, billions of stolen records were compiled and shared for free on hacker forums, including data from Yahoo and LinkedIn.

So, how can you detect bot attacks? Here are the warning signs.

● Check for changes in site traffic, such as multiple login attempts on multiple accounts within a limited timeframe.
● Never overlook cases where you see a higher-than-usual login failure rate.
● Be aware of any recorded downtime caused by an increase in site traffic.


But beware: these bot detection techniques aren’t 100% effective. You’ll need extra protection, called bot screening, to stop these credential-stealing bots. Bot screening is a sophisticated screening technology for detecting malware on your devices. It’s built to monitor the telltale signs of bot activity, such as the number of attempts, the number of failures, access attempts from unusual locations, unusual traffic patterns, and unusual speed.

Luckily, you’ll find bot detection in a robust customer identity and access management (CIAM) solution. A CIAM platform will also provide device authentication and customer data protection.
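The first two warning signs above (many accounts tried from one source in a short window, and a login failure rate far above normal) can be checked directly in login logs. The following is an added example, not code from the original post or from LoginRadius; the log format, the one-minute window and the thresholds are assumptions, and the log lines are constructed.

```python
"""Scan login logs for the warning signs listed above (added example,
not code from the post or from LoginRadius). Log format, window size
and thresholds are assumptions; the log lines are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines: "<timestamp> <source_ip> <username> <OK|FAIL>".
SAMPLE_LOG = """\
2019-07-24T10:00:01 203.0.113.7 alice FAIL
2019-07-24T10:00:02 203.0.113.7 bob FAIL
2019-07-24T10:00:02 203.0.113.7 carol FAIL
2019-07-24T10:00:03 203.0.113.7 dave OK
2019-07-24T10:00:04 203.0.113.7 erin FAIL
2019-07-24T10:00:09 198.51.100.5 grace OK
2019-07-24T10:00:30 198.51.100.5 grace FAIL
2019-07-24T10:01:00 198.51.100.5 grace OK
"""

def parse_log(text):
    """Turn each line into (timestamp, ip, username, succeeded)."""
    events = []
    for line in text.splitlines():
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result == "OK"))
    return events

def flag_sources(events, window=timedelta(minutes=1),
                 min_accounts=5, min_attempts=5, max_fail_rate=0.5):
    """Return {source_ip: reason} for sources tripping a warning sign in any window."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in sorted(events):
        by_ip[ip].append((ts, user, ok))
    flagged = {}
    for ip, attempts in by_ip.items():
        start = 0
        for end in range(len(attempts)):
            # Slide `start` forward so attempts[start:end+1] all fit in `window`.
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            chunk = attempts[start:end + 1]
            accounts = {user for _, user, _ in chunk}
            fails = sum(1 for _, _, ok in chunk if not ok)
            if len(accounts) >= min_accounts:
                flagged[ip] = f"{len(accounts)} distinct accounts within {window}"
                break
            if len(chunk) >= min_attempts and fails / len(chunk) > max_fail_rate:
                flagged[ip] = f"failure rate {fails}/{len(chunk)} within {window}"
                break
    return flagged
```

On the sample, 203.0.113.7 is flagged for touching five accounts in four seconds, while the single user retrying from 198.51.100.5 is not.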


How Credential Stuffing Is Done

Want to know the methods behind the madness? In a nutshell, here’s a hacker’s process:

● Hacker gets stolen data: Criminals share or sell data on public websites and the Dark Web.
● Hacker utilizes data: Using stolen passwords and usernames, hackers attempt website logins.
● Hacker achieves goal: After gaining access to a victim’s site, hackers get more valuable information for more attacks, or to sell.

A Hacker’s Toolbox

Let’s peek at what hackers use to do their dirty deeds.

Step 1: Download a combo list

A combo list is a combined list of leaked credentials obtained from past corporate data breaches. These are often available for free within hacking communities or listed for sale in underground markets (Darkweb).

Step 2: Upload a credential stuffing tool

Sophisticated hackers develop plugins or tools called account checker tools. These contain custom configurations that can test lists of username/password pairs (i.e. “credentials”) against a target website. Hackers can attack sites either one by one or via tools that hit hundreds of sites at once.

Step 3: Analyze and access accounts

Hackers use account-checking software to successfully log into financial accounts.

Step 4: Export results from accounts

Match found. What’s next? When a match is found, they can easily view a victim’s account balance and gain access to cash, reward points, and/or virtual currencies.

Step 5: Steal funds and resell access

Because hackers use genuine user credentials, they gain undetected access. What follows is a full-fledged account takeover. Next, the attacker can drain the account in seconds and/or resell access to other cybercriminals.


How to Prevent Credential Stuffing

Preventing these attacks is possible. Keep your company safe and protect customer data by following these tips.

1. Block bots.

One of the most effective ways to differentiate real users from bots is with a captcha. It can provide defense against basic attacks.


But beware: solving captchas can also be automated. There are businesses out there that pay people to solve captchas by clicking on those traffic light pictures.

To counter this, a newer service, reCAPTCHA, has been released. You can choose between three available versions:

● The classic “I’m not a robot” checkbox
● An “invisible” box, displayed only for suspicious users
● A “V3” that evaluates users on reputation and behavior

2. Implement multi-factor authentication.

Multi-factor authentication (2FA or MFA) blocks 99.9% of account hacks. Of the two, MFA is more robust because it uses more methods to verify user identities. This makes MFA better at preventing credential stuffing attacks.

Here’s how multi-factor authentication works: a customer enters their password, and then must also verify their identity again before access is granted. A common example of 2FA is receiving a one-time code on your phone and using that to authenticate your identity. With MFA, a customer might get a code via text message plus an email, depending on how your company sets that up.

For this reason, multi-factor authentication makes it extremely difficult for hackers to execute credential stuffing attacks. The more obstacles you put in a hacker’s way, the safer your site will be.


3. Adopt a strong password guide.

For all of your password input fields, set password complexity rules such as length, character, or special character validation. If a customer’s password matches one from a data breach, they should get a warning to create a new password. Likewise, provide customers with tips on building stronger passwords during the password-creation process.

Giants like Facebook and Google have appointed teams that look for the latest leaks and notify users who have the same credentials. If you’d like to do the same, look into customer identity and access management (CIAM) software with a built-in password manager.
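Both halves of this tip, complexity validation and the breached-password warning, fit in one check at password-creation time. Added example, not code from the post or from LoginRadius: the breach lookup uses the hash-prefix approach (bucket by the first five hex characters of the SHA-1 hash and compare suffixes locally, so a full hash never has to be sent anywhere), and the breach corpus, rule set and minimum length are constructed assumptions.

```python
"""Password checks for tip 3 (added example, not LoginRadius code):
complexity rules plus a "seen in a breach" warning. The breach lookup
buckets by the first five hex chars of the SHA-1 and compares suffixes
locally against a constructed corpus; rules and lengths are assumptions."""
import hashlib
import re

def sha1_hex(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

# Constructed stand-in for a breach feed: hash prefix -> set of hash suffixes.
BREACHED = {}
for _pw in ("password", "123456", "qwerty", "letmein"):
    _h = sha1_hex(_pw)
    BREACHED.setdefault(_h[:5], set()).add(_h[5:])

RULES = [  # (what the password needs, regex that must match)
    ("an uppercase letter", r"[A-Z]"),
    ("a lowercase letter", r"[a-z]"),
    ("a digit", r"\d"),
    ("a special character", r"[^A-Za-z0-9]"),
]

def policy_problems(password, min_length=12):
    """Return the complexity rules the password fails (empty list = passes)."""
    problems = []
    if len(password) < min_length:
        problems.append(f"at least {min_length} characters")
    for name, pattern in RULES:
        if not re.search(pattern, password):
            problems.append(name)
    return problems

def is_breached(password, corpus=BREACHED):
    """Look up only the hash prefix, then compare the suffix locally."""
    h = sha1_hex(password)
    return h[5:] in corpus.get(h[:5], set())

def evaluate(password):
    """Warnings to show at password-creation time: missing rules and breach hits."""
    warnings = [f"needs {p}" for p in policy_problems(password)]
    if is_breached(password):
        warnings.append("matches a password exposed in a data breach; choose a new one")
    return warnings
```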

4. Disallow email addresses as user IDs

Email addresses and user IDs should not be the same. When a username is simply an email, the attacker can figure it out easily. Now all they have to do is crack the password, and they’ve got the credentials to do it.

Basically, using an email for a username makes a hacker’s job too easy. That’s why it’s wise to have content on your company’s site, or in newsletters and social media, that gives your customers tips on password security.

5. Set up risk-based authentication.

Risk-based authentication (RBA) calculates a risk score based on a predefined set of rules. These rules can relate to the login device, IP reputation, user identity details, geolocation, geo velocity, personal characteristics, data sensitivity, or a preset number of failed attempts. For high-risk scenarios, you should consider using this customizable password security solution.
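A small RBA engine built from the rule types just listed, as an added example that is not LoginRadius code: each rule an attempt trips adds a weight, and the total selects the response (allow, MFA step-up, or block). The weights, thresholds, the 0..1 IP reputation scale and the 1000 km/h geo-velocity limit are all assumptions.

```python
"""Risk-based authentication for tip 5 (added example, not LoginRadius code).
A login attempt is scored against predefined rules (unknown device, IP
reputation, new country, geo velocity, failed attempts); weights are assumptions."""
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt

@dataclass
class UserHistory:
    known_devices: frozenset
    usual_country: str
    last_lat: float
    last_lon: float
    last_login: float      # unix seconds of the last successful login

@dataclass
class LoginAttempt:
    device_id: str
    ip_reputation: float   # 0.0 clean .. 1.0 known-bad (assumed reputation feed)
    country: str
    lat: float
    lon: float
    timestamp: float       # unix seconds
    failed_attempts: int   # recent failures recorded for this account

def km_between(lat1, lon1, lat2, lon2):
    """Great-circle distance (haversine) in kilometres."""
    dlat, dlon = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371 * asin(sqrt(a))

def risk_score(attempt, history):
    """Sum the weights of every rule the attempt trips."""
    score = 0
    if attempt.device_id not in history.known_devices:
        score += 20                                  # login device never seen before
    if attempt.ip_reputation >= 0.7:
        score += 30                                  # poor IP reputation
    if attempt.country != history.usual_country:
        score += 15                                  # geolocation differs from the norm
    hours = max((attempt.timestamp - history.last_login) / 3600, 1 / 60)
    speed = km_between(history.last_lat, history.last_lon, attempt.lat, attempt.lon) / hours
    if speed > 1000:
        score += 25                                  # geo velocity: impossible travel
    if attempt.failed_attempts >= 5:
        score += 20                                  # preset number of failed attempts
    return score

def decide(score):
    """Map the score to the response: plain allow, MFA step-up, or block."""
    return "block" if score >= 60 else "step-up" if score >= 30 else "allow"
```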

6. Set up passwordless login.

As you’ve seen with risk-based authentication, organizations can create temporary account lockouts when a bad user breaks any rules. However, did you know that hackers can also deny you access to your own resources once they break in? That’s why companies also use passwordless authentication: it’s a safe way to authenticate a valid user for safe access into an account.

7. Use fingerprinting libraries.

Fingerprinting is the technique of gathering a combination of data points which, taken as a whole, cannot be duplicated elsewhere. There are common fingerprinting libraries with which you can collect client-side telemetry and start working on it right away.

With this data, you can map client similarities across large slices of traffic and surface suspicious patterns you’d otherwise have overlooked.


Conclusion

Credential stuffing is easy to perform, so its popularity with criminals will increase with time. Even if your business isn’t affected yet, you must protect your website and watch for all the red flags that we listed in this blog.

If you’re looking for a solution to help prevent credential stuffing, look into LoginRadius. Our platform is easy to deploy and provides robust security, including bot detection, multi-factor authentication, and other safeguards.