You wake up and get into your morning routine. You log in to your social media for a few laughs, you go on about your day. You beat the traffic and are at work, you send an email to your colleague—next, you realize you need an upgrade for your project management tool so you go ahead and approve an online payment for it—you found an article which claimed to provide a report to the newest strategy trends for your business, you provide your details and download the report.
Throughout the day you log in to multiple websites and applications. In your digital history, you leave your trace everywhere you go, making multiple accounts with either the same password or passwords with insignificant tweaks.
In this process, as a digital necessity, you leave a trail of information everywhere. Once such information is compromised, you are left as an open target for a sea of cyber-attacks.
This process is taken advantage of by the cyber-attack—credential stuffing.
What is credential stuffing?
Credential stuffing is when attackers obtain a large number of stolen credentials and “stuff” them on login servers using automated tools.
This is done in an attempt to break open several accounts.—as a result, further launching attacks with intentions of stealing identities to deepen their roots in the organization to impersonate someone, which is eventually done to steal either data or money.
This strategy is mainly reliant on the predictability of human behavior – the attributes of which span repeating passwords and trusting third-party websites.
How is credential stuffing done?
Credential stuffing does not require a lot of resources and often, credentials are obtained easily as they are abundantly available for sale on dark web platforms, and at times credentials can be bought for as low as $10. Hackers would also have access to software apps that automate the login attempts (several of which are free), and proxy servers to stay below the radar of systems detecting multiple logins from the same IP address.
During the second half of 2018 alone, 28 Billion log in attempts for credential stuffing were made, this number is ever-increasing and doesn’t show signs of slowing down with all the data at the hands of hackers today.
Yet, what it does require is patience to automate the logins of millions of credentials to see which one lets them breach the system. Out of million credentials at the disposal of hackers, there is only a 0.1 to 2% chance of finding a match to the account in the system. These logins are bounced around the web to ensure they look like they are coming from various IP addresses and alter the login request properties to ensure they seem like they are from a myriad of browsers.
As a further measure to stay out of sight, hackers follow the “low and slow” method. Here, they only make a couple of logins every hour which does not alarm the security systems.
Credential stuffing is a long process that utilizes the credentials obtained from the various sources made available due to data breaches and phishing attacks. The organization is unaware of an attack taking place until it is too late to recover from it, resulting in organizations losing their credibility, trust from the customers and not to mention, significant money.
The stolen account information is further taken advantage of, on multiple levels. From the credentials obtained, purchases are made through the user’s credit card information often taken from e-commerce websites. In addition, stolen media service accounts are targeted for pirate resells, online payment wallets utilized to empty the user’s wallet amount….. it’s rather an unfortunate set of ways to take advantage of users.
All of this is solely dependent on taking advantage of a user’s liability and their risky security behavior.
Why does this happen?
• Poor password hygiene: Most of us fall under the category of repeating our passwords. Is your password related to personal information that may or may not be available easily? Are your other passwords mirrors of the same password with minor changes? Given how on average, each one of us has 90 online accounts, it is quite impossible to remember 90 unique passwords. Unfortunately, credential stuffing bets on this very error-prone human behavior and utilizes it to its advantage.
• Human error: Credential stuffing attacks are further deepened by stealing identities of the accounts matched with their credentials and launch series of spear-phishing attacks. Once this identity is stolen, the hacker impersonates the user to seek information from trusted accounts associated with this identity. The hacker may send an email that requires emergency action, and since the email is coming from a trusted source, the recipient may click on the link provided and divulge sensitive information.
• Credential breaches: Data breaches are a mainstream headline feature every other day now. A recent data breach allowed hackers to obtain 117 million passwords which were later sold on the dark web. Furthermore, all these passwords and usernames, have been combined with credentials obtained from prior breaches and made into a mammoth of stolen data. This combined stolen data of 2.2 billion credentials have been openly given away on sources like torrents. The hackers today don’t even have to pay a price to obtain your data, it’s given to them on a platter!
What can you do to prevent credential stuffing?
• Empower your users with an efficient password manager which can transform your password security and keep you prepared for an attack. This also lets you provide more stringent password creation criteria, eliminating risky human behavior with passwords.
• Educate your users with the best practices of password hygiene and the ways to deal with malicious emails. Your users must be aware of ways to handle suspicious emails and understand the risks associated with willingly providing information to third-party sites without verifying the authenticity of the said sites.
• Use a well-rounded Multi-Factor Authentication tool. Today, even Two-Factor Authentication may not cut it. You should obtain solutions that consider factors like location, time, IP address, time, role, and personal information while verifying a login attempt and block users based on unusual behavior – a step that can detect and prevent a possible attempt at credential stuffing.
Today, data is the digital asset we have–it is being sold, distributed, hacked, and impersonated. As hackers get more skilled with easier access to resources, it is equally important that organizations get smarter with new technology adoptions and mandate best practices.
Are you ahead of your hacker?
