Cyber Security: How to Prevent Credential Stuffing Attacks

Cyber Security: How to Prevent Credential Stuffing Attacks

Naveen Joshi 14/05/2019 2

Beware of an emerging security threat: Credential stuffing. This involves bots making high-volume login attempts with stolen user credentials to execute catastrophic account hijacking and takeovers.

A credential stuffing attack forced Reddit to reset their user passwords. The company locked users’ account and implored them to reset their passwords and employ a two-way authentication security method. 2019 witnessed the rise of spectacular cyber-attacks. 

Hackers are hungrily waiting for customer data. We know this sad truth, yet most of us fail to follow a good Internet practice. Often we see warnings popping up while setting up a new account on any login page, which alerts us about the strength of the set passwords. Ignoring all the warnings, most of us still use the same credentials across multiple accounts or just enter the simplest password, say 123456. These poorly-crafted login credentials become one of the ways for malicious actors to execute their illegal activities. Let’s explore how: 

What is credential stuffing? When a data breach occurs, customers' personal identifiable information are compromised, this also include their login credentials. Take the example of Linkedin’s 2012 security incident. In the wake of this security breach, the company lost 167 million account credentials

The spilled credentials are then used by hackers to execute their malicious agenda. They simply set an algorithm or design bots to test these breached credentials on a series of online applications. Due to the majority of reused and poor passwords, there is always a probability of 2 percent success rate for account takeovers

Successful logins will enable hackers to carry out illicit activities, ranging from robbing credit card details to purchasing items of their choice to stealing medical data, and so much more. Not only customers but organizations also have to face major financial loss. According to Akamai’s report, “the total cost associated with credential stuffing, including fraud-related losses, operational security, application downtime, and customer churn can range from 6 million to 54 million dollars annually.” How do businesses keep their customer login details safe? How would they know whether the login request is a legitimate one? As businesses fail to recognize the traffic coming in from a bad bot, they happen to give access to bad actors. Whom to blame? Is it organizations, who fail to distinguish a legitimate person from a software program, or is it customers who do not set strong and unique passwords? Well, actually both. But considering the organization’s angle, credential stuffing attack is so stealthy that it requires sophisticated tools to spot and guard against it. Fortunately, credential stuffing attacks are not carried out manually. This is probably one of the best chances to step in the battleground for defending against this attack. 

How to mitigate credential stuffing attacks? Over the past few years, hackers have evolved in carrying out malicious activities. Earlier, bots were programmed by simple scripts. These scripts were easily detectable by hunting down cookies. But as today’s sophisticated bots imitate the web browser, it becomes difficult for a bot management application to detect and distinguish between bad bots and good bots.

No alt text provided for this image

Similarly, credential stuffing attacks are difficult to detect. Organizations should, therefore, adopt advanced bot detection techniques like JavaScript challenge, device fingerprinting, and behavior-based detection systems.

  • JavaScript challenge - JavaScript codes are added to the HTML page of the browser. When the page is loaded, the JavaScript code also executes. The technique, JavaScript challenge is later used to detect if the traffic coming in is able to execute the JavaScript code. If the traffic is not able to execute the code, then it is considered as illegitimate. Such a technique solves the problem of sophisticated bots that emulates browsers.

  • Browser/Device/machine fingerprinting - Browser fingerprinting is one of the robust techniques that gather information about the browser. Every little information, right from its version to its type to active plugins to set language and font to other such characteristics is collected with the help of this method. A bot management solution will then easily monitor the browser fingerprint to detect malicious intent of the client. The solution can identify whether the client is actually a bot striving to trick an authorized browser.

  • Behavior-based detection systems - This is one of the most-sophisticated bad bot detection solutions. It accumulates and monitors customer inputs, behavior, and interactions, ranging from a mouse hover to keyboard strokes to site navigation to mouse clicks and so much more. This data is then fed to a bot management solution, which uses ML capabilities to identify a bad bot. For example, it is obvious that straight lines are difficult to be perfectly drawn with a mouse. Cases like this itself paints a story that the operator isn’t a human but a bot.

To successfully manage and prevent credential stuffing, not only organizations but also users should equally dip their feet in the ocean of responsibility. 

Share this article

Leave your comments

Post comment as a guest

terms and condition.
  • John Foley

    This is the era of hackers

  • Megan Crump

    We need a stronger cyber police

Share this article

Naveen Joshi

Tech Expert

Naveen is the Founder and CEO of Allerin, a software solutions provider that delivers innovative and agile solutions that enable to automate, inspire and impress. He is a seasoned professional with more than 20 years of experience, with extensive experience in customizing open source products for cost optimizations of large scale IT deployment. He is currently working on Internet of Things solutions with Big Data Analytics. Naveen completed his programming qualifications in various Indian institutes.

Cookies user prefences
We use cookies to ensure you to get the best experience on our website. If you decline the use of cookies, this website may not function as expected.
Accept all
Decline all
Read more
Tools used to analyze the data to measure the effectiveness of a website and to understand how it works.
Google Analytics