Credential stuffing is an emerging security threat in which bots make high-volume login attempts with stolen user credentials to hijack and take over accounts.
Password reuse is what enables credential stuffing attacks.
A credential stuffing attack forced Reddit to reset its users’ passwords. The company locked the affected accounts and urged users to reset their passwords and enable two-factor authentication. 2019 has barely begun, and we already have a cyber-attack to talk about.
Hackers are hungrily waiting for customer data. We know this sad truth, yet most of us fail to follow good Internet practice. We often see warnings pop up while setting up a new account, alerting us about the strength of the password we have chosen. Ignoring those warnings, most of us still use the same credentials across multiple accounts, or simply enter the easiest password possible, say 123456. These poorly crafted login credentials become one of the ways for malicious actors to carry out their illegal activities. Let’s explore how.
What is credential stuffing?
When a data breach occurs, customers’ personally identifiable information is compromised, and that includes their login credentials. Take LinkedIn’s 2012 security incident: in the wake of that breach, the company lost 167 million account credentials.
Hackers then use the spilled credentials to carry out their malicious agenda. They simply write scripts or build bots that try the breached credentials against a series of online applications. Because so many passwords are reused or weak, these attempts achieve a success rate of roughly 2 percent for account takeovers.
Successful logins let hackers carry out illicit activities, from stealing credit card details and buying items of their choice to stealing medical data, and much more. Not only customers but organizations too face major financial loss. According to Akamai’s report, “the total cost associated with credential stuffing, including fraud-related losses, operational security, application downtime, and customer churn can range from 6 million to 54 million dollars annually.” How do businesses keep their customers’ login details safe? How can they know whether a login request is legitimate? When a business fails to recognize traffic coming from a bad bot, it ends up granting access to bad actors. Whom to blame? The organizations, which fail to distinguish a real person from a software program, or the customers, who do not set strong and unique passwords? Actually, both. From the organization’s side, a credential stuffing attack is stealthy enough that sophisticated tools are needed to spot it and guard against it. Fortunately, credential stuffing attacks are automated rather than carried out manually, and that automation leaves patterns a defender can look for. This is probably one of the best opportunities to step onto the battleground and defend against this attack.
How to mitigate credential stuffing attacks?
Over the past few years, hackers have evolved in how they carry out malicious activities. Earlier, bots were simple scripts, and because such scripts did not behave like a browser, they were easy to detect with checks such as cookie handling. Today’s sophisticated bots imitate a real web browser, which makes it much harder for a bot management application to distinguish bad bots from good bots.
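As an added illustration of the detection side (example code written for this page, not code from the original article), the following Python scans a constructed authentication log for the pattern described above: one source trying many distinct usernames in a short window with a very low success rate, which is what an automated credential stuffing run looks like, while a real user retrying their own password does not trip the rule. The log format, IP addresses and usernames are all constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log (not real traffic): one source tries ten different
# accounts in ten seconds with a single success; a real user fumbles one login.
USERS = ["alice", "bob", "carol", "dave", "erin", "frank", "grace", "heidi", "ivan", "judy"]
SAMPLE_LOG = "\n".join(
    f"2019-01-10T10:00:{i:02d} 203.0.113.7 {u} {'OK' if u == 'dave' else 'FAIL'}"
    for i, u in enumerate(USERS)
) + """
2019-01-10T10:03:10 198.51.100.4 alice FAIL
2019-01-10T10:03:25 198.51.100.4 alice FAIL
2019-01-10T10:03:40 198.51.100.4 alice OK
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (OK|FAIL)$")

def parse_log(text):
    """Return (timestamp, source_ip, username, success) tuples; skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, ip, user, result = m.groups()
            events.append((datetime.fromisoformat(ts), ip, user, result == "OK"))
    return events

def stuffing_sources(events, window=timedelta(minutes=5), min_users=5, max_success=0.2):
    """Flag source IPs that, inside one sliding window, try at least `min_users`
    distinct usernames with a success ratio of at most `max_success`.
    A single user retrying their own password never trips this rule."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        by_ip[ip].append((ts, user, ok))
    flagged = {}
    for ip, attempts in by_ip.items():
        attempts.sort()
        start = 0
        for end in range(len(attempts)):
            while attempts[end][0] - attempts[start][0] > window:
                start += 1  # drop attempts that fell out of the window
            chunk = attempts[start:end + 1]
            users = {u for _, u, _ in chunk}
            successes = sum(ok for _, _, ok in chunk)
            if len(users) >= min_users and successes / len(chunk) <= max_success:
                if ip not in flagged or len(chunk) > flagged[ip]["attempts"]:
                    flagged[ip] = {"attempts": len(chunk), "distinct_users": len(users), "successes": successes}
    return flagged
```

Running `stuffing_sources(parse_log(SAMPLE_LOG))` flags only 203.0.113.7, with ten attempts across ten accounts and one success; the thresholds are starting points to tune against your own traffic.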
To successfully manage and prevent credential stuffing, organizations and users alike must share the responsibility. Here are 4 proven methods to prevent credential stuffing.
Crafting hard-to-crack passwords might be an annoying task, but it has become the need of the hour. Never set a password that contains birthdates, anniversary dates, or simply your name; hackers can find this information with a little digging. Ensure that passwords are 8-10 characters long, and always use a mix of character types, including uppercase and lowercase letters, numbers, special characters, spaces or underscores, and so on. You can then keep your passwords safe with a self-hosted password manager, which lets you store your passwords on your own server, on your own network, behind your own firewalls.
Employees should refrain from using their corporate email address to sign up for websites. Don’t store passwords in places on your computer where hackers can easily view and access them, and never say your passwords out loud to anyone. Start using a password manager application that lets you store, manage, and secure passwords for multiple accounts. These passwords are stored in encrypted form, so they stay safe and secure. The one thing to keep in mind is to protect the password manager itself with a very strong password.
Two-factor authentication is one of the most powerful ways to mitigate the risk of attack. You enter your login credentials, wait for a code sent to your email address or phone number, and then input that code. This validation method verifies the user twice, which makes the hacker’s job much harder.
One of the basic ways to defend against credential stuffing attacks is to set unique passwords and change them regularly. Never use the same password across multiple accounts.
So far, we have seen that sophisticated bot detection techniques are already available in the market. We have, no doubt, improved technologies for enhancing cybersecurity. Unfortunately, hackers’ efforts to carry out harmful activities will never cease. Hence, while crafting a bot management strategy, organizations should first and foremost consider the existing and upcoming bad bot activity and landscape in order to stay ahead of malicious acts. A holistic cybersecurity approach will not only secure organizations from bad actors but will help them build strong customer relationships too.
Naveen is the Founder and CEO of Allerin, a software solutions provider that delivers innovative and agile solutions that automate, inspire and impress. He is a seasoned professional with more than 20 years of experience, including extensive experience in customizing open source products to optimize the cost of large-scale IT deployments. He is currently working on Internet of Things solutions with Big Data Analytics. Naveen completed his programming qualifications at various Indian institutes.