Cybersecurity: 4 Proven Methods to Prevent Credential Staffing

Credential stuffing is an emerging security threat that involves bots making high-volume login attempts with stolen user credentials to execute catastrophic account hijacking and takeovers.

Password reuse is what enables credential stuffing attacks. 

Credential stuffing attack forced Reddit to reset their user passwords. The company locked users’ account and implored them to reset their passwords and employ a two-way authentication security method. Just the beginning of 2019, and we see a cyber-attack already.

Hackers are hungrily waiting for customer data. We know this sad truth, yet most of us fail to follow a good Internet practice. Often we see warnings popping up while setting up a new account on any login page, which alerts us about the strength of the set passwords. Ignoring all the warnings, most of us still use the same credentials across multiple accounts or just enter the simplest password, say 123456. These poorly-crafted login credentials become one of the ways for malicious actors to execute their illegal activities. Let’s explore how:

What is credential stuffing? When a data breach occurs, customer’s personal identifiable information is being compromised, which includes their login credentials also. Take the example of Linkedin’s 2012 security incident. In the wake of this security breach, the company lost 167 million account credentials.

The spilled credentials are then used by hackers to execute their malicious agenda. They simply set an algorithm or design bots to test these breached credentials on a series of online applications. Due to the majority of reused and poor passwords, there is always a probability of 2 percent success rate for account takeovers.

Successful logins will enable hackers to carry out illicit activities, ranging from robbing credit card details to purchasing items of their choice to stealing medical data, and so much more. Not only customers but organizations also have to face major financial loss. According to Akamai’s report, “the total cost associated with credential stuffing, including fraud-related losses, operational security, application downtime, and customer churn can range from 6 million to 54 million dollars annually.” How do businesses keep their customer login details safe? How would they know whether the login request is a legitimate one? As businesses fail to recognize the traffic coming in from a bad bot, they happen to give access to bad actors. Whom to blame? Is it organizations, who fail to distinguish a legitimate person from a software program, or is it customers who do not set strong and unique passwords? Well, actually both. But considering the organization’s angle, credential stuffing attack is so stealthy that it requires sophisticated tools to spot and guard against it. Fortunately, credential stuffing attacks are not carried out manually. This is probably one of the best chances to step in the battleground for defending against this attack.

How to mitigate credential stuffing attacks? Over the past few years, hackers have evolved in carrying out malicious activities. Earlier, bots were programmed by simple scripts. These scripts were easily detectable by hunting down cookies. But as today’s sophisticated bots imitate the web browser, it becomes difficult for a bot management application to detect and distinguish between bad bots and good bots.

Similarly, credential stuffing attacks are difficult to detect. Organizations should, therefore, adopt advanced bot detection techniques like JavaScript challenge, device fingerprinting, and behavior-based detection systems.

• JavaScript challenge - JavaScript codes are added to the HTML page of the browser. When the page is loaded, the JavaScript code also executes. The technique, JavaScript challenge is later used to detect if the traffic coming in is able to execute the JavaScript code. If the traffic is not able to execute the code, then it is considered as illegitimate. Such a technique solves the problem of sophisticated bots that emulates browsers.
  
  
• Browser/Device/machine fingerprinting - Browser fingerprinting is one of the robust techniques that gather information about the browser. Every little information, right from its version to its type to active plugins to set language and font to other such characteristics is collected with the help of this method. A bot management solution will then easily monitor the browser fingerprint to detect malicious intent of the client. The solution can identify whether the client is actually a bot striving to trick an authorized browser.
  
  
• Behavior-based detection systems - This is one of the most-sophisticated bad bot detection solutions. It accumulates and monitors customer inputs, behavior, and interactions, ranging from a mouse hover to keyboard strokes to site navigation to mouse clicks and so much more. This data is then fed to a bot management solution, which uses ML capabilities to identify a bad bot. For example, it is obvious that straight lines are difficult to be perfectly drawn with a mouse. Cases like this itself paints a story that the operator isn’t a human but a bot.

To successfully manage and prevent credential stuffing, not only organizations but also users should equally dip their feet in the ocean of responsibility. Here are 4 proven methods to prevent credential staffing. 

1. Use Unique and Strong Passwords For Every Account

Crafting hard-to-crack passwords might be an annoying task, but it has now become the need of an hour. Never ever set a password that contains birthdates, anniversary dates, or simply your name. Hackers can easily find this information with a little digging. Ensure that the passwords are 8-10 characters long. Always use a combination of a wide variety of character types, including uppercase and lowercase letters, numbers, special characters, spaces or underscores, and so on. Then you can keep your passwords safe by using a self hosted password manager. It lets you host your passwords in your own server on your own network, behind your own firewalls, and on your own network.

2. Do Not Share Your Email Address in Sign Ups and Store Passwords with a Password Manager Application

Employees should refrain from using their corporate email address to sign up for websites. Don’t store passwords at places in your computer system where it can be easily viewed and accessed by hackers. Also, never say out your passwords loud to anyone. Start using a password manager application, that allows you to store, manage, and secure passwords for multiple accounts. These passwords are stored in an encrypted manner, which means that all your passwords are safe and secure. But, the only thing you need to keep in mind is to have a very strong password for your password manager application.

3. Protect Your Accounts With Two-Way Authentication

Two-way authentication method is one of the most powerful ways to mitigate the risks of attacks. You enter the login credentials, wait for the code sent to your email address or phone number, and then input the same code. Such a validation methodology double verifies the user, thus making hacker’s job difficult.