Recently a global financial organization was the victim of a data breach that exposed its customers’ personal information. On discovering the incident, the firm blocked online access to the impacted accounts as a countermeasure, to prevent further unauthorised entry. The information the attackers accessed included account data such as account numbers, balances and transaction histories, and personal data such as names, mailing addresses, phone numbers and email addresses. Expert analysis of the incident concluded that the breach had all the characteristics of a “credential stuffing attack.”
What is a credential-stuffing attack?
Credential stuffing is the automatic injection of stolen username and password pairs (“credentials”) into website login forms to fraudulently access user accounts.
Since many users repeatedly use the same password and username/email, submitting those sets of stolen credentials to other websites can also enable an attacker to compromise those accounts. This can happen when those credentials are exposed (for example, by a database breach or phishing attack).
Credential stuffing is a subset of brute-force attacks. In a brute-force or password-guessing attack, many passwords are tried against one or more accounts. Using known (breached) login and password pairs against other websites is what is known as “credential stuffing.”
Now, let’s go back to the case study mentioned at the beginning.
The case study is intriguing because it highlights how vulnerable passwords are. The human factor will always be a vulnerability, even when a business has a strong password policy in place (routinely changing passwords, requiring unique characters, and so on).
The financial organization’s account details could have been obtained by cybercriminals using various methods. One common way is using Dark Web resources to get password and login combinations. These illegal websites gather databases of credentials that have been stolen or leaked, and then sell them to anyone willing to pay. A strong password will not prevent a credential stuffing attack, because the attack uses the account’s legitimate password.
The industry has developed several defences against the threat of credential stuffing. Let’s discuss a few.
Multi-Factor Authentication (MFA)
The best safeguard against credential stuffing is requiring users to authenticate using something they have in addition to something they know. Attacker bots cannot present a physical authentication factor such as a phone or access token. It is often impractical to mandate Multi-Factor Authentication across an entire user base, so MFA should be combined with other methods.
Blocking or sandboxing IPs that attempt to log into numerous accounts is another useful defence because attackers often have limited IP addresses. To minimise false positives, you can keep track of the last few IPs used to access a particular account and compare them to the suspected malicious IP.
Rate-limit non-residential traffic sources
It is easy to identify traffic from commercial data centres, such as Amazon Web Services. This traffic should be handled considerably more carefully than that of regular users, because it almost certainly comes from bots. Set strict rate limits and ban or block IPs that exhibit unusual behaviour.
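The two defences above (flagging sources that touch many accounts, with the account’s recent IPs as a false-positive filter, and holding data-centre traffic to a stricter limit) can be combined in one detector. The following is an added illustration, not code from the original post; the address ranges, account histories and login events are constructed sample data.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed placeholder for commercial data-centre address space (a real deployment
# would load the providers' published ranges or a reputation feed).
DATACENTER_NETS = [ip_network("203.0.113.0/24")]

# Constructed "last few IPs seen for this account" history, as the text suggests keeping.
KNOWN_IPS = {"alice": {"198.51.100.7"}, "bob": {"198.51.100.8"}}

# Constructed login events: (timestamp in seconds, source IP, account, success flag).
SAMPLE_EVENTS = [
    (1000, "203.0.113.10", "alice", False),   # data-centre source cycling through accounts
    (1010, "203.0.113.10", "bob", False),
    (1020, "203.0.113.10", "carol", True),
    (1005, "198.51.100.7", "alice", False),   # alice's usual address, mistyped password
    (1006, "198.51.100.7", "alice", True),
    (1008, "198.51.100.7", "bob", False),     # one other account from that address
    (2000, "192.0.2.5", "dave", True),        # shared residential address, four accounts
    (2010, "192.0.2.5", "erin", True),
    (2020, "192.0.2.5", "frank", True),
    (2030, "192.0.2.5", "grace", True),
]

def is_datacenter(ip):
    """True when the address falls inside a known data-centre range."""
    addr = ip_address(ip)
    return any(addr in net for net in DATACENTER_NETS)

def flag_stuffing_sources(events, window=300, residential_limit=5, datacenter_limit=2,
                          known_ips=KNOWN_IPS):
    """Return {source_ip: accounts} for sources that tried more distinct accounts than
    their limit within any sliding window of `window` seconds. Attempts from an address
    the account has used before are not counted, so an owner's retries are not flagged."""
    attempts = defaultdict(list)
    for ts, ip, user, _ok in events:
        if ip in known_ips.get(user, set()):
            continue
        attempts[ip].append((ts, user))
    flagged = {}
    for ip, items in attempts.items():
        items.sort()
        limit = datacenter_limit if is_datacenter(ip) else residential_limit
        start = 0
        for end in range(len(items)):
            while items[end][0] - items[start][0] > window:
                start += 1
            users = {u for _, u in items[start:end + 1]}
            if len(users) > limit:
                flagged[ip] = users
                break
    return flagged
```

On the sample data only the data-centre source is flagged; alice's repeated logins from her usual address and the shared residential address stay under their limits.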
Stop Using Headless Browsers
Disallow email addresses as User IDs
The practice of “credential stuffing” depends on using the same usernames or account IDs across different services. This is far more likely to occur if the ID is an email address. Users are much less likely to use the same username and password combination on another website if you forbid them from using their email address as an account ID.
Skillmine helps businesses overcome all the authentication challenges by shifting away from the password paradigm through a unique solution, the Authenticator. It centralizes authentication and simplifies access management across multiple applications in an organization. Authenticator removes the need for users to remember and manage multiple passwords.