Anatomy of Credential Stuffing Attacks
Credential stuffing is the automated injection of usernames and passwords – usually obtained from security breaches – into login forms to gain access to user accounts. In credential stuffing, the usernames or email addresses and their passwords are stolen from one service and tried against others. The attack rests entirely on the assumption that people, predictable as they are, re-use passwords across their many accounts.
For example, a hacker might breach the databases of a department store, accessing email addresses and passwords of individual customers. With that information, he/she may proceed to use those credentials to attempt entry to bank accounts. The odds depend on how many of the stolen accounts have bank accounts with the same password, but, with the prominence of cybercrime, it’s a risk hackers are willing to take.
How is Credential Stuffing Different from Brute Force Attacks?
Credential stuffing is a subset of brute force attacks. Brute forcing is a trial-and-error technique that tries possible combinations until it guesses an account’s password. Longer passwords take longer to narrow down, but automated tools such as bots hasten the process, completing in seconds what no human could do in years. Credential stuffing, on the other hand, does not guess at all. It merely replays credentials obtained from other cybercrimes – phishing, lists of previously stolen passwords, etc. – and proceeds from there. In popular slang, phishers and brute force attackers ran so that credential stuffers could walk.
How Effective is Credential Stuffing?
The simple answer is that it is not very effective. It would be unwise, however, to disregard the practice altogether. Statistical estimates put the success rate of credential stuffing at roughly 0.1-0.2%. This means that only one or two will succeed out of every thousand username-password or email-password combinations. The low success rate does not mean we are out of the woods, though. You could be the one in a thousand who is harmed.
Your credentials could also be used on several other websites and services to which you have subscribed. Once they’re in your account, the hackers may take it over, potentially using it to further their scams. If not identified and stopped, credential stuffing could end up destroying your reputation and placing you on the authorities’ radar. You wouldn’t want to risk that, right?
Below are the precautions to take in order to stay safe from the consequences of credential stuffing.
Why Credential Stuffing Persists Without Definite Reward
Below are some of the primary reasons that credential stuffing persists as a route for hackers and why it is progressively becoming a preferred method of attack.
People tend to re-use passwords
Let’s be honest. It is difficult to maintain a unique password for every account. Defeatedly clicking on “Forgot my password” links on numerous sites and having to reset access is a tedious task.
Low-cost entry and high returns
Credential stuffing is a game of numbers, and, if I say so myself, a potentially profitable one. Programmed bots can run up to 100,000 credentials in minutes, and, even at a success rate of one in a thousand, that still yields 100 valid accounts. Suppose 20 of those people use the same password for their bank account. The hackers could steal far more than it cost them to set up and run their bots.
It’s gaining popularity due to higher numbers of attack reporting
OWASP reports on a series of high-profile credential stuffing attacks that focused on large-scale businesses. Among them were the Sony breach, the Yahoo and Dropbox breaches, and the JPMC breach.
Username-password remains a standard access identity mechanism
Existing systems, and all those to come, share one constant standard. Even in systems that add extra features such as biometric access and 2FA, the username-password pair is always present. Unfortunately, authentication that verifies what the user ‘knows’ is at a higher risk of attack than authentication based on what the user ‘is.’
How to Keep Safe from Credential Stuffing
Far too often, credential stuffing succeeds because of poor human behavior, so let’s compare mitigation tactics for personal accounts, corporate users, and corporate services.
Personal accounts
Personal safety mechanisms are pretty straightforward. All you have to do is NOT use the same password across websites. The most convenient way to keep track of them is a password manager. Even if one of your accounts gets compromised, you can rest easy, knowing there won’t be a domino effect impacting your other accounts. It is also a good idea to enable two-factor authentication on your accounts wherever it is available.
Corporate users
Corporate users can rely on similar methods as with personal accounts; however, security departments cannot afford to rely solely on their employees’ skills and efforts. The best and most important approach is to educate users. The only roads to success are raising awareness and providing best practices for password strength, multi-factor usage, and the use of company-related accounts. Education alone is not sufficient, though: accounts belonging to corporate users may contain critical business or personal data, so their protection should be prioritized the same way local accounts and services are. Corporate password managers can support individual efforts, but it is also necessary to have visibility into, and control over, how accounts and passwords are actually used by employees.
Corporate services
For companies, the process is more robust and demanding, considering they run authentication for customers. The organization can suggest that customers use new and different passwords, but it cannot enforce the rule. Another standard measure for enterprises is two-factor authentication for critical account access. CAPTCHA challenges also help distinguish real users from bots programmed to break into systems. It is worth noting that a company victimized by credential stuffing has not necessarily had its own security compromised. Every secure protocol could be implemented perfectly, and a hacker could still attack you personally by posing as you, with all the credentials required for access.
These are the strongest protection methods for businesses in regards to credential stuffing so far:
- Bot management – Companies are buying bot management services that use rate limiting and detection of non-residential IP traffic to stop bots from impersonating real customers.
- IP blacklisting – Any group of hackers has a limited pool of IP addresses. Another effective countermeasure to stuffing attempts is sandboxing IP addresses that try to log into more than one account. A company can also monitor the IP addresses that have previously accessed an account and filter out traffic from an IP suspected of belonging to a bot.
- Stop using email addresses as user IDs – This is the simplest one, yet so important. As explained in the introduction, credential stuffing preys on the use of the same account identifier across websites. Most web-hosted services require email addresses as IDs because they are unique to every person. Preventing users from using their email address as their ID at your company significantly reduces the chance of a re-used user/password combination working against it.
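As an added illustration of the IP-based countermeasures above (this is not code from the original article or from Scirge), the following Python sketch flags source IPs that attempt logins against many distinct accounts with a high failure ratio inside a short window, the pattern that rate limiting and IP sandboxing act on. The log format, addresses and thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample login-audit lines (not real data): "<ISO timestamp> <source ip> <username> <OK|FAIL>"
SAMPLE_LOG = """\
2024-01-10T09:00:01 203.0.113.5 alice@example.com FAIL
2024-01-10T09:00:02 203.0.113.5 bob@example.com FAIL
2024-01-10T09:00:02 203.0.113.5 carol@example.com FAIL
2024-01-10T09:00:03 203.0.113.5 dave@example.com OK
2024-01-10T09:00:03 203.0.113.5 erin@example.com FAIL
2024-01-10T09:00:04 203.0.113.5 frank@example.com FAIL
2024-01-10T09:00:10 198.51.100.7 alice@example.com FAIL
2024-01-10T09:00:25 198.51.100.7 alice@example.com OK
2024-01-10T09:05:00 192.0.2.9 grace@example.com OK
"""

# Assumed thresholds: a single client touching this many distinct accounts in a short
# window, with mostly failed attempts, looks like a stuffing list rather than a typo.
WINDOW = timedelta(minutes=5)
MIN_DISTINCT_USERS = 5
MIN_FAILURE_RATIO = 0.6

def parse_line(line):
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user, result == "OK"

def detect_stuffing(log_text):
    """Return {ip: stats} for source IPs whose attempts inside some WINDOW span
    at least MIN_DISTINCT_USERS accounts with a failure ratio >= MIN_FAILURE_RATIO."""
    events = sorted(parse_line(l) for l in log_text.splitlines() if l.strip())
    by_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        by_ip[ip].append((ts, user, ok))
    flagged = {}
    for ip, attempts in by_ip.items():
        start = 0
        for end in range(len(attempts)):
            # advance the window start so attempts[start..end] all fall within WINDOW
            while attempts[end][0] - attempts[start][0] > WINDOW:
                start += 1
            window = attempts[start:end + 1]
            users = {user for _, user, _ in window}
            failures = sum(1 for _, _, ok in window if not ok)
            ratio = failures / len(window)
            if len(users) >= MIN_DISTINCT_USERS and ratio >= MIN_FAILURE_RATIO:
                # a later qualifying window overwrites an earlier one for the same IP
                flagged[ip] = {"attempts": len(window), "distinct_users": len(users),
                               "failure_ratio": round(ratio, 2)}
    return flagged
```

Calling `detect_stuffing(SAMPLE_LOG)` flags only 203.0.113.5 (six accounts, five failures in a few seconds); the client that fails once and then succeeds on its own account is left alone, which is the distinction a rate limiter needs to make.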
About Scirge
Scirge provides a unique approach to uncovering and gaining control over unmanaged third-party web accounts. Scirge tracks the websites on which employees use corporate email addresses to register and log in. A central dashboard of discovered accounts helps reduce the risk of credential-related threats such as password reuse or account takeover (ATO). Scirge gives a level of control over SaaS usage to overcome Shadow IT. It also helps ensure that your company complies with GDPR, CCPA, and other audit requirements.