Neutralizing the Latest Cyber Attack: A Guide to Credential Stuffing Prevention



If you have watched any spy movies or movies where thieves are portrayed as heroes (there is no shortage of them, unfortunately), you might be familiar with the concept of a "master key." A master key is supposed to open a wide variety of locks, each of which has its own unique key.

The less glamorous and more practical application of master keys can be found in hotels and large residential buildings. The hotel or building manager has a master key that they can use to open any door if the original key is lost or they need to get in when the original key-holder isn’t available. And even though physical locks and keys are being replaced by electronic door locks and keycards, the concept of master keys is still there.

This concept of a master key can be used to explain credential stuffing.

1. What Is Credential Stuffing?

2. Credential Stuffing vs Brute Force vs Password Spraying

3. The Scope Of The Problem

4. How To Protect Your Business From Credential Stuffing Attack

5. 2FA or MFA

6. Unique ID/Password For Your Website

7. Unique Passwords And Password Manager

8. Bot Management

9. Finger-Printing User Devices

10. Blocking Headless Browsers

11. Keep An Eye On Stolen Credentials

12. Passwordless Authentication

13. Conclusion


What Is Credential Stuffing?

Imagine having one key for everything you own and interact with: your home, your car, your office locker, even your safety deposit box. If a thief found that key and worked out whom it belongs to, you would be in a lot of trouble. They could enter your office, steal your car, break into your home, and get their hands on whatever valuables (or secrets) you keep in the deposit box.

That is a personal safety nightmare, and it is (in a way) what credential stuffing is for your online accounts.

All of us have multiple online accounts. On average, people who use social media have about eight social media accounts, and that is before counting email, banking, work, e-commerce and other sites. In the US alone, an average email address is associated with about 130 online accounts. And with that comes the heart of the matter: the passwords.

Say you have 50 online accounts. Do you use a different password for each of them? Most people reuse one password, or a handful of passwords, across all their accounts. If just one of those sites is compromised and an attacker obtains the email address and password, they have found that person's online master key.

The attacker can then try the same email/password pair on every site the victim is likely to use: the major social networks, online banks, large e-commerce sites, and so on. If the victim does not notice and change their credentials in time, the damage ranges from the mild (someone using the account for free streaming) to the devastating (financial or personal records leaked online).

This is credential stuffing: stolen credential pairs are "stuffed" into the login forms of many other websites, almost always by an automated program or bot rather than by hand. In 2018, most credential stuffing attempts were aimed at e-commerce sites.

Credential Stuffing vs Brute Force vs Password Spraying

Even though there is some overlap among these three attacks, they are essentially different, and the difference matters for defence.

Brute force attacks take place when attackers have one piece of the puzzle, typically a user ID, and run a program that tries many password candidates against that single account. Brute force is why long passwords are required, and why login endpoints rate-limit or lock an account after a run of failures.

Password spraying inverts that. If attackers obtain a large list of user IDs or email addresses, say the employees of a company, they try a few of the most common passwords (qwerty, 123456, first or last names, a season plus a year) against every one of them. Each account sees only one or two attempts, so per-account lockouts never fire, and if even one user picked such a password the attackers have a way in.

Credential stuffing is different again: the attacker is not guessing. They replay real username/password pairs leaked from another site, one attempt per account, relying on password reuse. Per-attempt success is low (commonly cited at around 1% to 3%), but because the attempts are automated, cheap and spread across many accounts and source addresses, the absolute number of takeovers is large, and each one can be devastating for the victim, whether an individual or a business.
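The three shapes above can be told apart from a login log alone. The following is an added example, not code from the original article: it groups failed attempts by source address and labels each source as brute force (one account, many guesses), password spraying (many real accounts, a guess or two each) or credential stuffing (many accounts, a large share of which do not even exist on this site, because the list came from somewhere else). The log format, the sample lines and the thresholds are constructed assumptions for illustration.

```python
"""Classify failed-login bursts by their shape: brute force, password
spraying or credential stuffing. Added example; log format and thresholds
are assumptions, not anything the article specifies."""
from collections import defaultdict

# Constructed sample log: "<source_ip> <username> <outcome>", where outcome is
# "ok", "fail" (wrong password for a real account) or "unknown_user"
# (no such account on this site).
SAMPLE_LOG = """
10.0.0.5 alice fail
10.0.0.5 alice fail
10.0.0.5 alice fail
10.0.0.5 alice fail
10.0.0.5 alice fail
10.0.0.5 alice fail
10.0.0.9 alice fail
10.0.0.9 bob fail
10.0.0.9 carol fail
10.0.0.9 dave fail
10.0.0.9 erin fail
10.0.0.9 frank fail
203.0.113.7 alice@example.com fail
203.0.113.7 zed@example.org unknown_user
203.0.113.7 kim@example.net unknown_user
203.0.113.7 pat@example.com fail
203.0.113.7 lee@example.org unknown_user
203.0.113.7 sam@example.net unknown_user
203.0.113.7 bob ok
192.0.2.1 alice ok
"""

MIN_FAILURES = 5          # assumption: below this we do not judge a source


def parse(log):
    """Yield (ip, user, outcome) tuples from the constructed log format."""
    for line in log.strip().splitlines():
        ip, user, outcome = line.split()
        yield ip, user, outcome


def classify_ip(attempts):
    """attempts: list of (user, outcome) seen from one source address."""
    fails = [(u, o) for u, o in attempts if o != "ok"]
    if len(fails) < MIN_FAILURES:
        return "benign"
    users = {u for u, _ in fails}
    unknown_ratio = sum(1 for _, o in fails if o == "unknown_user") / len(fails)
    attempts_per_user = len(fails) / len(users)
    if len(users) == 1:
        return "brute_force"          # one account hammered with guesses
    if unknown_ratio >= 0.5:
        return "credential_stuffing"  # a foreign list: many users don't exist here
    if attempts_per_user <= 2:
        return "password_spraying"    # our real accounts, a guess or two each
    return "suspicious"


def classify_log(log):
    """Map each source IP in the log to its attack label."""
    by_ip = defaultdict(list)
    for ip, user, outcome in parse(log):
        by_ip[ip].append((user, outcome))
    return {ip: classify_ip(a) for ip, a in by_ip.items()}


if __name__ == "__main__":
    for ip, label in classify_log(SAMPLE_LOG).items():
        print(ip, label)
```

Grouping by source IP is the simplification here: a real stuffing run is usually spread over thousands of proxy addresses so that no single IP crosses a threshold, which is why the unknown-user ratio is worth computing globally (per minute, across all sources) and not only per address.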

The Scope Of The Problem

Credential stuffing is a more serious problem than many people realize, and for several reasons.

1. It can be automated. Once a hacker has a few sets of email and passwords, a simple bot can be tasked with trying those sets on various sites.

2. Not every website has air-tight security. If you have accounts on a hundred different websites, attackers need to breach only one of them to obtain your credentials. A small e-commerce store does not have the security resources of a big bank and makes an easier target, so credentials leak from poorly secured sites all the time.

3. The black market is flooded with credential data. According to one estimate, stolen account credentials go for $1 to $2 on the darknet. So even if your credentials are safe on the accounts you use today, there is no guarantee they haven't already been compromised through a website you signed up for ages ago.

How To Protect Your Business From Credential Stuffing Attack

Even though it sounds like a user-centric attack, credential stuffing can have disastrous consequences for businesses as well. In 2018, Dunkin' Donuts suffered a credential stuffing attack in which the usernames and passwords of reward point accounts were compromised. In 2016, Uber suffered a data breach that began with credential stuffing, for which the UK Information Commissioner's Office (ICO) fined the company £385,000.

There are several other examples, which is why you must ensure protection against credential stuffing. And remember: your staff's credentials can be just as much a source of a breach as your users'.

2FA or MFA

Two-factor authentication (2FA) or multi-factor authentication (MFA) is one of the most tried and tested preventive measures against credential stuffing. It adds another layer of protection over the password. The additional factor is usually one of three things:

·         Something you know (a PIN or a security question; note that this is the same category as the password itself, so it adds the least)

·         Something you have (your phone, to which a code can be sent, or a hardware security key)

·         Something you are (a fingerprint or face)

By adding another factor to your business website's login, you ensure that an attacker cannot get inside (and control) a user's account with the ID and password alone. A bot replaying a leaked password has nothing to present for the second factor. The caveat is that not all factors are equal: SMS and app-generated one-time codes can be phished through a real-time proxy or obtained by SIM swapping, whereas FIDO2/WebAuthn security keys bind the login to the site's origin and resist both. With the right tools in place, you can also record the source IP of every login attempt that failed at the 2FA step, since a correct password followed by a failed second factor is a strong sign that the password is already in the attacker's hands (and the IP can be blocklisted after verification).

2FA and MFA blunt password spraying in the same way. Multi-factor authentication is widely reported to stop about 99.9% of automated account attacks. But there is a problem. Even if you can make it compulsory for your employees, enforcing it on your entire user base is difficult. Make it optional, and only a relatively small fraction of users (those who already follow good security habits) will opt in. Make it mandatory, and some users may go to a competitor simply because logging in to your site became harder.

A middle course is to enforce 2FA only in certain conditions: when a login attempt comes from an unknown device, location or IP address, or from an IP address that is on a known blocklist or has already attempted logins against multiple accounts. This is safer, and more workable for your users.

Unique ID/Password For Your Website

You can ask your users to create unique IDs, at least IDs that are not based on their email address or first/last name. But that is a weak layer of protection: most people will still log in with their email address, and an attacker's leaked list usually contains emails anyway. A complicated password can be reused as well; in fact, a lot of people create one very complicated password and use it on multiple sites. One thing you can do is check the password a user is setting against known compromised passwords, warn them if it appears there, and ask them to pick a different one.

This protects you against passwords that have already leaked, but not against the future (when the user starts using the password they set for your site everywhere else). Periodic reminders to change passwords are sometimes suggested as well, but current guidance (NIST SP 800-63B) advises against forcing routine rotation, since it pushes users toward predictable variations; require a change when there is evidence of compromise instead.
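The compromised-password check can be done without ever sending the user's password to a third party. This is an added example, not the article's code: it implements the k-anonymity range lookup used by the Have I Been Pwned Pwned Passwords API (GET https://api.pwnedpasswords.com/range/<first five hex characters of the SHA-1>, which returns lines of "<remaining 35 hex>:<count>"). Only the five-character prefix leaves the server; the suffix comparison happens locally. So that the block runs offline, the HTTPS call is replaced by a constructed response containing the well-known SHA-1 of "password"; the count shown is made up, and the minimum length is an assumed policy value.

```python
"""Breached-password check via a k-anonymity range lookup. Added example;
the range response below is constructed so the code runs offline."""
import hashlib

# Constructed stand-in for the body the range endpoint would return for prefix
# 5BAA6. The first suffix is the real SHA-1 tail of "password"; the counts and
# the second entry are invented for the example.
FAKE_RANGE_RESPONSE = {
    "5BAA6": (
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\n"
        "1E2B7F0D5C1D5D7E4C1F0A9B8C7D6E5F4A3:2\n"
    ),
}


def fetch_range(prefix):
    """Stand-in for the HTTPS GET of /range/<prefix>; returns the body text."""
    return FAKE_RANGE_RESPONSE.get(prefix, "")


def breach_count(password, fetch=fetch_range):
    """How often the password appears in the corpus (0 if never seen).
    Only the 5-hex-char prefix is sent; the full hash never leaves here."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch(prefix).splitlines():
        if ":" not in line:
            continue
        seen_suffix, count = line.strip().split(":", 1)
        if seen_suffix == suffix:
            return int(count)
    return 0


def check_new_password(password, minimum_length=12):
    """Policy hook for the sign-up / change-password form (assumed policy).
    Returns 'breached', 'too_short' or 'ok'."""
    if breach_count(password) > 0:
        return "breached"
    if len(password) < minimum_length:
        return "too_short"
    return "ok"


if __name__ == "__main__":
    for candidate in ("password", "a long unique phrase 9"):
        print(repr(candidate), check_new_password(candidate))
```

Run the breach check before any other rule, so that a user who typed a leaked password hears that reason first; a password that is both short and leaked should be rejected for the more serious of the two.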

Unique Passwords And Password Manager

This solution is aimed more at users who take security seriously than at businesses, but it is important to know anyway. Unless they have an eidetic memory, users do not and cannot remember as many passwords as they have accounts, so asking them to create a unique password for every website is out of the question. They can, however, be nudged towards using a password manager (free or paid). A password manager generates and stores unique passwords (and IDs) for all of a user's online accounts, protected by one master password.

This way, a user only has to remember one strong password, yet every account gets a unique, complex password, which takes the reuse that credential stuffing depends on off the table. Trusting one piece of software with nearly all of your credentials may seem like putting all the eggs in one basket, but it is a better and more practical solution than many others.

Bot Management

Since most credential stuffing happens with the help of bots (no attacker will try stolen credentials on hundreds of sites by hand), bot management is an essential line of defence. A bot manager's job is to decide whether a login request was initiated by a human or by a bot. This differentiation can be difficult, especially when a single attempt raises no red flags on its own. Decent bot managers tell humans and bots apart from behaviour patterns: request rates per source, the spread of usernames tried from one address, how many of those usernames do not even exist on your site, and how the client interacts with the page.

If an attempt is identified as bot-driven, a bot manager can present a CAPTCHA or block it outright. Learning algorithms, access to shared lists of blocklisted IPs (and the ability to build such a list itself) also help it protect your business from credential stuffing.
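The simplest behaviour-based control is a sliding-window throttle that counts recent failures per source address and per target account and escalates from allowing the attempt, to demanding a CAPTCHA, to blocking. The following is an added example, not the article's or any vendor's code; the window and thresholds are assumptions, and the store is in-memory (a real deployment keeps the counters in something shared like Redis).

```python
"""Sliding-window login throttle: allow -> captcha -> block, keyed both by
source IP and by target account. Added example; thresholds are assumptions."""
from collections import defaultdict, deque


class LoginThrottle:
    def __init__(self, window_s=300, captcha_at=5, block_at=20):
        self.window_s = window_s
        self.captcha_at = captcha_at
        self.block_at = block_at
        self._events = defaultdict(deque)   # key -> timestamps of failures

    def _recent(self, key, now):
        """Drop timestamps older than the window and return what is left."""
        q = self._events[key]
        while q and now - q[0] > self.window_s:
            q.popleft()
        return len(q)

    def record_failure(self, ip, user, now):
        """Call after a failed password or failed second factor."""
        self._events[("ip", ip)].append(now)
        self._events[("user", user)].append(now)

    def decide(self, ip, user, now):
        """Return 'allow', 'captcha' or 'block' for an incoming attempt. The
        per-account key catches brute force and distributed spraying on one
        account; the per-IP key catches a single source working a list."""
        n = max(self._recent(("ip", ip), now), self._recent(("user", user), now))
        if n >= self.block_at:
            return "block"
        if n >= self.captcha_at:
            return "captcha"
        return "allow"


def demo():
    """Five different usernames fail from one address; the sixth attempt,
    for yet another username, is challenged."""
    t = LoginThrottle()
    for i in range(5):
        t.record_failure("198.51.100.3", f"user{i}", now=1000 + i)
    return t.decide("198.51.100.3", "someone_else", now=1010)


if __name__ == "__main__":
    print(demo())
```

Note what this does not catch: credential stuffing spread across thousands of proxies touches each account once and each IP a few times, so neither key trips. That traffic shows up in aggregate signals instead (a site-wide spike in failures, or in attempts against usernames that do not exist), which is the part a bot manager adds on top of plain throttling.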

Finger-Printing User Devices

Another way to identify whether a login attempt is coming from a legitimate user or a bot is to fingerprint user devices at the time of sign-up. The "fingerprinting" is done by combining the user's browser, operating system, screen resolution, installed fonts and, in some cases, installed browser plugins into an identifier. Once fingerprinted, your website can remember which devices the sign-up and the usual logins come from.

If the same credentials are then entered from a device that has not been fingerprinted before, your system can trigger 2FA or another verification step to confirm whether it is the legitimate user. Once they pass, you can fingerprint that device as well and associate it with the user. This matters because most people now use multiple devices to access their accounts (usually a phone and a computer). Keep in mind that a fingerprint is not a secret: an attacker who knows the victim's attributes can reproduce it, so it should be a risk signal that decides whether to ask for more, never a replacement for a factor.
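The conditional 2FA described under "2FA or MFA" and the device fingerprinting described here are two halves of one decision, made after the password has already verified: is this enough, or do we step up? The following is an added example, not the article's code. It hashes client-reported attributes into a fingerprint, keeps the fingerprints that passed a second factor, and asks for MFA when the device is new, the source address is on a blocklist, or the address has produced many recent failures. The attribute names, CIDR list and threshold are assumptions.

```python
"""Risk-based step-up after a correct password, using a device fingerprint,
an IP blocklist and recent failure volume. Added example; attribute names,
blocklist and thresholds are assumptions."""
import hashlib
import ipaddress


def device_fingerprint(attrs):
    """Stable hash of client-reported attributes. It is not a secret and can
    be spoofed, so it only steers the decision and is never a factor itself."""
    canonical = "|".join(f"{k}={attrs[k]}" for k in sorted(attrs))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()[:32]


class StepUpPolicy:
    def __init__(self, blocklist_cidrs=(), max_recent_failures=10):
        self.blocklist = [ipaddress.ip_network(c) for c in blocklist_cidrs]
        self.max_recent_failures = max_recent_failures
        self.known_devices = {}   # user -> set of fingerprints that passed MFA

    def _ip_blocked(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.blocklist)

    def decide(self, user, ip, attrs, recent_failures_from_ip):
        """Called only after the password verified.
        Returns ('allow' | 'mfa', [reasons])."""
        reasons = []
        if device_fingerprint(attrs) not in self.known_devices.get(user, set()):
            reasons.append("new_device")
        if self._ip_blocked(ip):
            reasons.append("blocklisted_ip")
        if recent_failures_from_ip >= self.max_recent_failures:
            reasons.append("ip_failure_volume")
        return ("mfa" if reasons else "allow", reasons)

    def enroll_device(self, user, attrs):
        """Call only after the second factor succeeded on this device."""
        self.known_devices.setdefault(user, set()).add(device_fingerprint(attrs))


if __name__ == "__main__":
    # Constructed client attributes for a first login from a laptop.
    policy = StepUpPolicy(blocklist_cidrs=["203.0.113.0/24"])
    laptop = {"ua": "Mozilla/5.0 (X11; Linux x86_64)", "screen": "1920x1080",
              "tz": "Europe/Berlin"}
    print(policy.decide("alice", "198.51.100.4", laptop, 0))   # ('mfa', ['new_device'])
    policy.enroll_device("alice", laptop)
    print(policy.decide("alice", "198.51.100.4", laptop, 0))   # ('allow', [])
```

The reasons list is worth keeping: it tells the user why they were challenged, and it tells your detection team which signal is firing when an attack wave starts.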

Blocking Headless Browsers

Headless browsers run without a graphical user interface and are what automation frameworks drive, so they are the natural vehicle for a credential stuffing bot. They also tend to give themselves away: the User-Agent of headless Chrome has traditionally carried the token "HeadlessChrome", navigator.webdriver is set to true when a browser is driven by automation, and headless sessions often omit headers such as Accept-Language that real browsers always send. Unless they are unusually security-minded (or developers), your users are unlikely to log in from a headless browser, so blocking or challenging requests with these tells removes a slice of credential stuffing traffic cheaply. Do not rely on it alone: "stealth" automation plugins patch these signals, and newer Chrome headless modes report an ordinary User-Agent.
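Server-side triage of the tells just listed, as an added example (not the article's code). It inspects the request headers and an optional probe result posted by a small page script (here assumed to report navigator.webdriver as a JSON boolean); the sample requests are constructed. Strong tells block, weak ones only earn a CAPTCHA, because a real but unusual client can omit a header.

```python
"""Headless-browser triage from request headers plus an optional client-side
probe. Added example; the probe format and sample requests are constructed."""

HEADLESS_UA_TOKENS = ("HeadlessChrome", "PhantomJS")
STRONG_SIGNALS = {"headless_user_agent", "navigator_webdriver"}


def headless_signals(headers, client_probe=None):
    """headers: HTTP request headers (any case). client_probe: optional dict
    posted by a page script, e.g. {"webdriver": True}. Returns signal names."""
    h = {k.lower(): v for k, v in headers.items()}
    ua = h.get("user-agent", "")
    signals = []
    if not ua:
        signals.append("no_user_agent")
    if any(tok in ua for tok in HEADLESS_UA_TOKENS):
        signals.append("headless_user_agent")
    if "accept-language" not in h:
        signals.append("no_accept_language")   # real browsers always send it
    if client_probe and client_probe.get("webdriver"):
        signals.append("navigator_webdriver")
    return signals


def decide(headers, client_probe=None):
    """'block' on a strong tell, 'challenge' (CAPTCHA) on weak ones, else 'allow'."""
    found = set(headless_signals(headers, client_probe))
    if found & STRONG_SIGNALS:
        return "block"
    if found:
        return "challenge"
    return "allow"


# Constructed sample requests.
HUMAN = {
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                  "(KHTML, like Gecko) Chrome/120.0 Safari/537.36",
    "Accept-Language": "en-US,en;q=0.9",
}
HEADLESS = {
    "User-Agent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 "
                  "(KHTML, like Gecko) HeadlessChrome/120.0 Safari/537.36",
}

if __name__ == "__main__":
    print(decide(HUMAN), decide(HEADLESS), decide({"User-Agent": "curl/8.0"}))
```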

Keep An Eye On Stolen Credentials

For sizeable organizations, another way to prevent credential stuffing is to routinely check whether your users' credentials have turned up in breach data. They may not have been compromised on your site, but if the same email and password leaked from some other site, the user is compromised either way. Once you identify such users, you can force a password change and recommend 2FA to prevent future mishaps. Handle the breach data itself carefully: match it against your stored hashes in memory and do not keep or log the plaintext.
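Matching a dump against your own user base means verifying each leaked password against the stored hash for that email, never comparing plaintext you have kept. This is an added example, not the article's code. It uses PBKDF2 from the standard library as the stored-hash scheme purely for portability (a real deployment would use its own hasher, such as argon2id or bcrypt); the user table and the "email:password" dump are constructed.

```python
"""Flag accounts whose password from a breach dump still works here.
Added example; PBKDF2 stands in for the site's real password hasher, and the
user table and dump are constructed."""
import hashlib
import hmac
import os


def hash_password(password, salt=None, iterations=100_000):
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{salt.hex()}${iterations}${dk.hex()}"


def verify_password(password, stored):
    salt_hex, iters, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


# Constructed user table: email -> stored hash.
USERS = {
    "alice@example.com": hash_password("Summer2019!"),
    "bob@example.com": hash_password("correct-horse-battery"),
    "carol@example.com": hash_password("Tr0ub4dor&3"),
}

# Constructed dump in the common "email:password" format.
BREACH_DUMP = """\
alice@example.com:Summer2019!
bob@example.com:hunter2
dave@example.com:letmein
carol@example.com:Tr0ub4dor&3
"""


def find_reused_credentials(dump, users):
    """Emails whose leaked password verifies against our stored hash.
    Only the stored hash is consulted; the leaked plaintext is not retained."""
    hits = []
    for line in dump.splitlines():
        if ":" not in line:
            continue
        email, leaked_pw = line.split(":", 1)
        email = email.strip().lower()
        stored = users.get(email)
        if stored and verify_password(leaked_pw, stored):
            hits.append(email)
    return hits


def remediate(dump, users):
    """Policy: force a reset (and recommend 2FA) for every confirmed reuse."""
    return [(email, "force_password_reset") for email in find_reused_credentials(dump, users)]


if __name__ == "__main__":
    print(remediate(BREACH_DUMP, USERS))
```

The cost is one slow hash per matching email, which is fine for a dump of a few million lines run offline; emails that are not your users (dave above) cost nothing, and an email with a non-matching leaked password (bob) is still worth a lighter nudge since the person is evidently in the habit of reusing.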

Passwordless Authentication

Passwordless authentication is the longer-term answer to credential stuffing, and with FIDO2/WebAuthn, which all major browsers and platforms now support, it has moved from the drawing board to the mainstream. It uses a cryptographic keypair: the private key is created on and never leaves the user's device (a phone, laptop or hardware security key), and only the public key is sent to the website at registration. At login the site sends a fresh random challenge; the device unlocks the private key with a local factor such as a fingerprint, face or PIN, signs the challenge together with the site's origin, and the site verifies the signature with the stored public key. There is no shared secret on the server to steal and nothing to reuse on another site, and because the signature is bound to the origin, a phishing page cannot replay it. It technically falls under MFA (possession of the device plus a local factor) but is considerably stronger than password-plus-code.
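The exchange described above, as an added example with both sides' messages. This is not the article's code and not WebAuthn itself: to run with nothing but the standard library it uses a textbook Schnorr signature over a toy-sized group generated at import time, which is a demonstration of the protocol shape only, never production cryptography (use a WebAuthn library and a real authenticator). The origin strings and user names are invented. It shows the three properties the section claims: the server stores only public keys, a consumed challenge cannot be replayed, and a signature produced for a look-alike origin is rejected by the real site.

```python
"""Passwordless challenge-response over a keypair (toy Schnorr signature).
Added example: protocol shape only, not WebAuthn and not production crypto."""
import hashlib
import secrets


def _is_probable_prime(n, rounds=20):
    """Miller-Rabin; adequate for the toy parameters used here."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _make_group(qbits=64):
    """Prime q, prime p = k*q + 1 and g of order q. Toy sizes (assumption)."""
    q = 0
    while not _is_probable_prime(q):
        q = secrets.randbits(qbits) | (1 << (qbits - 1)) | 1
    k = 2
    while not _is_probable_prime(k * q + 1):
        k += 2
    p = k * q + 1
    for h in range(2, 100):
        g = pow(h, k, p)
        if g != 1:
            return p, q, g
    raise RuntimeError("no generator found")


P, Q, G = _make_group()


def _challenge_hash(origin, challenge, r):
    """Binds the signature to the site origin as well as the fresh challenge."""
    data = f"{origin}|{challenge}|{r}".encode("utf-8")
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


class Device:
    """Client side. The private key is generated here and never leaves; a
    real authenticator gates sign() behind a fingerprint, face or PIN."""
    def __init__(self):
        self._sk = secrets.randbelow(Q - 1) + 1
        self.pk = pow(G, self._sk, P)        # the only value ever sent out

    def sign(self, origin, challenge):
        k = secrets.randbelow(Q - 1) + 1
        r = pow(G, k, P)
        e = _challenge_hash(origin, challenge, r)
        s = (k - self._sk * e) % Q
        return e, s


class Server:
    """Site side. Stores public keys only: a database leak yields nothing
    that can be replayed here or stuffed into another site."""
    def __init__(self, origin):
        self.origin = origin
        self.registered = {}   # user -> public key
        self.pending = {}      # user -> outstanding challenge

    def register(self, user, pk):
        self.registered[user] = pk

    def begin_login(self, user):
        challenge = secrets.token_hex(16)   # fresh per attempt, single use
        self.pending[user] = challenge
        return challenge

    def finish_login(self, user, challenge, signature):
        if self.pending.pop(user, None) != challenge:
            return False                     # unknown, stale or replayed challenge
        pk = self.registered.get(user)
        if pk is None:
            return False
        e, s = signature
        r_check = (pow(G, s, P) * pow(pk, e, P)) % P
        return _challenge_hash(self.origin, challenge, r_check) == e


def login_flow(server, device, user, origin_seen_by_device):
    """One full exchange. If the device was lured to a look-alike origin, the
    signature it produces does not verify at the real site."""
    challenge = server.begin_login(user)
    signature = device.sign(origin_seen_by_device, challenge)
    return server.finish_login(user, challenge, signature)
```

In WebAuthn the same binding happens because the browser, not the page, fills in the origin when it asks the authenticator to sign, which is what makes the credential unusable from a phishing domain.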

Conclusion

According to Akamai, 26.95 billion credential stuffing attempts were recorded in the first quarter of 2020 alone, over 250% more than in the first quarter of 2019, which points to a simple fact: credential stuffing isn't going anywhere. You need to protect your business and your users from this attack by taking the precautions above. Whether your user base is large or small, a single weak link may be enough for attackers to pry your door open and get in. Make sure your security team is equipped with the right tools and has taken the necessary measures. A smarter way would be to consult cyber security vendors with expertise in this area; they will be familiar with both the latest attack tactics and the best defence practices. You can find and compare some of the best cyber security vendors using an aggregator service like Cyberpal.

