Editor's note: This post was originally published in September 2021 in Threatpost.
Data breaches and hacking put internet users at risk of account takeover, if cyber-criminals successfully gain access to valid login credentials. There are reckoned to be in excess of 8.4 million discrete passwords currently circulating online, over 3.5 billion of which are tied to active email addresses.
Every data breach that exposes usernames and passwords creates more assets to be sold on the dark web, and used in scripts to fuel credential stuffing activities.
Credential stuffing is a cyber-attack mechanism that relies on brute force, but eliminates the need for hackers to spend time and resources trying to guess individual passwords. Instead, they can turn to lists of valid credentials that have been uncovered through data breaches in other platforms.
Unfortunately, many people still tend to reuse their passwords and security verification questions across a range of web sites. So using credentials exposed by a data breach, cyber-criminals can enjoy a higher success rate and reduced effort in their attempts to gain access to existing accounts.
To assist them, an entire underground economy has emerged, selling specialist tools and stolen personal data to fuel automated credential stuffing campaigns. Automated bots and scripts are popular with perpetrators of online fraud, as the automation enables them to maximize their investment returns and achieve wider coverage in their account takeover attempts. Sophisticated bots are capable of bypassing many fraud prevention solutions.
Some perpetrators hire cheap human labor, for staging larger scale account takeover attacks. These human operatives can more easily work around fraud protection measures, such as Captchas, designed to identify bots. They can provide the required level of human interaction needed to deal with these challenge-response mechanisms.
Likewise, hacker intervention can occasionally circumvent standard authentication measures for blocking account takeover fraud. For instance, multi-factor authentication (MFA) routines that require users to respond to a one-time password (OTP) or SMS text code can be intercepted or delayed, using the right tools.
These issues are having a significant impact. The security and content delivery organization Akamai detected 193 billion credential stuffing attacks worldwide in 2020. A single day saw over one billion attempts, in a year in which the financial services industry alone suffered 3.45 billion credential stuffing attacks.
Financial services are a prime target for credential stuffing and account takeover attacks. Successful perpetrators can go on to siphon funds from existing user accounts, commit credit card fraud, extort enterprises, and other nefarious activities. But the damage isn’t limited to the finance sector.
In its State of Secure Identity report for 2021, Auth0 reveals that credential stuffing accounted for 16.5% of login attempts on its platform during the first three months of the year. Their report notes that the top two industries most affected by credential stuffing attacks are retail, and the combined sector of travel and leisure. Application Programming Interfaces (APIs) are major targets for credential stuffing attacks since they provide a convenient channel for automated traffic.
It’s worth noting that, during the first 90 days of 2021, breached passwords were detected at an average of more than 26,600 per day. Their extreme vulnerability is making passwords largely redundant as an effective security measure.
There’s no single “magic bullet” to remedy the issues of credential stuffing and account takeover. Rather, the solution must come from a judicious mix of techniques and cybersecurity best practices. This includes:
Attackers often configure their credential stuffing tools to imitate the behavior of legitimate users, and employ proxies to distribute their access requests across many different IP addresses, so a single source address rarely stands out. One possible sign of an assault is a marked increase in login failure rates across the platform over a short time period.
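The following is an added illustration, not code from the original post or from Approov: it buckets a constructed set of login events into one-minute windows and flags the windows whose failure rate spikes while the failures are spread thinly across many accounts and many source IPs, which is the pattern that per-IP rate limits and per-account lockouts miss. Event format, thresholds and the sample data are all assumptions for the example.

```python
from collections import Counter
from datetime import datetime

# Constructed login events (timestamp, username, source_ip, success): one minute
# of normal traffic, then one minute of a distributed credential-stuffing burst
# in which every attempt uses a different account and a different proxy IP.
SAMPLE_EVENTS = [
    ("2021-09-01T10:00:05", "alice", "203.0.113.10", True),
    ("2021-09-01T10:00:20", "bob", "203.0.113.11", False),
    ("2021-09-01T10:00:25", "bob", "203.0.113.11", True),
    ("2021-09-01T10:00:40", "carol", "203.0.113.12", True),
] + [
    ("2021-09-01T10:01:%02d" % i, "user%03d" % i, "198.51.100.%d" % i, False)
    for i in range(1, 41)
]

def window_stats(events):
    """Bucket events into one-minute windows and summarise each window."""
    buckets = {}
    for ts, user, ip, ok in events:
        minute = datetime.fromisoformat(ts).replace(second=0, microsecond=0)
        b = buckets.setdefault(minute, {"total": 0, "failed": 0, "ips": set(),
                                        "attempts_per_user": Counter()})
        b["total"] += 1
        if not ok:
            b["failed"] += 1
            b["ips"].add(ip)
            b["attempts_per_user"][user] += 1
    stats = {}
    for minute, b in sorted(buckets.items()):
        stats[minute.isoformat()] = {
            "total": b["total"], "failed": b["failed"],
            "failure_rate": b["failed"] / b["total"],
            "distinct_ips": len(b["ips"]), "distinct_users": len(b["attempts_per_user"]),
            "max_attempts_per_user": max(b["attempts_per_user"].values(), default=0),
        }
    return stats

def flag_stuffing_windows(events, min_failed=20, min_rate=0.8):
    """Flag windows with a high failure rate spread over many accounts and IPs:
    the signature of a proxied credential-stuffing run (thresholds are assumed)."""
    flagged = []
    for minute, s in window_stats(events).items():
        spread = s["distinct_users"] / s["failed"] if s["failed"] else 0
        if s["failed"] >= min_failed and s["failure_rate"] >= min_rate and spread >= 0.8:
            flagged.append(minute)
    return flagged

if __name__ == "__main__":
    print("flagged windows:", flag_stuffing_windows(SAMPLE_EVENTS))
```

On real traffic the baseline failure rate should be learned per platform rather than fixed, and the flagged window is a trigger for step-up authentication on the affected accounts rather than an outright block.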
Two-factor authentication (2FA) should be mandatory for all high-risk use cases, such as user accounts that have recorded a suspiciously high number of failed login attempts. Note that, as discussed above, 2FA can be bypassed, so it can’t be relied upon on its own.
Organizations should continuously monitor the internet for public disclosures of data breaches and exposed email addresses. All compromised accounts should be earmarked for mandatory password reset and two-factor authentication moving forward.
Account holders should be encouraged to use reputable password management software. These platforms typically provide tools for generating truly strong passwords and remove the need to reuse passwords. They also eliminate the need for users to remember them, a standard objection to adopting strong passwords.
It is vital to authenticate the app as well as the user, in order to control access to your back end services and prevent brute force attacks from bots or scripts. Alongside 2FA, this can provide a very effective barrier to scripted attacks.
The Zero Trust framework requires all account holders or users of a platform to undergo authentication, authorization, and continuous validation before gaining access to applications and data. If user credentials don't work inside scripts, hackers will soon get bored of stealing them. This is the real solution to prevent data breaches - reduce the value of the data to zero.
Approov CEO David Stewart sums it all up this way:
“Credential stuffing attacks, utilizing user names/passwords extracted from unconnected data breaches, are one of the most common account takeover mechanisms. The simplest way to prevent such exploits is to ensure that user names/passwords on their own are not enough to gain access to back end systems.
Adding a requirement for appropriate and independently verified additional factors (e.g. 2FA, biometrics, app authentication) to gain access to your servers will make your business dramatically less likely to suffer account takeover attacks.”