5 Tips for Credential Stuffing Prevention
Data breaches and their immediate impact on the organization are widely publicized. But what happens after the breach, especially with the breached credentials such as usernames and passwords? The breached credentials are often sold on the black market or leveraged by the attacker to attack the same or other organizations. When these stolen credentials are reused on different websites, it is known as credential stuffing. Credential stuffing attacks are among the prevalent bot-based threats today, but they are preventable with the right measures and security controls.
This article takes a deep dive into credential stuffing and the ways to stop and mitigate these attacks.
A Deep Dive into Credential Stuffing
Credential stuffing is a type of cyberattack wherein attackers leverage automated tools or botnets to inject pre-collected credentials (stolen in a breach or bought from the dark web) into login forms to gain access to user accounts at the same or another organization.
Credential stuffing is easy to execute and tends to have a high success rate. Many users reuse the same login credentials across multiple platforms. So, if the attacker obtains the username and password for one such account, they can compromise the other accounts as well.
Another reason why credential stuffing attacks are so easy to execute is that massive volumes of compromised credentials are readily available. While attackers can buy them, breached credentials are also openly available in plaintext on the dark web.
How Do Credential Stuffing Attacks Work?
The attacker loads the list of stolen or purchased credentials into a botnet or automated tool. The tool tries the credential pairs against various websites at once, rotating through different IP addresses as it goes.
The tool identifies the website(s) where a set of compromised credentials works. Automation removes the need for the attacker to try logins against each service by hand. The attacker monitors successful logins and engages in malicious activities such as:
- Extracting sensitive information
- Transferring funds
- Identity theft and brand impersonation
- Corporate or institutional espionage
- E-commerce fraud
- Selling access to newly compromised accounts
Credential Stuffing vs. Brute Force Attacks
Despite their similarities, credential stuffing is different from a brute force attack. The main difference is that in a brute force attack, attackers attempt to guess credentials without any context or data from previous breaches: they change characters, numbers, etc., or try random strings and commonly guessable passwords to crack the credentials. Credential stuffing instead replays username and password pairs that are already known to be valid somewhere.
Credential Stuffing Attack Prevention: Effective Ways
Multi-Factor Authentication (MFA)
One of the best credential stuffing defenses is multi-factor authentication. MFA requires users to perform additional authentication steps to prove that they are a legitimate user and not a bot or attacker trying to access the account. Requiring the user to enter an OTP sent to a pre-registered phone number is one of the common ways to authenticate the user.
Implementing MFA may not be feasible in all cases, as it can be disruptive to the business. So it is typically used in combination with other measures such as device fingerprinting, or enabled automatically only for users determined to be at greater risk, and so on.
Enforce a Strong Password and Authentication Policy
The easiest credential stuffing prevention measure is strictly imposing a strong password policy.
- Use password managers to generate unique usernames and strong passwords
- Require users to create different passwords for different accounts
- Set a strict limit on the number of failed authentication requests
For instance, BFSI (banking, financial services and insurance) organizations typically allow a maximum of 3-5 failed login requests before freezing the user account without exception, so the user must go to a branch to reactivate the account. In other sectors, even if accounts cannot be frozen, you can set a timeframe for failed logins and notify the user to reset their password.
- Hash the credentials (usernames, passwords, etc.) stored in your database. Credentials must never be stored in plaintext.
- Keep monitoring public data dumps to check whether breached email addresses and credentials are present in your database. If so, enforce a password reset and MFA for those users.
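Two of the items above, hashing stored credentials and checking them against public breach data, as an added Python example that is not code from the original article: it stores passwords as salted scrypt hashes, verifies them with a constant-time comparison, and rejects a new password whose SHA-1 appears in a breach corpus looked up by 5-character hash prefix (the k-anonymity query shape used by Have I Been Pwned's Pwned Passwords service). The scrypt parameters and the tiny breach corpus are constructed assumptions.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Set

# scrypt work factors (assumed values for this example; n must be a power of two).
# Memory use is 128 * r * n bytes, i.e. 16 MiB at these settings.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'salt_hex$digest_hex' using a per-user random salt and scrypt."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return f"{salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split("$", 1)
    candidate = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
                               n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def _sha1_upper(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed stand-in for a breach-corpus range lookup: a 5-character SHA-1 prefix maps
# to the hash suffixes seen in public dumps. A real deployment fetches the range for the
# prefix from the breach service; only the 5-character prefix ever leaves your systems.
CONSTRUCTED_BREACH_RANGES: Dict[str, Set[str]] = {}
for _leaked in ("password123", "qwerty", "letmein"):
    _h = _sha1_upper(_leaked)
    CONSTRUCTED_BREACH_RANGES.setdefault(_h[:5], set()).add(_h[5:])


def is_breached(password: str, ranges: Dict[str, Set[str]] = CONSTRUCTED_BREACH_RANGES) -> bool:
    """True if the password's full SHA-1 appears in the range for its 5-char prefix."""
    full = _sha1_upper(password)
    return full[5:] in ranges.get(full[:5], set())


def register(username: str, password: str, db: Dict[str, str]) -> bool:
    """Reject breached passwords at signup; store only the salted hash, never plaintext."""
    if is_breached(password):
        return False
    db[username] = hash_password(password)
    return True
```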
CAPTCHA
CAPTCHA is a great way to reduce the effectiveness of credential stuffing attacks. It must be used in combination with other means and applied intelligently to challenge only suspicious traffic, since it can be disruptive for the business.
Device Fingerprinting
Credential stuffing can also be prevented by using device fingerprinting. Create a fingerprint for each session from information such as language, OS, browser, time zone, etc., collected from the user's device. If the same combination of parameters is used for many login attempts in quick succession, it is probably an attack. You can then apply IP blocking, temporary bans, etc., to that fingerprint.
Bot Management
- Rate limiting based on geography, originating data centers, etc.
- IP blacklisting based on threat intelligence and insights from granular traffic analysis
- Blocking headless browsers
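To make the fingerprinting and rate-limiting ideas concrete, here is an added Python example (not code from the original article or from AppTrana) that runs detection logic over a constructed login log: it groups attempts by a (user agent, language, timezone) fingerprint and flags a fingerprint that hits many different usernames with mostly failed logins inside a short window, even when the attempts are spread over rotating IP addresses. The log lines, window and thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed authentication log (not from any real system). Pipe-separated fields:
# timestamp | client IP | username | result | user agent | Accept-Language | timezone.
# 203.0.113.7 and 198.51.100.4 share one fingerprint: the bot is rotating IP addresses.
SAMPLE_LOG = """\
2024-03-01T10:00:01Z|203.0.113.7|alice|FAIL|HeadlessChrome/120.0|en-US|+0000
2024-03-01T10:00:02Z|203.0.113.7|bob|FAIL|HeadlessChrome/120.0|en-US|+0000
2024-03-01T10:00:02Z|203.0.113.7|carol|FAIL|HeadlessChrome/120.0|en-US|+0000
2024-03-01T10:00:03Z|203.0.113.7|dave|OK|HeadlessChrome/120.0|en-US|+0000
2024-03-01T10:00:03Z|198.51.100.4|erin|FAIL|HeadlessChrome/120.0|en-US|+0000
2024-03-01T10:00:04Z|198.51.100.4|frank|FAIL|HeadlessChrome/120.0|en-US|+0000
2024-03-01T10:05:00Z|192.0.2.10|grace|FAIL|Firefox/124.0|de-DE|+0100
2024-03-01T10:05:20Z|192.0.2.10|grace|OK|Firefox/124.0|de-DE|+0100
"""


def parse_log(text):
    """Parse log lines into time-ordered events; fp = (user agent, language, timezone)."""
    events = []
    for line in text.strip().splitlines():
        ts, ip, user, result, ua, lang, tz = line.split("|")
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "ip": ip,
                       "user": user, "ok": result == "OK", "fp": (ua, lang, tz)})
    return sorted(events, key=lambda e: e["ts"])


def detect_stuffing(events, window=timedelta(minutes=1), min_users=4, min_fail_ratio=0.5):
    """Flag fingerprints that, within `window`, hit many distinct usernames, mostly failing.
    A real user mistyping a password (grace) never trips this; a bot spraying many accounts
    does, even when it spreads the attempts over several IP addresses."""
    by_fp = defaultdict(list)
    for e in events:
        by_fp[e["fp"]].append(e)
    flagged = {}
    for fp, evs in by_fp.items():
        start = 0
        for end in range(len(evs)):  # sliding window over this fingerprint's events
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            win = evs[start:end + 1]
            users = {e["user"] for e in win}
            fails = sum(1 for e in win if not e["ok"])
            if (len(users) >= min_users and fails / len(win) >= min_fail_ratio
                    and len(users) > flagged.get(fp, {}).get("users", 0)):
                flagged[fp] = {"users": len(users), "failures": fails,
                               "ips": sorted({e["ip"] for e in win}),
                               "headless": "headless" in fp[0].lower()}
    return flagged
```

Each flagged entry lists every IP the fingerprint used, which is the input you would feed to rate limiting or a temporary ban, and the headless flag marks the fingerprint as a candidate for an outright block.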
Credential stuffing, a bot-based attack, can be stopped and mitigated effortlessly if you invest in a comprehensive, intelligent, managed bot management and security solution like AppTrana.