Data breaches and their immediate impact on the organization are widely publicized. But what happens after the breach, especially with the breached credentials such as usernames and passwords? The breached credentials are often sold in the black market or leveraged by the attacker to attack the same or other organizations. When these stolen credentials are reused on different websites, it is known as credential stuffing. Credential stuffing attacks are prevalent bot-based threats today but preventable with the right measures and security controls.
This article deep dives into credential stuffing and ways to stop and mitigate these attacks.
Credential stuffing is a type of cyberattack wherein attackers leverage automated tools/ botnets to inject pre-collected credentials (stolen in a breach or bought from the dark web) to gain access to the user accounts of the same or another organization.
Credential stuffing is easy to execute and tends to have a high success rate. Many users tend to use the same login credentials across multiple platforms. So, if the attacker cracks the username password of one such account, they can compromise the other accounts.
Another reason why credential stuffing attacks are so easy to execute is that massive volumes of compromised credentials are readily available. While attackers can buy them, breach credentials are also openly available in plaintext on the dark web.
The attacker adds the list of stolen/ purchased credentials to a botnet/ automated tool. The botnet/ automated tool automates trying the credential pairs on various websites at once while using different IP addresses.
The botnet/ automated tool identifies website(s) where the set of compromised credentials works. Automation reduces the need for the attacker to log into a single service repeatedly. The attacker monitors successful logins and engages in malicious activities such as
Despite having similarities, credential stuffing is different from brute force attacks. The main difference is that attackers attempt to guess credentials without any context or data from previous breaches. Attackers may change characters, numbers, etc., or use random strings, guessable passwords, etc., in cracking the credentials.
One of the best credential stuffing defenses is multi-factor authentication. MFA requires users to perform additional authentication steps to prove that they are a legitimate entity and not a bot or attacker trying to access the account. Requiring the user to enter an OTP sent to a pre-registered phone number is one of the best ways to authenticate the user.
Implementing MFA may not be feasible in all cases as it can be disruptive to business. So, it is used in combination with other measures such as device fingerprinting, enabling MFA automatically for users determined to be at greater risk, and so on.
The easiest credential stuffing prevention measure is strictly imposing a strong password policy.
For instance, BFSI organizations typically allow a maximum of 3-5 failed login requests before freezing the user account without exception. So, the user must go to a branch to reactivate the account. In other sectors, even if the accounts cannot be frozen, you can set a timeframe for failed logins and intimate the user to reset their password.
CAPTCHA is a great way to reduce the effectiveness of credential stuffing attacks. It must be used in combination with other means and used intelligently to challenge the traffic since it can be disruptive for the business.
Credential stuffing can also be prevented by using device fingerprinting. Create a fingerprint for each session through information such as language, OS, browser, time zone, etc., collected from user devices. If the same combination of parameters is used several times in sequence for logging in, it is probably an attack. You can then engage in IP blocking, temporary bans, etc., for the fingerprint.
Conclusion
Credential stuffing, a bot-based attack, can be stopped and mitigated effortlessly if you invest in a comprehensive, intelligent, managed bot management and security solution like AppTrana.
Stay tuned for more relevant and interesting security articles. Follow Indusface on Facebook, Twitter, and LinkedIn.
This post was last modified on August 2, 2023 09:23
A Managed WAF is a comprehensive cybersecurity service offered by specialized providers to oversee, optimize,… Read More
Explore crucial tactics like Asset Inventory, Patch Management, Access Control & Authentication, and additional best… Read More
Delve into the data privacy questions including consent protocols, data minimization strategies, user rights management,… Read More
