Credential stuffing attacks are becoming increasingly common, leading to financial harm and reputational damage for businesses. Dan Woods, VP, Shape Intelligence Center at F5, shares five key strategies to help enterprises defend against them and keep their customers safe.
It is not surprising that online privacy is a universal concern. Multiple reports note that in 2020 alone, more than 30 billion records were compromised, which is more than the numbers from the past 15 years combined. Cybercriminal gangs leverage these stolen records in automated credential stuffing attacks designed to take over user accounts using leaked or stolen credentials. Once attackers gain access, they can sell the accounts, harvest company and customer data, or steal money and points from loyalty accounts, causing financial harm and reputational damage to businesses.
According to the 2021 Credential Stuffing Report from F5 Labs, more than 80% of hacking-related breaches involve brute force or the use of lost or stolen credentials. And with the number of data breaches trending upwards, it’s clear that both customers and the businesses they interact with are facing an identity problem that’s not going away anytime soon.
Let’s look at how these attacks work and why they can be challenging to defend against.
How Does Credential Stuffing Work?
The number of credential spill incidents nearly doubled from 2016 to 2020. And once those credentials are out in the wild, anyone from a criminal gang to a kid in a basement can use them to launch credential stuffing attacks. The problem is not just that credentials are vulnerable to disclosure, but that most users don’t change their passwords even after being notified that they have been compromised. This is a dream scenario for an attacker.
Once the attacker has a set of credentials, they use free or low-cost tools to automate the process of trying millions of username and password combinations on web and mobile applications. Some of these—like Sentry MBA, a simple point-and-click attack tool that fires off username/password combos—work by simulating network traffic, while other, more sophisticated toolkits like Puppeteer and Browser Automation Studio attempt to simulate a browser and even human behavior.
However, there’s a limit to how closely attackers can mimic human behavior, and cybercriminals often turn to actual humans to help them bypass antibot defenses. This manual fraud is more expensive than automated fraud, but it can be worth it if the attacker has a good set of freshly spilled credentials. It’s also challenging for businesses to detect and defend against because it doesn’t just look like human behavior—it is human behavior.
Attackers also understand that sending millions or billions of login requests from a single IP address looks suspicious, so they’ll turn to a proxy service to distribute the attack over a wide range of IPs, obscuring the source and making the traffic look organic.
It’s a seemingly unending arms race. When businesses implement more robust defenses, attackers ramp up the sophistication of their attacks. However, there is a crucial strategy for defending against credential stuffing attacks and keeping your business and customers safe.
The best way to deter attackers is to make it more challenging or expensive to launch attacks against your applications.
How Can You Run Faster Than Your Competitors?
There’s an old story about the two children who come upon a bear in the woods. One of them starts lacing up her running shoes, so the other one asks, “What are you doing? You can’t outrun a bear.” The girl replies, “I don’t have to be faster than the bear. I only have to be faster than you.”
The most comprehensive way to prevent credential stuffing is to use an anti-automation managed service, which can be integrated into your existing architecture with a minimum of hassle and give you the visibility you need to defeat malicious bots, advanced automation, and attempted fraud.
Using a managed service has some tangible benefits compared to deploying an anti-automation platform on your own. It’s continuously monitored by a dedicated security operations center, which reduces the need for in-house expertise. You benefit from the service with large volumes of traffic from various customers, which helps it quickly identify trends and predictable attack patterns and roll out protections automatically. In addition, security countermeasures are continuously and automatically deployed to bolster defenses and frustrate attackers who retool.
Furthermore, a managed service typically has a more mature machine learning and AI practice to analyze the telemetry generated by devices, applications, and the network and detect suspicious behavior. And because it’s a service, you can be up and running in hours or days versus weeks or even months, providing a faster time-to-value for your business.
Five Strategies To Defend Against Credential Stuffing
Credential stuffing will remain a threat as long as businesses require users to log in to accounts online. Usernames and passwords will continue to be leaked and sold, better automation tools will be developed, and cybercriminals will increase their skills at emulating human behavior. If your business uses a web or mobile app that offers the ability to buy or exchange anything of perceived or actual value, you should assume you’re at risk.
In addition to leveraging the expertise of a managed anti-automation platform, you can follow these best practices to reduce the threat of credential stuffing attacks for your organization:
- Encourage unique passwords: Share the top 10 passwords list with your users and urge them to choose a different password (as well as one they haven’t used elsewhere). Reject passwords that have been identified as being compromised.
- Don’t help the attackers: When an attacker tries a username/password combination that fails, tailor the failure message so that it doesn’t give too much information away. For example, a message that reads “login failed” doesn’t let the attacker know whether it was the username or the password that didn’t match.
- Monitor key metrics: Stats like the login success rate and password reset request rate can be very informative. Corporate IT and security teams should continuously monitor systems for signs of attackers using stolen credentials to compromise accounts. If you can detect these attempts early, you can stop the attack in its tracks.
- Ensure that authorization is friction-free for legitimate users: Instead of using a frustrating (and easily thwarted) CAPTCHA, leverage real-time intelligence from the managed service network and SOC monitoring. This will enable you to block suspicious requests while streamlining the process for your actual users.
- Work together: Attackers thrive on siloed teams that don’t communicate. It’s vital to bring your SecOps and fraud teams together to discuss threats to the organization, current attack trends, and better ways of collaborating to protect the business.
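As an added example of the "monitor key metrics" item above (this is not code from the original article or from F5), the Python below computes the per-minute login success rate, distinct-username count and reset-request count over a constructed set of login events and flags windows whose shape matches a credential stuffing run. The events, the baseline success rate and the thresholds are all assumptions.

```python
"""Login-telemetry check for credential stuffing (added example, not F5's code).

Credential stuffing leaves a signature in aggregate login metrics: a burst of
attempts against many distinct usernames and a login success rate far below
the normal baseline. Because attackers spread traffic across proxy IPs, the
rule below deliberately does not depend on per-IP counts.
Sample events are constructed for illustration; thresholds are assumed.
"""
from collections import defaultdict

# Constructed sample log: (minute bucket, username, source IP, outcome)
EVENTS = [
    (0, "alice", "10.0.0.1", "success"), (0, "bob", "10.0.0.2", "success"),
    (0, "carol", "10.0.0.3", "fail"), (0, "carol", "10.0.0.3", "success"),
    (0, "dave", "10.0.0.4", "reset"),
] + [
    # Minute 1: 60 attempts, 60 different usernames, 60 different IPs, 3 hits
    (1, f"user{i}", f"203.0.113.{i}", "success" if i % 20 == 0 else "fail")
    for i in range(60)
]

def window_metrics(events):
    """Aggregate per minute: attempts, success rate, distinct users/IPs, resets."""
    buckets = defaultdict(list)
    for minute, user, ip, outcome in events:
        buckets[minute].append((user, ip, outcome))
    metrics = {}
    for minute, rows in buckets.items():
        logins = [r for r in rows if r[2] in ("success", "fail")]
        successes = sum(1 for r in logins if r[2] == "success")
        metrics[minute] = {
            "attempts": len(logins),
            "success_rate": successes / len(logins) if logins else 1.0,
            "distinct_users": len({r[0] for r in logins}),
            "distinct_ips": len({r[1] for r in logins}),
            "resets": sum(1 for r in rows if r[2] == "reset"),
        }
    return metrics

def flag_windows(metrics, baseline_rate=0.8, min_attempts=50, user_ratio=0.9):
    """Return minutes that look like stuffing: volume up, success rate collapsed
    to a fraction of baseline, and nearly one username per attempt (each leaked
    pair is typically tried once)."""
    flagged = []
    for minute, m in sorted(metrics.items()):
        if (m["attempts"] >= min_attempts
                and m["success_rate"] < baseline_rate / 4
                and m["distinct_users"] >= user_ratio * m["attempts"]):
            flagged.append(minute)
    return flagged
```

In production the baseline success rate and the attempt threshold should be derived from the application's own historical login telemetry rather than fixed constants.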
Stay Safe In the (Online) Woods
Defending against credential stuffing can feel like an uphill battle, and achieving complete invulnerability to these attacks seems unlikely. Cybercriminals are creative and relentless, but your security protections can make it so difficult for them that they give up and move on to easier targets. Just remember the story about the bear and lace up those running shoes.