Beware of an emerging security threat – credential stuffing – that involves bots making high-volume login attempts with stolen user credentials to execute catastrophic account hijacking and takeovers.
A credential stuffing attack forced Reddit to reset user passwords. The company locked users’ accounts and urged them to reset their passwords and enable two-factor authentication. 2019 has barely begun, and we already see a cyber-attack.
Hackers are hungrily waiting for customer data. We know this sad truth, yet most of us fail to follow good Internet practice. We often see warnings pop up while setting up a new account on a login page, alerting us to the strength of the chosen password. Ignoring all the warnings, most of us still reuse the same credentials across multiple accounts or simply enter the weakest password, say 123456. These poorly crafted login credentials become one of the ways for malicious actors to carry out their illegal activities. Let’s explore how:
What is credential stuffing?
When a data breach occurs, customers’ personally identifiable information is compromised, and that includes their login credentials. Take the example of LinkedIn’s 2012 security incident: in the wake of that breach, the company lost 167 million account credentials.
The spilled credentials are then used by hackers to execute their malicious agenda. They simply script or design bots to test the breached credentials against a series of online applications. Because so many passwords are reused or weak, there is roughly a 2 percent success rate for account takeovers.
Successful logins enable hackers to carry out illicit activities ranging from stealing credit card details to purchasing items of their choice to stealing medical data, and much more. Not only customers but also organizations face major financial loss. According to Akamai’s report, “the total cost associated with credential stuffing, including fraud-related losses, operational security, application downtime, and customer churn can range from 6 million to 54 million dollars annually.”
How do businesses keep their customers’ login details safe? How would they know whether a login request is legitimate? When a business fails to recognize traffic coming from a bad bot, it ends up granting access to bad actors. Whom to blame? The organizations that fail to distinguish a real person from a software program, or the customers who do not set strong, unique passwords? Actually both. From the organization’s angle, though, a credential stuffing attack is so stealthy that it requires sophisticated tools to spot and guard against. Fortunately, credential stuffing attacks are automated rather than carried out manually, and that automation is probably the defender’s best opening in this battle.
How to mitigate credential stuffing attacks?
Over the past few years, hackers have become more sophisticated in carrying out malicious activities. Earlier, bots were simple scripts, easily detected by checking how they handled cookies. But today’s sophisticated bots imitate a web browser, which makes it difficult for a bot management application to distinguish bad bots from good ones.
Credential stuffing attacks are similarly difficult to detect. Organizations should therefore adopt advanced bot detection techniques such as JavaScript challenges, device fingerprinting, and behavior-based detection systems.
- JavaScript challenge – JavaScript code is added to the HTML page served to the browser and executes when the page loads. The challenge then checks whether the incoming client was able to execute that code; a client that cannot is treated as illegitimate. This technique addresses sophisticated bots that emulate a browser without actually running one.
- Browser/device/machine fingerprinting – Browser fingerprinting is a robust technique that gathers information about the browser: its type and version, active plugins, configured language and fonts, and other such characteristics. A bot management solution then monitors the browser fingerprint to detect malicious intent and can identify whether the client is really a bot trying to pass as an authorized browser.
- Behavior-based detection systems – This is one of the most sophisticated bad-bot detection approaches. It collects and monitors user inputs, behavior, and interactions, from mouse hovers and keystrokes to site navigation and mouse clicks. This data is then fed to a bot management solution that uses machine learning to identify bad bots. For example, a human cannot draw a perfectly straight line with a mouse, so perfectly straight cursor movement tells its own story: the operator is a bot, not a human.
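Beyond client-side signals, the login logs themselves show the pattern the post describes: one source trying many distinct usernames at high volume with a low success rate. The detector below is an added example (not the post’s or any vendor’s code) run over constructed audit lines; the log format and the thresholds are assumptions.

```python
"""Credential-stuffing detector over constructed login-audit lines.
Heuristic (thresholds are illustrative assumptions): a stuffing source tries
many DISTINCT usernames at volume with a low success rate, whereas a human
who mistyped a password retries one username a few times."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log: "timestamp client_ip username result"
SAMPLE_LOG = """\
2019-01-10T08:00:01Z 203.0.113.7 alice FAIL
2019-01-10T08:00:02Z 203.0.113.7 bob FAIL
2019-01-10T08:00:02Z 203.0.113.7 carol FAIL
2019-01-10T08:00:03Z 203.0.113.7 dave FAIL
2019-01-10T08:00:03Z 203.0.113.7 erin OK
2019-01-10T08:00:04Z 203.0.113.7 frank FAIL
2019-01-10T08:00:04Z 203.0.113.7 grace FAIL
2019-01-10T08:00:05Z 203.0.113.7 heidi FAIL
2019-01-10T08:01:00Z 198.51.100.9 alice FAIL
2019-01-10T08:01:20Z 198.51.100.9 alice FAIL
2019-01-10T08:01:45Z 198.51.100.9 alice OK
"""

def parse(line):
    ts, ip, user, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result

def stuffing_sources(log, window=timedelta(minutes=5), min_attempts=6,
                     min_distinct_ratio=0.8, max_success_rate=0.2):
    """Return {ip: stats} for sources whose login attempts look like stuffing."""
    by_ip = defaultdict(list)
    for line in log.strip().splitlines():
        ts, ip, user, result = parse(line)
        by_ip[ip].append((ts, user, result))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0  # sliding time window over this source's attempts
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            win = events[start:end + 1]
            n = len(win)
            if n < min_attempts:
                continue
            distinct = len({u for _, u, _ in win}) / n
            success = sum(r == "OK" for _, _, r in win) / n
            if distinct >= min_distinct_ratio and success <= max_success_rate:
                flagged[ip] = {"attempts": n, "distinct_ratio": distinct,
                               "success_rate": success}
    return flagged
```

The legitimate user at 198.51.100.9 (one username, three tries) is never flagged, while the source cycling through eight different accounts is; in practice the key would be a device fingerprint rather than an IP, since stuffing bots rotate addresses.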