Latest Blogs
By AMSAT Sep 9, 2022
How to Prevent and Reduce Attacks Involving Credential Stuffing
While newly discovered data breaches have become a dime a dozen, we hardly ever learn the specific effects of any such catastrophic event on an organization. This is because it takes time for the data to be sold and utilized for crimes, making it challenging to determine the cause and effect. Even if a data breach occurred at a business with which you do not share any sensitive information, this does not guarantee your safety because, through a practice known as credential stuffing, your login information for that business could be used to access all of your other accounts.
This article takes an insight into credential stuffing attacks and suggests defenses against them.
What is credential stuffing?
Attackers who use automated tools or botnets to inject pre-collected credentials into user accounts of the same or different organizations are known as credential stuffers.
Credential stuffing is simple to carry out and frequently succeeds. On several platforms, users frequently utilize the same login information. The other accounts can be compromised if the attacker obtains the username password of one of these accounts.
The availability of vast quantities of compromised credentials is another factor contributing to the simplicity with which credential stuffing attacks can be executed. Breach credentials are publicly available in plaintext on the dark web, while attackers can also purchase them.
What is the process of a credential stuffing attack?
The hacker adds the list of credentials they have obtained or stolen to a botnet or automated tool. The automated tool or botnet automatically tests the credential pairs on numerous websites simultaneously while utilizing various IP addresses.
The website(s) that the hacked set of credentials can access are identified by the botnet or automated program. Automation reduces the attacker’s need to repeatedly log in to a single service. The attacker keeps track of successful logins and performs harmful actions including
- Obtain private information
- Transfer money
- Engage in online fraud
Brute force attacks versus credential stuffing
Credential stuffing is distinct from brute force attacks, despite their similarities. The primary distinction is that attackers try to guess passwords in the absence of context or information from earlier breaches. Attackers can break the credentials by changing the letters, digits, etc., or by using random strings, passwords that are easy to guess, etc.
Effective methods for preventing credential stuffing attacks
Multi-Factor Authentication (MFA) Multi-factor authentication is one of the finest defenses against credential stuffing. MFA mandates that users go through additional authentication procedures to demonstrate that they are a real person and not a bot or an intruder attempting to access the account. One of the greatest ways to authenticate a user is to ask them to enter an OTP that was given to a pre-registered phone number.
Because MFA can be disruptive to business, it might not always be possible to implement it. As a result, it is combined with other security measures like device fingerprinting, automatically enabling MFA for users who are deemed to be at higher risk, etc.
- Set Strong Password and Authentication Policies in Place
- Create distinctive usernames and robust passwords with password managers
- Make users establish unique passwords for each of their accounts
- Limit the amount of failed authentication requests very strictly.
For instance, BFSI businesses often freeze the user account without exception after a maximum of 3-5 unsuccessful login attempts. Thus, in order to reactivate the account, the user needs visit a branch. In some industries, you can specify a time limit for failed login attempts and notify the user to change their password even if the accounts cannot be frozen.
For users, passwords, and other information kept in your database, utilize credential hashing. Never keep credentials in plaintext.
Keep an eye out for public data dumps to see whether your database contains any compromised email addresses or passwords. If so, mandate MFA and password reset for such users.
Use CAPTCHA
Credential stuffing attacks can be effectively diminished by using CAPTCHA. Since it can be disruptive to the business, it must be used sensibly and in conjunction with other methods to challenge the traffic.
Fingerprinting of devices
Device fingerprinting is another method for preventing credential stuffing. Using data gathered from user devices, such as language, OS, browser, time zone, etc., create a fingerprint for each session. If the exact same set of parameters are used to log in repeatedly in a row, it is probably an attack. Then, you can use the fingerprint to block IP addresses, impose temporary bans, etc.
Additional measures
- Geographical rate limiting, origin data centers, etc.
- Using threat intelligence and insights from granular traffic analysis, IP blacklisting
- Stop using headless browsers
The final word
Credential stuffing, a bot-based attack, can be halted and alleviated smoothly if you invest in an all-inclusive, intelligent, managed bot management and security solution like AMSAT.
TAGS
- Cyber Crime
- Cyber Security
Recent Blogs
Ready to Get Started?
Our specialists are ready to tailor our security service solutions to fit the needs of your organization.
