Did you know?
According to a survey conducted in the US, an average user has around 120 online accounts!
81% of users have used the same password across two or more sites, and 25% of users use the same password across a majority of their accounts.
In today's climate of rampant cyberattacks, remembering every password and keeping each one secret is an arduous task. Credential stuffing is a major and growing cyber threat that every organization faces.
Credential stuffing is a cybercrime in which hackers use large volumes of illegally obtained credentials to log in to many digital applications at once using automation software. These fraudsters capitalize on people reusing the same username and password pair across numerous accounts. The enormous databases of credentials are usually acquired from corporate data breaches or phishing attacks, or bought on the dark web with bitcoin.
Hackers might use credentials obtained by breaking into an e-commerce site to sign in to a banking site. The assumption is that a fraction of the e-commerce customers also have an account at that bank, and that at least a few of them use the same credentials for both sites.
The success rate of a credential stuffing attempt is as low as 0.1-2%. Fraudsters still prefer it because of the massive amount of data they deal with. An infamous database in recent times, called ‘Collection #1-5’, is said to contain 2.2 billion unique username and password combinations in plaintext and is downloadable free of charge. Sophisticated automation tools and bots also make the attack easier to carry out. Even though attackers compromise only a small number of accounts, they steal information such as credit card numbers, gift card balances and personal data they can use for future phishing attacks, which makes their effort worthwhile.
If a company has been the victim of a credential stuffing attack, it does not necessarily mean that its own security has been compromised: the credentials may have come from data breaches at other organizations.
Credential stuffing attacks are proliferating for several reasons. Hacking tools are now more advanced, easily affordable and in many cases free. By contrast, conducting other kinds of cyberattacks has become more labor-intensive and expensive. Also, because attackers present themselves with real users' identities, it is hard for a company to notice an attack until it is too late. The window between the initial attack and its public notification, estimated to be as long as 15 months, is the crucial period in which credential stuffers do their damage.
Cybercriminals employ different techniques to execute credential stuffing. They sometimes gain unauthorized access to important accounts by first breaching less important ones, such as a grocery loyalty program. Hackers cannot simply attempt to log in to a website numerous times from a single IP address or browser, because web services are programmed to block any activity that could destabilize them. Web services limit the rate of suspicious logins by deliberately introducing time delays and banning the IP addresses of users with repeated failed login attempts. Therefore, hackers resort to malicious software and botnets that use proxy lists to bounce the login requests around the web, making them look as if they come from many different IP addresses and browsers. They also use standard software capable of bypassing CAPTCHA challenges and multi-factor authentication.
Organizations are continually attempting to detect and prevent credential stuffing attacks. Blocking only the suspicious sign-in attempts, without blocking or hindering legitimate activity, is a challenging task.
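As an added illustration of the detection problem above (this code is not from the original article), the following Python runs two checks over a constructed authentication log: the per-IP failure counting and banning the article describes, and a window-wide check that looks at the overall failure share and how many distinct accounts the failures target, which is what remains visible once attempts are spread across many IP addresses. The log format, field names and thresholds are assumptions.

```python
from collections import Counter

# Constructed sample log, one attempt per line: "<epoch> <ip> <username> <ok|fail>".
# The 203.0.113.x lines model a distributed run: one attempt per source, each on a different account.
SAMPLE_LOG = """\
1000 10.0.0.5 alice ok
1001 10.0.0.5 alice fail
1002 203.0.113.1 bob fail
1003 203.0.113.2 carol fail
1004 203.0.113.3 dave fail
1005 203.0.113.4 erin fail
1006 203.0.113.5 frank fail
1007 203.0.113.6 grace fail
1008 203.0.113.7 heidi fail
1009 203.0.113.8 ivan fail
1010 10.0.0.9 judy ok
"""

def parse_log(text):
    """Return (timestamp, ip, username, succeeded) tuples."""
    events = []
    for line in text.splitlines():
        ts, ip, user, result = line.split()
        events.append((int(ts), ip, user, result == "ok"))
    return events

def ips_to_ban(events, max_failures=5):
    """Per-IP control from the article: ban sources with more failures than allowed (threshold assumed)."""
    fails = Counter(ip for _, ip, _, ok in events if not ok)
    return {ip for ip, n in fails.items() if n > max_failures}

def stuffing_indicators(events, min_attempts=8, fail_share=0.6, user_spread=0.8):
    """Window-wide view: a high share of failures spread across many distinct
    accounts is what stays visible when attempts are bounced through proxies
    so that no single IP crosses the per-IP threshold (thresholds assumed)."""
    total = len(events)
    failed = [e for e in events if not e[3]]
    if total < min_attempts or not failed:
        return {"suspicious": False, "failed": len(failed), "failure_share": 0.0, "user_spread": 0.0}
    distinct = len({user for _, _, user, _ in failed})
    share, spread = len(failed) / total, distinct / len(failed)
    return {"suspicious": share >= fail_share and spread >= user_spread,
            "failed": len(failed), "failure_share": round(share, 2), "user_spread": round(spread, 2)}

if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("per-IP bans:", ips_to_ban(evs))          # set(): no source crosses the per-IP limit
    print("window view:", stuffing_indicators(evs))  # suspicious: True
```

On the sample log no IP is banned, yet nine of eleven attempts failed, each against a different account, which is the pattern the per-IP rule alone cannot see.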
The following are a few ways to secure sensitive data.
For individual users:
- Use an efficient password manager
- Opt in to multi-factor authentication when available
- Regularly reset passwords
- Set a strong and unique password for every account
- Avoid using public Wi-Fi
For organizations:
- Introduce CAPTCHA or an equivalent human verification
- Offer multi-factor authentication
- Employ bot management
- Build a secure system for password and account recovery
- Make it mandatory for employees to periodically reset passwords
Credential stuffing will remain a viable cybercrime if organizations and individuals are not cautious enough. Organizations should leverage technology and introduce techniques to safeguard passwords, as it is always better to be safe than sorry.