A credential stuffing attack is a form of cyber attack where the attackers use a list of compromised user credentials to breach a system. The attackers aim to gain collected usernames and passwords to gain fraudulent access into their accounts. Numerous login credentials have landed in the hands of the attackers over the years due to data breaches. According to statistics, about 0.1% of breaches credentials attempt another service will result in a successful login.
Table of Contents
Is credential stuffing similar to brute force?
No, the credential stuffing attack is not the same as brute force. In a brute force attack, the attacker guesses the login details without using any context or using random strings of commonly used passwords. However, with credential staffing, that is not the case, as the attacker will use the login information. In the modern web application that has put in place basic security measures, brute force attacks are likely to fail while you can be sure that credential stuffing attacks can succeed.
How does credential stuffing work?
Learn about the typical process followed by an attacker when they are doing large-scale credential stuffing.
- Step one
The first step that the hackers do during the credential stuffing attacks is to hack into the system to get real log-in details.
- Step two
Setting up bots that can automatically log into many users accounts by using fake IP addresses
- Step three
Running of automated processes to check if the stolen credentials work on any websites. The bots do this by running the process across multiple websites.
- Step four
Monitor the successful logins and obtain personally and identifiable information like credit cards or any other valuable information.
Blocking credential stuffing attacks
Imitating attacks like credential stuffing is viable if the attack cost is lower than the expected outcome. Thus, the attackers will retool the information they get as long as the value they get from the attack is in their favor. Thus, it is your responsibility to strategically place the countermeasures to cause friction repeatedly until the attackers understand that the attack they are trying to make is costing them more than they’re worth. Here are some of the ways you can use to block the credential stuffing attack.
Use of CAPTURE
One of the security measures that you can use to make it challenging for the hackers to get in is by using CAPTURE. This is where humans are required to make an action that will prove they are human. The hackers can bypass the CAPTURE by using headless browsers like MFA and CAPTURE. However, this is a hurdle that increases the hurdle’s cost, even by a fraction. Besides, these security measures work on specific sites, and if you have not tried it on your site, you do not know how successful it will be.
Block of track the headless browsers
Most of the headless browsers are, in most cases, used by attackers. Since the javascript can easily identify these sites, you can easily notice when a headless browser gets into your website. When you notice, it is up to you to determine the action you will take. You can choose to block the traffic as soon as you notice the attack. However, that will only alert the attackers and use other ways to get into your website. The other option is to monitor the actions that the headless browsers take and then develop an effective countermeasure for these actions.
Disallow Email Addresses as under ID
The success of credential stuffing relies on the reuse of usernames or account across services. In most cases, this will happen if the ID is an email address. Prevent the users from using their email addresses as their account ID. You will be drastically reducing the hackers’ possibility of using the same user/password pair on a different website. If so, you will have given hackers a hard time using the credentials. Thus, this is the reason you need to ensure that you disallow the Email Address to be used as an ID.
Track your login success ratio
The other way you can block stuffing attacks is to track the login success ratio of the login people in your account. You need to note that you will never have legitimate traffic with a login success ratio of 0.1-10%. In case you notice such a ratio, then this is a sign that it is the credential stuffers trying to access the account. When credential stuffers start their campaigns, there will be a massive credential list as the ratio will be close to 0%.
Multi-factor Authentication
You can use the other method to block credential stuffing by having users authenticate with something they have. In case the login attempt is by the attacker bots, they will not offer physical authentication methods like a mobile phone or access token. Some of the options you can use when setting the account are MFA and fingerprinting.
Notify the users about unusual security events
If you notice any suspicious or unusual activity in a certain account, you need to notify the user. However, when you notify the user, you need to ensure you have taken proper precautions when notifying them not to get overwhelmed with messages or just ignore them.
Hire experts
Another option you can implement to help in blocking credential stuffing accounts is by hiring cybersecurity companies. These companies have the tools and training that will enable them to deter any fraudulent activities from occurring in your account.
Conclusion
Credential stuffing is not something that is about to go anywhere. Since it cannot be stopped using one technique, the best way to deal with this is by obtaining credentials as challenging as possible. Using weak passwords and the reuse of passwords are the bane of account security.
In case a password is weak or used in multiple accounts, you should note that it will eventually be compromised. For that reason, ensure that you use strong passwords. Besides, you can also use the highlighted points to ensure help in blocking credential stuffing attacks.