Credential Stuffing (Account Takeover)
Ponemon Institute states that 12.7 attacks occur each month and that the number is rising with the migration to the cloud. Companies do not have sufficient solutions for preventing and containing these attacks. The growing concern is that current IT strategies are moving to the cloud, which brings another level of risk to the organization.
What is Credential Stuffing?
Credential stuffing is a dangerous automated attack technique in which stolen or leaked credentials are fed to scripts that hammer online services with username (or email address) and password pairs, in the hope that some of them are accepted as legitimate. Companies with an online presence are typically vulnerable to this attack. According to Ponemon Institute, "Credential stuffing attacks can range from an average of more than $500,000 if 1 percent of all compromised accounts result in monetary loss to more than $54 million if 100 percent of all compromised accounts result in monetary loss." In addition, credential stuffing is difficult to identify, detect and remediate because the impostors accessing your website look like legitimate users. The massive volume of leaked credentials available on the web supplies the data that automated tools use to attempt logins to services.
The common ways cyber criminals obtain large lists of stolen user logins and related information for credential stuffing attacks are phishing, spam, botnets, leaked and stolen databases, brute-force attacks, and reuse of stolen passwords and security-question answers. How is your data interlinked, personally and in your business? Cyber criminals take advantage of how people interact with systems and prey on the same username and password being used for multiple accounts. So, when large companies get exploited, your organization's and your personal data could be at risk. Data is at a premium, and your credentials are the start of an end-to-end solution for the bad guys.
Why is it important to pay attention to credential stuffing as a company?
Credential compromise is not new; it is just evolving with automation to increase the likelihood of a successful attack. So, what is the impact and risk to the organization? A successful attempt hits the bottom line with a monetary loss. During the attempt, the organization can experience outages, slow response times, overwhelmed support center queues, and irritated customers. Credential stuffing builds a high level of frustration among end users that can result in reputation loss for the department or the business. Reputation loss or brand impact is the killer when it comes to a successful attack, because of the continuous social media and press coverage of the business for not taking security seriously. The result is lost customer confidence, lost potential business and current engagements, and an impact on the business for years.
So, what is the defense for Credential Stuffing?
Work with a third party to identify your risk to credential stuffing and surrounding exploits
Understand your environment through vulnerability assessments, then test your findings to probe deeper into your web applications
Create unique passwords, use passphrases, and change them often
Use a password manager
Two-factor authentication, which provides a layered approach to security
Monitor with behavior-based technology that looks for patterns and alerts on anomalous activity in your environment
Cloud Access Security Broker (CASB)
Address your security hygiene and security posture
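As an added example, not taken from the original article, the following detector shows the kind of pattern the monitoring item above is looking for: one source address making many login attempts against many distinct accounts in a short window, with mostly failures. The log format, the sample lines and the thresholds are all assumptions constructed for this illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log (hypothetical format: timestamp, source IP, username, outcome).
SAMPLE_LOG = """\
2024-03-01T10:00:01 198.51.100.7 alice FAIL
2024-03-01T10:00:02 198.51.100.7 bob FAIL
2024-03-01T10:00:02 198.51.100.7 carol FAIL
2024-03-01T10:00:03 198.51.100.7 dave FAIL
2024-03-01T10:00:04 198.51.100.7 erin OK
2024-03-01T10:00:05 198.51.100.7 frank FAIL
2024-03-01T10:00:06 198.51.100.7 grace FAIL
2024-03-01T10:00:07 198.51.100.7 heidi FAIL
2024-03-01T10:00:08 198.51.100.7 ivan FAIL
2024-03-01T10:00:09 198.51.100.7 judy FAIL
2024-03-01T10:01:00 203.0.113.5 alice FAIL
2024-03-01T10:02:00 203.0.113.5 alice OK
"""

def parse_line(line):
    ts, ip, user, outcome = line.split()
    return datetime.fromisoformat(ts), ip, user, outcome == "OK"

def detect_credential_stuffing(log_text, window=timedelta(minutes=5),
                               min_attempts=10, min_distinct_users=8,
                               max_success_ratio=0.2):
    """Return {ip: summary} for source IPs whose attempts in some sliding
    window look like stuffing: many attempts, many distinct usernames, mostly
    failures. A user mistyping their own password hits one account, not ten."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, ip, user, ok = parse_line(line)
            by_ip[ip].append((ts, user, ok))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # advance `start` so that events[start:end+1] all fall inside `window`
            while events[end][0] - events[start][0] > window:
                start += 1
            chunk = events[start:end + 1]
            users = {u for _, u, _ in chunk}
            successes = sum(1 for _, _, ok in chunk if ok)
            if (len(chunk) >= min_attempts and len(users) >= min_distinct_users
                    and successes / len(chunk) <= max_success_ratio):
                flagged[ip] = {"attempts": len(chunk), "distinct_users": len(users),
                               "successes": successes,
                               "compromised": sorted(u for _, u, ok in chunk if ok)}
                break
    return flagged
```

The "compromised" list is the set of accounts the flagged source actually got into, which is where incident response (forced password reset, session revocation, customer notification) starts.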
Data security is, and will always be, a multi-layered approach with direct emphasis on the people and processes first, and then on selecting the right technology to meet your organization's needs. Fall in love with the solution, not the technology. As credential stuffing goes unchecked with minimal defenses, the risk to the organization increases and customer data becomes vulnerable. The cycle of infiltrating a company's systems and stealing credentials will not go away; it will grow as cyber criminals adopt technology, machine learning, big data analytics and artificial intelligence. The longevity of credential stuffing attacks can be attributed to poor security hygiene, ongoing systematic failures, the lack of end-user awareness that would prevent password reuse, companies' failure to identify, detect and respond in a timely manner, and the lack of resources needed to address the issue. Organizations need to lean on experts in these areas to fill the security gaps and to clean up the security hygiene that most organizations need. If these attacks go unchecked, they keep providing a hefty return on investment for fraudsters and attackers. Security experts have provided a lot of great information about credential stuffing; please see the related white papers.