Credential stuffing is an attack in which the attacker takes username/password pairs gathered from data breaches and replays them against other login endpoints. A typical scenario: the attacker collects the breached credentials of one service run by a well-known eCommerce vendor and tries them against another service from the same vendor, or against unrelated sites entirely. It works because users tend to reuse the same password across services so that they have less to remember, and that convenience is exactly what the attacker benefits from.
First, the key difference between a brute-force attack and credential stuffing. A brute-force attack guesses usernames and passwords against one service with no prior knowledge. Credential stuffing uses exposed/breached pairs that are known to have been valid somewhere, which narrows the candidate list to combinations with a real chance of being correct.
Statistically, credential stuffing has a low success rate, around 0.1%: out of 1,000 pairs tried, roughly one account is taken over. But the volume of data traded on the black market, and the prices attackers are willing to pay for it, show that it is still worth doing. Even a list of 100,000 pairs yields about 100 accounts at that rate, and the lists in circulation run to billions of records. Each taken-over account may hold profitable (sensitive) data, so even a small success rate rewards the attacker's effort, and because the same password is likely reused elsewhere, the attacker can turn around and use those accounts against many more services.
Bot technology is what makes this attack workable. Web applications are typically built to temporarily block, or permanently ban, an IP address after a run of failed logins from the same source. A botnet (or a pool of proxies) lets the attacker spread the attempts across many IP addresses in many locations, so each address stays under the per-IP failure threshold and the attempts look like ordinary logins from ordinary users.
Companies struggle with these attacks because the obvious response, locking the targeted accounts, also locks out the legitimate customers behind them, and a customer locked out because of someone else's attack is a customer the business may lose.
Preventive methods against Credential Stuffing
Users should use a different password for each service. If a user has a unique password per service, this attack is ineffective against their accounts.
Companies need the security controls to prevent their own credential stores from being breached, and, since breaches still happen, should store passwords only as salted hashes with a slow algorithm (bcrypt, scrypt or Argon2), so that a leaked database is not directly usable as a stuffing list.
Multi-Factor Authentication gives an account a second layer of security. But rolling it out to every end user and every service is a tough challenge for an enterprise. Where MFA cannot be required on every login, the following signals can be used to decide when to challenge or block an attempt:
- A new IP address or a new device/browser for the account.
- The geographic location of the attempt, compared with where the service is offered or where the user normally logs in from.
- A lookup of the source IP against blacklists.
- Multiple login attempts against multiple accounts from the same IP.
- Whether the pattern of attempts looks manual or scripted.
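How those signals combine into a decision is easier to see in code. The following is an added example, not code from the original article: it replays a constructed authentication log and scores each attempt with the signals listed above. The log format, the weights and thresholds, the blocklist contents and the list of "scripted" User-Agent markers are all assumptions chosen for illustration.

```python
"""Login risk scoring from the signals above.

Added example, not code from the original article. The log format, the
weights and thresholds, the blocklist and the list of scripted
User-Agent markers are all assumptions chosen for illustration, and the
log lines are constructed sample data.
"""

# Constructed sample log. Fields: ts ip user result country user_agent.
# 203.0.113.7 walks a breached list across many accounts with a script;
# alice then logs in from her usual browser and later from a listed bad IP.
SAMPLE_LOG = """\
1 203.0.113.7 alice fail US python-requests/2.31
2 203.0.113.7 bob fail US python-requests/2.31
3 203.0.113.7 carol fail US python-requests/2.31
4 203.0.113.7 dave ok US python-requests/2.31
5 203.0.113.7 erin fail US python-requests/2.31
6 198.51.100.2 alice ok US Mozilla/5.0 (Windows NT 10.0) Chrome/120
7 198.51.100.2 alice fail US Mozilla/5.0 (Windows NT 10.0) Chrome/120
8 192.0.2.9 alice ok BR Mozilla/5.0 (X11; Linux) Firefox/121
"""

BLOCKLISTED_IPS = {"192.0.2.9"}  # assumed threat-intel feed (constructed)
# Non-browser client strings treated as "scripted" (assumed list).
SCRIPTED_UA_MARKERS = ("python-requests", "curl/", "HeadlessChrome", "Go-http-client")


def parse_log(text):
    """Parse the constructed log into a list of event dicts, in order."""
    events = []
    for line in text.splitlines():
        ts, ip, user, result, country, ua = line.split(" ", 5)
        events.append({"ts": int(ts), "ip": ip, "user": user,
                       "ok": result == "ok", "country": country, "ua": ua})
    return events


def score_attempt(event, history):
    """Score one attempt against everything seen before it.

    Returns (score, reasons). Weights are assumptions; tune per service."""
    score, reasons = 0, []
    same_ip = [e for e in history if e["ip"] == event["ip"]]

    # Many distinct accounts tried from one source: the stuffing signature.
    if len({e["user"] for e in same_ip}) >= 3:
        score += 3
        reasons.append("many accounts from one IP")
    # Mostly failures from that source (valid pairs are rare in a breached list).
    if len(same_ip) >= 3 and sum(not e["ok"] for e in same_ip) / len(same_ip) >= 0.5:
        score += 2
        reasons.append("high failure ratio from IP")
    # Scripted rather than manual: a non-browser client string.
    if any(m in event["ua"] for m in SCRIPTED_UA_MARKERS):
        score += 2
        reasons.append("scripted client")
    # Source IP on a blacklist.
    if event["ip"] in BLOCKLISTED_IPS:
        score += 3
        reasons.append("blocklisted IP")
    # Compare with the account's own successful history: new IP / country / device.
    prior_ok = [e for e in history if e["user"] == event["user"] and e["ok"]]
    if prior_ok:
        if event["ip"] not in {e["ip"] for e in prior_ok}:
            score += 1
            reasons.append("new IP for user")
        if event["country"] not in {e["country"] for e in prior_ok}:
            score += 2
            reasons.append("new country for user")
        if event["ua"] not in {e["ua"] for e in prior_ok}:
            score += 1
            reasons.append("new device for user")
    return score, reasons


def decide(score):
    """Map a score to an action. Thresholds are assumptions."""
    if score >= 5:
        return "block"
    if score >= 2:
        return "step-up"  # require MFA or a second step before issuing a session
    return "allow"


def analyze(text):
    """Replay the log in order; return (ts, user, decision, reasons) per attempt."""
    events = parse_log(text)
    out = []
    for i, ev in enumerate(events):
        score, reasons = score_attempt(ev, events[:i])
        out.append((ev["ts"], ev["user"], decide(score), reasons))
    return out


if __name__ == "__main__":
    for ts, user, decision, reasons in analyze(SAMPLE_LOG):
        print(ts, user, decision, ", ".join(reasons))
```

Two things are worth noticing in the output. The attempt for dave on line 4 carries a valid password and still gets blocked, because the decision is made on the source's behaviour rather than on whether the pair is correct; that is the point of scoring, since a correct pair from a stuffing run is exactly the one that matters. And alice's own failed attempt from her usual browser is allowed, so a typo does not cost a legitimate user an MFA prompt or a lockout.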
If MFA won't work for a service, a secondary password, PIN or security questions can serve as a defense, with the caveat that answers to security questions are often guessable or publicly discoverable, so they are the weakest of the three. CAPTCHA can be used against the bot traffic, but only as an added layer: tools exist that break CAPTCHAs with a high success rate.
Block the source IP address once investigation shows that multiple login attempts came from it.
Require a username that is different from the email address. Many services use the email address as the username, and most users have one email address that they use everywhere; if the same email is the username on every site, the attacker gets a ready-made email/password pair to try across all of them.
Device fingerprints can be used. Many frameworks support gathering them, and even plain HTTP headers reveal a lot about the device and client. A user account can be tagged with that device information and a login from an unknown device challenged. In practice, though, users use several devices for the same service, so how strictly this can be applied depends on the service.
A multi-step login process can be used, for example accepting the username first and the password in a separate request after the server has responded, so that a single scripted POST carrying a username/password pair does not complete the login. A script can still follow the steps, so this raises the cost of the attack rather than stopping it.
Block headless requests, that is, requests that do not come from a real browser; this can be implemented with the fingerprinting method above. A periodic password change policy is also sometimes used, though forced rotation on a schedule is no longer recommended (NIST SP 800-63B advises against it, since it pushes users toward weak, predictable variations); rotation after a known or suspected compromise is the case that helps.
Identifying the leaked passwords
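Checking whether a submitted password already appears in a breach corpus can be done without handing the password, or even its full hash, to the lookup service. The following is an added example, not code from the original article: it implements the client side of the k-anonymity range scheme used by Have I Been Pwned's Pwned Passwords API (the client sends the first 5 hex characters of the upper-case SHA-1 hash and receives every matching suffix with a count). The corpus here is a constructed in-memory stand-in with invented counts; the real service is an HTTPS GET to https://api.pwnedpasswords.com/range/<prefix>, which this code does not call.

```python
"""Check a password against a breached-password corpus without revealing it.

Added example, not code from the original article. It follows the
k-anonymity range scheme of the Pwned Passwords API: the client sends
only the first 5 hex characters of the SHA-1 hash and receives every
matching suffix with a count. The corpus below is a constructed stand-in
with invented counts; no network call is made.
"""
import hashlib


def sha1_prefix_suffix(password):
    """Split the upper-case SHA-1 hex of the password into (5-char prefix, 35-char suffix)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


# Constructed corpus: a few known-leaked passwords with invented counts.
# The real API serves "SUFFIX:COUNT" lines per prefix; we build that shape here.
_CONSTRUCTED_LEAKS = {"password": 9545824, "123456": 37359195, "letmein": 240377}
RANGE_STORE = {}
for _pw, _count in _CONSTRUCTED_LEAKS.items():
    _prefix, _suffix = sha1_prefix_suffix(_pw)
    RANGE_STORE.setdefault(_prefix, []).append(f"{_suffix}:{_count}")


def range_lookup(prefix):
    """Stand-in for GET /range/<prefix>: all suffixes sharing that prefix.

    The server only ever sees the 5-character prefix, so it cannot tell
    which of the returned suffixes (if any) the caller was interested in."""
    if len(prefix) != 5:
        raise ValueError("range queries take exactly 5 hex characters")
    return RANGE_STORE.get(prefix, [])


def breach_count(password):
    """Number of times the password appears in the corpus (0 if never seen)."""
    prefix, suffix = sha1_prefix_suffix(password)
    for line in range_lookup(prefix):
        found_suffix, count = line.split(":")
        if found_suffix == suffix:
            return int(count)
    return 0


def registration_check(password):
    """Policy hook for sign-up or password change: reject any breached password."""
    return "reject" if breach_count(password) > 0 else "accept"


if __name__ == "__main__":
    for candidate in ("password", "correct horse battery staple"):
        print(candidate, breach_count(candidate), registration_check(candidate))
```

Run this check at registration and at password change, not only at login: a password that is already in a stuffing list is compromised before the account has ever been attacked, and rejecting it up front removes that account from the attacker's hit rate.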
Users should be notified when an unusual login is made to their account. Take care not to flood the user with notifications, or they stop reading them as a security warning. A notification can carry the device, location, date and time of the unusual login. Give users a view of the active sessions on their account and the ability to terminate any session that is not theirs.