By Consultantsreview Team
Credential stuffing is arguably one of the scariest cybersecurity threats we face today. Why? Because it leads to account takeover (ATO), through which attackers gain access to personally identifiable information that they can then use for identity theft or fraudulent transactions.
The technique itself is simple: attackers take a username-password pair that has already been compromised and try it on other digital services. What makes it work is a weakness in human behavior that most of us share, probably even you and me: reusing the same password across many accounts.
Credential stuffing is very dangerous, and in recent years even big brands such as Nest, OkCupid, and DailyMotion have seen user accounts compromised through it.
This is why in this guide we discuss what you need to know about credential stuffing attacks, and especially what you can do to protect your business and yourself from this threat.
We briefly defined credential stuffing above; here we delve into the technicalities.
As mentioned, credential stuffing is a fairly straightforward technique in which the perpetrator already possesses valid username-password pairs. Typically the attacker has obtained a collection of credentials from corporate breaches. These stolen credentials are often sold (or even shared freely) on various forums and on the dark web.
The attacker then simply tries to 'stuff' each of these username-password pairs into the login forms of other platforms. For example, if the stolen credentials came from Gmail, the attacker tries to log in to Facebook with the same credentials.
Billions of credentials have been stolen in the past few years alone, often without the account owners realizing it. Combine this with the fact that many of us reuse the same usernames and passwords across many different accounts, and you can see why credential stuffing is simple, yet powerful and dangerous.
Credential stuffing can be thought of as a type of brute force attack, but there are important differences. A classic brute force attack throws many guessed passwords at one account, so it needs a large number of attempts per account and only succeeds when the password is weak. Credential stuffing tries one known-valid pair per account, across many accounts and many sites, so each account sees only a single attempt and the strength of the password is irrelevant.
So, in a modern web application with even the most basic security measures, such as limited login attempts and CAPTCHA, it is already difficult for a brute force attack to succeed unless the account uses a simple, guessable password.
A credential stuffing attack, on the other hand, can succeed even on a well-secured website and even against accounts that enforce very strong passwords.
While the details vary, here is how an attacker typically carries out a credential stuffing attack. Remember that the assumption is that the attacker already owns working username-password pairs.
Because a credential stuffing attack is so simple yet effective, there is no one-size-fits-all way to protect every account from it. However, since most credential stuffing attacks are carried out by bots or other automated software, detecting and managing that bot activity is a very effective way to stop the attempts.
Keep in mind that you cannot simply block all bot traffic, because there are also good bots that are beneficial to your website (search engine crawlers, for example). This is why a proper bot management solution that can tell good bots from bad bots in real time is so important. Solutions like DataDome detect and mitigate bots that attempt credential stuffing, protecting your website in the process.
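As an added example (not part of the original article, and not DataDome's product code), the following Python script shows the simplest form of the detection described above, run over a few constructed log lines. It encodes the signature that separates stuffing from brute force: one attempt per account against many distinct accounts from a single source, with a low success rate because most leaked pairs are stale. The log format, the addresses and the thresholds are assumptions for this example; a successful login from a flagged source is reported separately, because that account has probably just been taken over.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log (not real traffic). Assumed format:
#   <ISO timestamp> ip=<addr> user=<name> result=<success|failure>
SAMPLE_LOG = """\
2024-05-01T10:00:00 ip=198.51.100.7 user=alice result=failure
2024-05-01T10:00:01 ip=198.51.100.7 user=bob result=failure
2024-05-01T10:00:01 ip=198.51.100.7 user=carol result=success
2024-05-01T10:00:02 ip=198.51.100.7 user=dave result=failure
2024-05-01T10:00:02 ip=198.51.100.7 user=erin result=failure
2024-05-01T10:00:03 ip=198.51.100.7 user=frank result=failure
2024-05-01T10:00:00 ip=203.0.113.5 user=alice result=failure
2024-05-01T10:00:20 ip=203.0.113.5 user=alice result=failure
2024-05-01T10:00:45 ip=203.0.113.5 user=alice result=success
2024-05-01T10:05:00 ip=192.0.2.9 user=grace result=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>success|failure)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "ip": m["ip"],
        "user": m["user"],
        "ok": m["result"] == "success",
    }


def detect_stuffing(log_text, window=timedelta(minutes=5),
                    min_distinct_users=5, max_success_rate=0.5):
    """Flag source IPs that, inside a sliding time window, attempt logins for many
    distinct usernames with a low success rate.  That is the credential stuffing
    signature (one pair per account, many accounts); a brute force source instead
    hammers one username, so it never reaches min_distinct_users.

    Returns {ip: {"attempts", "distinct_users", "success_rate", "compromised"}}
    where "compromised" lists accounts that logged in successfully from a flagged
    source, i.e. likely account takeovers worth forcing a password reset on."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            # advance the window start so that evs[start:end+1] spans at most `window`
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            win = evs[start:end + 1]
            users = {e["user"] for e in win}
            if len(users) < min_distinct_users:
                continue
            rate = sum(e["ok"] for e in win) / len(win)
            if rate > max_success_rate:
                continue
            # keep the widest qualifying window seen for this source
            if ip not in flagged or len(win) > flagged[ip]["attempts"]:
                flagged[ip] = {
                    "attempts": len(win),
                    "distinct_users": len(users),
                    "success_rate": rate,
                    "compromised": sorted(e["user"] for e in win if e["ok"]),
                }
    return flagged


if __name__ == "__main__":
    for ip, info in detect_stuffing(SAMPLE_LOG).items():
        print(ip, info)
```

In the sample, 198.51.100.7 is flagged (six usernames in three seconds, one hit) and carol is reported as the probable takeover, while 203.0.113.5, which retries a single username, is not: that pattern is a brute force or a forgetful user, and the lockout and CAPTCHA controls discussed above already handle it. In production the same logic runs on a stream rather than a file, and the per-IP key is usually widened to a subnet or a device fingerprint, because stuffing tools rotate through proxy pools precisely to stay under per-IP thresholds.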
Educate your employees and users about the dangers of credential stuffing attacks, and encourage them to use a strong, unique password for each of their accounts. Password managers now make it easy to use a totally unique and very strong password on every account.
Two-factor authentication (2FA), or more generally multi-factor authentication (MFA), asks users for a second piece of evidence besides their password before they can access their account.
The second 'factor' is typically something the user has (a one-time code from an authenticator app or SMS, or a hardware security key) or something the user is (a fingerprint or face scan).
The idea is that even after a successful credential stuffing attack the attacker cannot access the account, because the stolen password alone is not enough: they would also need to obtain this second factor.
However, demanding 2FA on too many interactions hurts user experience, so apply it strategically. For example, you may want to require 2FA only when the client's activity looks suspicious (repeated login attempts, an abnormal bounce rate, and so on).
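As an added example, not code from the original article, here is one way to implement that risk-based step-up in Python. The second factor is a standard RFC 6238 TOTP code (HMAC-SHA1, 30-second step, six digits) implemented with the standard library, and it is demanded only when the source address has recently produced several failures or tried several different usernames, the pattern a stuffing bot produces. The user store, the secret (the RFC 4226/6238 reference key "12345678901234567890" in base32), the addresses and the thresholds are hypothetical.

```python
import base64
import hashlib
import hmac
import struct
from collections import defaultdict

# Hypothetical user store: username -> base32 TOTP secret.  The secret below is the
# RFC 4226 / RFC 6238 reference key, so the published test vectors apply.
USER_SECRETS = {"carol": "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"}


def hotp(secret_b32, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, dynamically truncated."""
    key = base64.b32decode(secret_b32, casefold=True)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32, now, step=30, digits=6):
    """RFC 6238 TOTP: HOTP whose counter is the number of `step`-second periods since the epoch."""
    return hotp(secret_b32, int(now) // step, digits)


def verify_totp(secret_b32, code, now, step=30, skew=1):
    """Accept the current code and +/- `skew` steps to absorb clock drift; constant-time compare."""
    counter = int(now) // step
    return any(
        hmac.compare_digest(hotp(secret_b32, counter + d), code)
        for d in range(-skew, skew + 1)
    )


class LoginGuard:
    """Risk-based step-up: a second factor is demanded only once the source IP looks
    automated, i.e. it has produced max_failures failures or tried max_users distinct
    usernames inside the window.  Thresholds are assumptions for the example."""

    def __init__(self, secrets, window=300, max_failures=3, max_users=3):
        self.secrets = secrets
        self.window = window
        self.max_failures = max_failures
        self.max_users = max_users
        self.attempts = defaultdict(list)  # ip -> [(timestamp, username, password_ok)]

    def _recent(self, ip, now):
        self.attempts[ip] = [a for a in self.attempts[ip] if now - a[0] <= self.window]
        return self.attempts[ip]

    def suspicious(self, ip, now):
        recent = self._recent(ip, now)
        failures = sum(1 for _, _, ok in recent if not ok)
        users = {u for _, u, _ in recent}
        return failures >= self.max_failures or len(users) >= self.max_users

    def login(self, ip, username, password_ok, now, totp_code=None):
        """Return 'denied', 'ok', '2fa_required' or '2fa_failed'.
        password_ok is the result of the normal password check, done by the caller."""
        self.attempts[ip].append((now, username, password_ok))
        if not password_ok:
            return "denied"
        if not self.suspicious(ip, now):
            return "ok"                  # low-risk context: the password alone is enough
        if totp_code is None:
            return "2fa_required"        # valid password from a suspicious source: step up
        secret = self.secrets.get(username)
        if secret and verify_totp(secret, totp_code, now):
            return "ok"
        return "2fa_failed"


if __name__ == "__main__":
    guard = LoginGuard(USER_SECRETS)
    print(guard.login("192.0.2.9", "carol", True, 59))               # ok, clean source
    guard.login("198.51.100.7", "alice", False, 40)
    guard.login("198.51.100.7", "bob", False, 50)
    print(guard.login("198.51.100.7", "carol", True, 59))            # 2fa_required
    print(guard.login("198.51.100.7", "carol", True, 59, "287082"))  # ok, correct TOTP
```

One caveat worth keeping in mind: the step-up happens after the password has been validated, so a stuffing bot still learns that the pair is valid even when the second factor stops it, and will resell or retry it elsewhere. Return the same generic response to the client for 'denied' and '2fa_required' while logging the distinction server-side, and treat a '2fa_required' from a flagged source as a signal that the account's password is already known to attackers.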
Using CAPTCHA is the most basic defensive measure against bot activity, and most of us are familiar with it. A CAPTCHA is essentially a test that is (very) easy for a human to answer but hard for a bot or other automated software to solve.
However, with the rise of CAPTCHA farm services, where humans are paid to solve the challenges on a bot's behalf, CAPTCHAs alone are no longer fully effective against bot activity. A proper bot management solution on top of the CAPTCHA test is preferable.
Also, as with 2FA, too many CAPTCHAs hurt your site's user experience, so use them strategically.
Credential stuffing is a very dangerous threat that can affect virtually any website, even one with the strongest security infrastructure. The strength of the attack lies in its simplicity, which makes it very difficult to defend against.
There is no perfect defense against credential stuffing, but since most attacks are carried out by bots, investing in a bot management solution like DataDome is currently the most reliable way to protect your site and systems. Educating your users and employees to always use unique passwords remains very important too.