Industry experts put the cost of credential stuffing at an average of up to US$6 million a year per company, and I believe it will be one of the greatest challenges for IT security teams this year.
As a service that processes billions of logins per month, we are in a good position to observe trends in credential stuffing attacks targeting our customers.
On an average day, we detect and block suspicious login attempts originating from over 50,000 IP addresses.
That’s around 67% of all our server traffic.
So, what exactly are we up against?
The job of a credential stuffer is in fact easier than that of most cyber criminals.
It all starts with the password list.
Attackers take username and password combinations leaked in data breaches and replay them against other sites, betting that users have reused the same password elsewhere. To do this at scale they build or rent botnets, networks of compromised devices, which spread the login attempts across thousands of IP addresses and target as many entry points as possible. The aim is to take over people's online accounts and sell the working logins at a profit.
Roughly 360 breaches in the past five years have leaked around 3 billion accounts and 550 million unique passwords.
Worryingly, these are now being compiled into aggregated lists (such as the Collections #1-5 lists) which are relatively easy to find for those who know where to look.
Hackers are now even trading ‘botnets-for-hire’ for nominal fees for use in widespread attacks.
Because each individual theft is small, the attacks often go unnoticed, but across companies they add up to billions of dollars every year.
If the cybercriminals are becoming more sophisticated, how can we rise to this challenge?
It’s not just about catching a credential stuffing attack but also putting measures in place that give you greater control and protect your users.
MFA is one step in the right direction.
For a hacker to break into an account protected by multi-factor authentication, they need access to the second factor, typically the user's mobile phone, as well as the breached credentials.
This drastically increases the effort and time required to compromise accounts at the scale needed to make a return on the attacker's investment, making MFA a significant deterrent. It does not make any single account impregnable (one-time codes can still be phished, so phishing-resistant factors such as hardware keys are stronger still), but it breaks the economics of bulk credential replay.
Balance security with frictionless experience
Consider those using your services and ensure your security measures don’t hinder your ability to provide that frictionless user-experience consumers expect.
By using intelligent threat analysis tools, you can tailor the security mechanisms to the user's situation. We call this adaptive authentication.
We evaluate the trustworthiness of the source IP address, whether the password appears in a known breach, and the volume of recent failed authentications to assess the risk of a transaction, login attempt or session for our customers.
We then use that risk assessment to apply the appropriate level of enforcement, from letting the login through to requiring a second factor or blocking it outright, to help prevent credential stuffing attacks.
For example, if a user always accesses a service via the same IP address, they need a lower authentication level than if they accessed this service from another country or from another device.
On the other hand, when it comes to sensitive transactions, such as online banking, the authentication requirements increase.
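The following is an added illustration of the risk-based decision described above, not Auth0's own implementation. It is a small Python risk engine that combines the three signals the text names (IP reputation, breached-password use, failed-authentication volume) with whether the user's IP and device are familiar, then maps the score to allow, step-up to MFA, or block. The IP reputation list, the breached-password set and the threshold values are constructed for the example and are assumptions, not real threat data.

```python
import hashlib
import time
from collections import defaultdict, deque
from dataclasses import dataclass

# --- Constructed sample data (assumptions for this example, not real feeds) ---
SUSPICIOUS_IPS = {"203.0.113.10", "198.51.100.77"}   # RFC 5737 documentation addresses

# Breached-password corpus held as upper-case SHA-1 hex digests so the plaintexts
# never sit in memory; built here from a few notoriously weak passwords.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest().upper()
    for p in ("password", "123456", "qwerty", "letmein")
}

FAIL_WINDOW_SECONDS = 300   # sliding window for failed-authentication volume
FAIL_THRESHOLD = 10         # failures per IP in the window that look like stuffing


@dataclass
class LoginAttempt:
    username: str
    password: str
    ip: str
    device_id: str
    ts: float
    sensitive: bool = False   # e.g. a banking transaction rather than a plain sign-in


class RiskEngine:
    """Scores a login attempt and maps the score to an enforcement level."""

    def __init__(self):
        self._failures = defaultdict(deque)      # ip -> timestamps of failed logins
        self._known_ips = defaultdict(set)       # username -> IPs seen on success
        self._known_devices = defaultdict(set)   # username -> device IDs seen on success

    @staticmethod
    def password_is_breached(password: str) -> bool:
        digest = hashlib.sha1(password.encode()).hexdigest().upper()
        return digest in BREACHED_SHA1

    def record_failure(self, ip: str, ts: float) -> None:
        self._failures[ip].append(ts)

    def record_success(self, attempt: LoginAttempt) -> None:
        self._known_ips[attempt.username].add(attempt.ip)
        self._known_devices[attempt.username].add(attempt.device_id)

    def recent_failures(self, ip: str, ts: float) -> int:
        q = self._failures[ip]
        while q and ts - q[0] > FAIL_WINDOW_SECONDS:   # expire old entries
            q.popleft()
        return len(q)

    def assess(self, attempt: LoginAttempt):
        """Return (score, decision, reasons); decision is 'allow', 'mfa' or 'block'."""
        score, reasons = 0, []
        if attempt.ip in SUSPICIOUS_IPS:
            score += 2; reasons.append("ip_reputation")
        if self.password_is_breached(attempt.password):
            score += 2; reasons.append("breached_password")
        if self.recent_failures(attempt.ip, attempt.ts) >= FAIL_THRESHOLD:
            score += 3; reasons.append("failed_auth_volume")
        # A familiar IP/device keeps the bar low; an unfamiliar one raises it.
        known_ips = self._known_ips.get(attempt.username)
        if known_ips and attempt.ip not in known_ips:
            score += 1; reasons.append("new_ip_for_user")
        known_devs = self._known_devices.get(attempt.username)
        if known_devs and attempt.device_id not in known_devs:
            score += 1; reasons.append("new_device_for_user")

        if score >= 4:
            decision = "block"
        elif score >= 1 or attempt.sensitive:   # sensitive actions always step up
            decision = "mfa"
        else:
            decision = "allow"
        return score, decision, reasons


def demo():
    """Run four constructed scenarios and return their assessments."""
    engine, now = RiskEngine(), time.time()
    usual = LoginAttempt("alice", "correct horse battery staple", "192.0.2.5", "dev-a1", now)
    engine.record_success(usual)   # establish alice's usual IP and device
    results = {"familiar": engine.assess(usual)}
    results["new_context"] = engine.assess(
        LoginAttempt("alice", "correct horse battery staple", "198.51.100.9", "dev-z9", now))
    bot_ip = "203.0.113.10"        # flagged IP hammering the login endpoint
    for i in range(FAIL_THRESHOLD):
        engine.record_failure(bot_ip, now - 30 + i)
    results["stuffing"] = engine.assess(LoginAttempt("bob", "password", bot_ip, "dev-bot", now))
    results["sensitive"] = engine.assess(
        LoginAttempt("alice", "correct horse battery staple", "192.0.2.5", "dev-a1", now, True))
    return results


if __name__ == "__main__":
    for name, (score, decision, reasons) in demo().items():
        print(f"{name:12s} score={score} decision={decision} reasons={reasons}")
```

The weights and thresholds are deliberately simple; a production engine would derive them from observed attack traffic and would check the breached-password digest against a remote corpus (for example by hash prefix) rather than an in-memory set. The point the example makes is the shape of the decision: the same user with the same password gets three different outcomes depending on context and on what is being protected.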
Turn to password alternatives
Another way to combat the rise of credential stuffing attacks is to target the root issue of password reuse.
Realistically, as businesses we are not going to change consumers' habit of using the same password across multiple accounts; it has been an issue for years and still occurs. What we can do is remove the need for new passwords.
This is where social logins come in.
Existing login information from a social network provider like Google, Apple or Facebook is used to sign in, instead of the user creating a new account specifically for an individual website.
For users, it provides a seamless way to login to the sites and apps that they use most frequently.
For businesses, it provides a quick way to implement a secure signup and login system.
For hackers, it makes life harder: the user creates no new password for the site, so there is no site-specific credential to leak and replay, and the login itself is handled by the identity provider. The trade-off is that the social account becomes the one credential worth attacking, so MFA on that account matters all the more.
While data breaches are inevitable, credential stuffing attacks don’t have to be.
The job of technology professionals is to make it more difficult for hackers to gain access and, if they do get in, to limit the damage.
It is also on us to educate consumers about the dangers of reusing passwords and to provide them with alternatives.
Encouraging a higher level of digital hygiene – whether they are your employees or your customers – will reduce the threat.
Changing human behaviour can be security’s biggest asset, and this is needed now more than ever.
Richard Marr is APAC General Manager at Auth0.