Between 2020 and 2021, the number of credential stuffing attacks nearly doubled. According to Help Net Security, researchers recorded 2,831,028,247 credential stuffing attacks between October 2020 and September 2021, a 98 percent increase over the previous year.
Gaming, digital and social media, and financial services were the industries hit hardest by credential stuffing during that period. The United Kingdom was also among the top three locations worldwide for credential stuffing attacks, with Asia and North America close behind.
The security community expects the number of credential stuffing attacks to rise further in the second half of 2022.
Why is credential stuffing a problem for businesses?
For starters, automation makes it feasible for anyone, even a novice attacker, to carry out these attacks. That low barrier to entry is why credential stuffing is so widespread, and why it is expected to remain so through 2022.
To see why, consider how a credential stuffing attack unfolds. According to the Open Web Application Security Project (OWASP), it begins when a malicious actor obtains stolen usernames and passwords from password dumps, data breaches, phishing operations, and other sources. The attacker then feeds those credentials into automated software that tries them against a variety of websites, including banks and social networks.
If a credential set authenticates successfully, the attacker can carry out a password reuse attack against other services, steal the compromised account’s information or funds, and/or sell the account on the dark web.
The consequences of a successful credential stuffing attack can be far-reaching, which brings us to the second reason the threat is so worrying. Because the outcome of a successful credential stuffing attack is effectively a data breach, businesses should expect data protection regulations to apply. What does that mean in practice? According to Cybersecurity Dive, organizations can face millions of dollars in fines as a result of credential stuffing.
Those fines do not include the cost of determining the scope of the attack, working out which data the attackers may have compromised, and remediating the incident. Nor do they cover the potential brand damage and the legal expenses that can follow from notifying affected customers.
Best strategies for credential stuffing defense
To avoid the costs described above, businesses must take steps to protect themselves against credential stuffing. Here are seven ways to do so.
- Make credential stuffing defense a collaborative conversation that takes place on a regular basis.
Credential stuffing can’t be tackled if nobody is talking about the threat.
Recognizing this, TechRepublic suggests that businesses bring their security, fraud, and digital teams together to discuss credential stuffing and other fraud trends, and how they can use digital data to coordinate their defenses.
- Make multi-factor authentication a reality.
Credential stuffing rests on an attacker’s ability to turn a valid credential set into account access. Multi-factor authentication (MFA) removes that weak spot by requiring an additional factor to authenticate, such as an SMS text code or a fingerprint. An attacker then has to compromise both the credential set and the extra factor, which makes taking over the account considerably harder.
- Use security awareness to educate staff on proper password usage.
By raising their workers’ security awareness, businesses can go a long way toward preventing credential stuffing attacks. For example, they can teach staff how attackers exploit password reuse in a credential stuffing campaign. According to How-To Geek, organizations can also provide employees with a password manager for storing the credentials they create in line with company password policy.
- Examine traffic for indicators of credential stuffing and establish a baseline.
According to Infosecurity Magazine, organizations should establish a baseline for their traffic, including account activity. They can then compare against that baseline to spot unexpected activity, such as a rise in failed login attempts or unusual account access requests.
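The baseline-and-deviation check described above, as an added example that is not code from the article or from any source it cites. The authentication events are constructed, and the thresholds (three standard deviations, a floor of five extra failures, ten distinct accounts per source) are assumptions to be tuned against real traffic:

```python
import statistics
from collections import defaultdict

# Constructed sample authentication events (not from the article), as tuples of
# (minute, source_ip, username, result). Minutes 0-9 are ordinary traffic with one
# failed login per minute; minute 10 carries a burst of failures from a single
# source against many different accounts, the shape a credential stuffing run has.
EVENTS = (
    [(m, "203.0.113.9", "alice", "FAIL") for m in range(10)]
    + [(m, "203.0.113.9", "bob", "OK") for m in range(10)]
    + [(10, "198.51.100.7", f"user{i:02d}", "FAIL") for i in range(40)]
    + [(10, "198.51.100.7", "user03", "OK")]
)

def failures_per_minute(events):
    """Count failed logins in each one-minute bucket."""
    counts = defaultdict(int)
    for minute, _ip, _user, result in events:
        if result == "FAIL":
            counts[minute] += 1
    return counts

def build_baseline(events, baseline_minutes):
    """Mean and population stdev of failed logins per minute over the baseline period."""
    counts = failures_per_minute(events)
    series = [counts.get(m, 0) for m in range(baseline_minutes)]
    return statistics.mean(series), statistics.pstdev(series)

def flag_spikes(events, baseline_minutes, k=3.0, floor=5):
    """Minutes after the baseline whose failure count exceeds mean + max(k*stdev, floor).
    The floor keeps a very quiet baseline (stdev near 0) from flagging every small bump."""
    mean, stdev = build_baseline(events, baseline_minutes)
    threshold = mean + max(k * stdev, floor)
    counts = failures_per_minute(events)
    return sorted(m for m, c in counts.items() if m >= baseline_minutes and c > threshold)

def stuffing_sources(events, minute, min_accounts=10):
    """Source IPs that failed against at least min_accounts distinct users in one minute:
    many accounts with few tries each separates stuffing from one user mistyping."""
    users = defaultdict(set)
    for m, ip, user, result in events:
        if m == minute and result == "FAIL":
            users[ip].add(user)
    return {ip: len(u) for ip, u in users.items() if len(u) >= min_accounts}
```

Running `flag_spikes(EVENTS, 10)` flags minute 10, and `stuffing_sources(EVENTS, 10)` attributes the burst to the single constructed source address.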
- Prevent users from using exposed passwords to secure their accounts.
The last thing security teams want is for their workers to use a password that has already been exposed in a breach. After all, data breaches, information dumps, and other exposures are what feed the automated tooling used in credential stuffing. Recognizing this, information security professionals need to watch for breaches, data dumps, and other releases that attackers could use for credential stuffing. They can follow the news for such events, and they can also rely on breach tracking services such as Have I Been Pwned (HIBP) to notify them.
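An exposed-password check of the kind HIBP's Pwned Passwords offers, as an added example that is not code from the article or from HIBP. The real service is queried over HTTPS by sending only the first five hex characters of the password's SHA-1 hash (k-anonymity) and matching the returned suffixes locally; here `fake_range_lookup` and its tiny breach list are constructed stand-ins so the example runs offline:

```python
import hashlib

# Constructed stand-in for a breach corpus (NOT real breach data): passwords a lookup
# service might hold, with the number of times each was seen. Real corpora hold
# hundreds of millions of entries, which is why the lookup happens by hash prefix.
_CONSTRUCTED_BREACHED = {"password": 9_000_000, "Summer2021!": 1_200, "letmein": 400_000}

def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def split_hash(password: str):
    """Return (5-char prefix, 35-char suffix). Only the prefix ever leaves the client."""
    digest = sha1_hex(password)
    return digest[:5], digest[5:]

def fake_range_lookup(prefix: str) -> str:
    """Simulates the range endpoint: 'SUFFIX:COUNT' lines for every stored hash that
    shares the prefix. A real client would fetch this over HTTPS instead."""
    lines = []
    for pw, count in _CONSTRUCTED_BREACHED.items():
        p, suffix = split_hash(pw)
        if p == prefix:
            lines.append(f"{suffix}:{count}")
    return "\n".join(lines)

def exposure_count(password: str, lookup=fake_range_lookup) -> int:
    """How many times the password appears in the corpus; 0 means not found."""
    prefix, suffix = split_hash(password)
    for line in lookup(prefix).splitlines():
        stored_suffix, _, count = line.partition(":")
        if stored_suffix == suffix:
            return int(count)
    return 0

def accept_new_password(password: str) -> bool:
    """Policy hook for password change or reset: reject anything already exposed."""
    return exposure_count(password) == 0
```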
- Use fingerprinting to identify devices.
Infosec teams can fingerprint an employee’s device from its operating system, web browser version, language settings, and other attributes. According to Security Boulevard, they can then use that fingerprint to look for unusual activity, such as a user attempting to log in from a device in another country. When that happens, security teams can require the employee to provide additional authentication factors to confirm that the account hasn’t been compromised.
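The device fingerprint and step-up decision described above, as an added example that is not code from the article or from Security Boulevard. The `DeviceInfo` fields follow the attributes the article lists, the known-device store is constructed, and the "allow"/"step-up" outcomes are an assumed policy:

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class DeviceInfo:
    os: str
    browser: str
    language: str

def fingerprint(dev: DeviceInfo) -> str:
    """Hash of the attributes the article lists. A browser upgrade changes the version
    string and therefore the fingerprint, so expect a step-up after updates."""
    raw = "|".join((dev.os, dev.browser, dev.language))
    return hashlib.sha256(raw.encode("utf-8")).hexdigest()

def record_success(store, user, dev, country):
    """After a fully authenticated login, remember the device and the country it came from."""
    store.setdefault(user, {}).setdefault(fingerprint(dev), set()).add(country)

def make_store():
    """Constructed known-device store (not from the article): user -> {fingerprint: countries}."""
    store = {}
    record_success(store, "alice", DeviceInfo("Windows 11", "Firefox 99.0", "en-GB"), "GB")
    return store

def login_decision(store, user, dev, country):
    """'allow' for a known device in a known country; otherwise 'step-up', i.e. demand an
    extra authentication factor before granting access."""
    seen = store.get(user, {})
    fp = fingerprint(dev)
    if fp not in seen:
        return "step-up", "unrecognized device"
    if country not in seen[fp]:
        return "step-up", "recognized device, first login from this country"
    return "allow", "recognized device and country"
```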
- Don’t use your email address as a user ID.
Password reuse isn’t the only thing that increases the risk of a credential stuffing attack; reusing usernames and/or account IDs has the same effect. Salt Security makes this point in a blog post: “Credential stuffing relies on users using the same usernames or account IDs across services. When the ID is an email address, the danger is increased since attackers may readily get or guess it.”
Enterprises should therefore consider issuing unique identifiers that attackers won’t be able to reuse across different online services.
Using the fundamentals to defeat credential stuffing
Credential stuffing is one of the most common types of attack today. It is so prevalent because malicious actors can easily obtain exposed credential sets online. However, as described above, enterprises can defend themselves against credential stuffing with a handful of fundamental measures.