Credential Stuffing: impossible to protect against, unless you change your password
Credential stuffing is a specific type of cyber-attack aimed at taking over accounts by exploiting password reuse. The phenomenon has been growing in recent years and is causing significant damage to companies in a variety of sectors, especially in finance.
How credential stuffing works
For some time now, entire lists of usernames, email addresses and passwords, obtained through breaches of the databases of various portals, have been circulating on the dark web. What makes credential stuffing so dangerous is the terrible habit (common to many internet users) of using the same password on different websites.
This type of cyber-attack consists of sending login requests to many different portals using the credentials found in the lists mentioned above. Where a match is found, the cybercriminals can easily access sensitive data, private photos, bank accounts and so on.
By using skilfully prepared bots, the criminals are able to connect to thousands of sites simultaneously, thereby achieving extensive coverage. The probability of a match increases exponentially with the number of portals on which the victim has used the same password to log in.
Damage caused by credential stuffing to companies
It is not only private individuals who are subject to the serious consequences which can result from credential stuffing; in fact, large companies are the cybercriminals’ preferred targets. Some recent studies have brought to light some worrying data showing a marked increase in this phenomenon.
According to estimates, each company endures an average of 11 attacks of this kind per month, targeting approximately 1041 accounts. The real problem, however, is the financial cost of these attempted breaches.
The extended downtime of applications, the involvement of security infrastructure and the loss of clients cost large companies as much as 4 million Euros per year, plus the added costs of any fraudulent transactions carried out using the breached accounts.
Such statistics reflect the gravity of the problem and the absolute necessity for rapid intervention to improve the security of both individual users and companies.
How to defend against credential stuffing
It is possible to avoid credential stuffing, but it requires that defence from such cyber-attacks be mounted on two fronts: both private (individual users) and public (cybersecurity for companies).
As far as the private front is concerned, it is essential to educate internet users about basic security precautions. Among the most important are changing passwords regularly and never using the same credentials to access different sites.
Where possible, it is a good idea to opt for two-step authentication: a recent measure providing extra security, which allows the user to log in only after confirming the operation via an additional device (usually the smartphone).
Companies, on the other hand, should work hard on the infrastructure of their web portals. According to some data, each company has on average 26 access points for users, each of which can be exploited in the same way by the bots.
The failure to differentiate access credentials across the various devices used to connect (personal computer, smartphone, mobile app or third parties) can also constitute an area of vulnerability not to be underestimated.
Some recent technologies are able to recognise and classify the behaviour of bots and distinguish it from human activity. Of course, such protection comes at a high cost, but it could really make the difference when it comes to guarding against credential stuffing.
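As an added illustration of the bot-versus-human distinction described above (example code written for this article, not a product of any vendor mentioned), the following detector runs a sliding window over a constructed authentication log and flags sources that try many distinct usernames with mostly failed logins, the pattern left by a stuffing list. The log format, the 5-minute window and the thresholds of 5 distinct users and a 70% failure ratio are assumptions chosen for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not from any real system).
# Each line: ISO timestamp, source IP, username, outcome (OK or FAIL).
SAMPLE_LOG = """\
2024-03-01T10:00:01Z 203.0.113.7 alice FAIL
2024-03-01T10:00:02Z 203.0.113.7 bob FAIL
2024-03-01T10:00:02Z 203.0.113.7 carol FAIL
2024-03-01T10:00:03Z 203.0.113.7 dave FAIL
2024-03-01T10:00:03Z 203.0.113.7 erin OK
2024-03-01T10:00:04Z 203.0.113.7 frank FAIL
2024-03-01T10:00:05Z 203.0.113.7 grace FAIL
2024-03-01T10:00:06Z 203.0.113.7 heidi FAIL
2024-03-01T10:00:10Z 198.51.100.20 ivan FAIL
2024-03-01T10:00:15Z 198.51.100.20 ivan FAIL
2024-03-01T10:00:20Z 198.51.100.20 ivan OK
2024-03-01T10:09:00Z 192.0.2.44 judy OK
"""

def parse_log(text):
    """Yield (timestamp, ip, user, success) tuples from the log text."""
    for line in text.splitlines():
        ts, ip, user, outcome = line.split()
        yield datetime.fromisoformat(ts.replace("Z", "+00:00")), ip, user, outcome == "OK"

def detect_stuffing(events, window=timedelta(minutes=5), min_users=5, min_fail_ratio=0.7):
    """Flag source IPs that, within one sliding window, attempt many distinct
    usernames and mostly fail. One or two guesses per account across many
    accounts is the signature of a credential list, unlike a forgetful user
    (one account, a few failures) or a brute-force run (one account, many)."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in sorted(events):
        by_ip[ip].append((ts, user, ok))
    flagged = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:  # slide the window start forward
                start += 1
            win = evs[start:end + 1]
            users = {u for _, u, _ in win}
            fails = sum(1 for _, _, ok in win if not ok)
            if len(users) >= min_users and fails / len(win) >= min_fail_ratio:
                # Accounts that succeeded during a flagged run almost certainly
                # reuse a leaked password and are the ones to force a reset on.
                flagged[ip] = {"distinct_users": len(users), "attempts": len(win),
                               "failures": fails,
                               "succeeded": sorted(u for _, u, ok in win if ok)}
    return flagged
```

A per-source heuristic like this misses stuffing spread across a proxy pool, so the same windowed count of distinct failing accounts should also be computed platform-wide against a normal baseline.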
Translated by Joanne Beckwith
