Credential Stuffing - How you can protect yourself
Credential stuffing attacks are becoming more and more common. Recently several Australian companies (Dan Murphy’s, Guzman y Gomez, Binge, etc.) were targeted by credential stuffing attacks. Their customers had their accounts accessed and orders were made on these websites using the customer’s stored credit card details - https://www.bandt.com.au/guzman-dan-murphys-binge-hit-with-credential-stuffing-cyber-attack/. Fortunately, this is one attack type that you can take steps to protect yourself from and don’t have to rely on a company to keep you safe.
What is credential stuffing?
Cyber criminals know that people reuse passwords. So when a cyber criminal gets access to a username and password in a data breach, they know there is a very good chance the username and password will work on another site as well.
For example, if LinkedIn had a data breach, the criminal knows your LinkedIn password could be the same as your Facebook password. The cyber criminal will take your username and password from the LinkedIn data breach and use it to try to log in to Facebook. When a cyber criminal automates this process and tries it against hundreds or thousands of accounts, the technique is known as credential stuffing.
How can you protect yourself?
While there are things that companies can and should be doing to protect their customers from these kinds of attacks, there are actions you can take as an individual to protect yourself as well.
There are 2 main things you can do to protect yourself.
Don’t reuse passwords
Since credential stuffing attacks rely on you reusing the same password on multiple accounts, the best thing you can do to protect yourself from these attacks is use strong, unique passwords for each account you use.
Using a password manager is the best way to ensure you have strong and unique passwords for all your accounts. A password manager is a tool that allows you to store your username and passwords for all your accounts in a secure safe. The usernames and passwords can be easily retrieved when needed.
Use Multi-Factor Authentication (MFA)
Multi-Factor Authentication (MFA) is another layer of protection you can apply to your accounts. If you have MFA set up on your account, an attacker can’t get into your account even if they have your username and password, unless they can somehow also get access to your MFA code. Because MFA codes are usually tied to a single device that you keep on you (e.g. SMS-based one-time codes or a Google Authenticator app on your phone), it is very difficult for an attacker to get access to these codes.
You should set up MFA on any services that have the option.
What companies should be doing to protect you
While the steps above will protect you from credential stuffing attacks and are things you absolutely should be doing for your own security hygiene, there are still things that companies can and should be doing to protect their customers.
Some of the key things companies can do to protect their customers from credential stuffing attacks are:
Multi-Factor Authentication (MFA)
Before you can take advantage of MFA on your accounts, a company needs to implement it as an option for you to take advantage of. Companies that don’t have MFA available for their customers to set up should consider implementing the feature and encouraging their customers to enable it.
Rate Limiting/Anti-Automation
Rate limiting is a control that intentionally caps the number of requests your website will process in a given period. When a cyber criminal tries a credential stuffing attack, they will create a program that automates the login process for a website so they can try hundreds or thousands of different credentials per minute. Rate limiting allows you to slow down the number of attempts a cyber criminal can make.
By slowing down their ability to test usernames and passwords, you make it less attractive for them to try this type of attack against your website. For example, if a cyber criminal can only try 5 usernames and passwords per minute instead of 100 per minute, they are getting significantly less return on their investment. If out of a possible 100 usernames and passwords only 1 is valid against your website, it is much less attractive to target your website when they can only get into one account every 5 minutes instead of one account every minute.
Rate limiting is sometimes referred to as anti-automation, since these types of security controls are designed to slow down or stop automated attacks. A CAPTCHA on a website’s login form is an example of an anti-automation control.
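As an added example (not code from the article), a sliding-window limiter for a login endpoint that enforces the 5-attempts-per-minute figure above. The policy values, the key names and the `simulate` replay are assumptions for illustration; it is keyed on both the source IP and the target username so that an attack spread across many IPs against one account is still throttled.

```python
from collections import defaultdict, deque

class LoginRateLimiter:
    """Sliding-window limiter for a login form, keyed on the source IP and, separately,
    on the target username. Assumed policy: 5 attempts per 60 seconds per key."""

    def __init__(self, limit=5, window_seconds=60):
        self.limit = limit
        self.window = window_seconds
        self.attempts = defaultdict(deque)   # key -> timestamps of recent allowed attempts

    def _count(self, key, now):
        q = self.attempts[key]
        while q and now - q[0] >= self.window:   # drop attempts that fell out of the window
            q.popleft()
        return len(q)

    def check(self, ip, username, now):
        """Return 'allow' or 'throttle' for one login attempt at time `now` (seconds).
        Only allowed attempts are recorded, so the cap is a steady rate, not a lockout."""
        keys = (f"ip:{ip}", f"user:{username.lower()}")
        if any(self._count(k, now) >= self.limit for k in keys):
            return "throttle"   # e.g. delay the response, show a CAPTCHA, return a generic error
        for k in keys:
            self.attempts[k].append(now)
        return "allow"

def simulate(limiter, ip, usernames, start=0.0, spacing=0.6):
    """Replay one attempt every `spacing` seconds from one IP against distinct usernames and
    return how many got through. 100 attempts inside a minute collapse to the per-key limit."""
    return sum(limiter.check(ip, u, start + i * spacing) == "allow"
               for i, u in enumerate(usernames))
```

The per-IP key alone is not enough once an attacker rotates addresses, which is why the per-username key is included and why real deployments pair this with the anti-automation controls above.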
Monitoring for breached passwords
It is possible to connect your website’s login form with a list of known data breaches to determine if your customers are using a password that is known to have appeared in a data breach. When your customer tries to log in to their account, you can check at the moment of login whether their password has previously appeared in a data breach. If it has, you can notify the customer and recommend that they use a more secure password.
Services such as Have I Been Pwned (https://haveibeenpwned.com/API/v3) allow you to connect your website to their service to automatically check passwords against breaches in their database.
This is a great way to educate your customers on good password hygiene and encourage them to adopt good practices.
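An added example of the breached-password check described above (not code from the article or from Have I Been Pwned). It uses the Pwned Passwords range endpoint of the HIBP API, which is queried with only the first five hex characters of the password’s SHA-1 so the full hash never leaves your server; the network call is replaced here by a constructed stand-in with invented counts so it runs offline.

```python
import hashlib
from typing import Callable, Dict

# Real Pwned Passwords range endpoint (part of the HIBP API the article links to).
# Only the first five hex characters of the SHA-1 are ever sent to it (k-anonymity).
RANGE_URL = "https://api.pwnedpasswords.com/range/"

def sha1_upper(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def parse_range_response(body: str) -> Dict[str, int]:
    """Parse the 'SUFFIX:COUNT' lines the range endpoint returns into {suffix: count}."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and len(suffix) == 35:          # skip blank or malformed lines
            counts[suffix.upper()] = int(count)
    return counts

def breach_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Return how often `password` appears in known breaches (0 = not found).
    The 5-char prefix is sent; the remaining 35 chars are matched locally."""
    digest = sha1_upper(password)
    prefix, suffix = digest[:5], digest[5:]
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)

def login_advice(password: str, fetch_range: Callable[[str], str]) -> str:
    """What the login flow does with the result: warn the customer rather than block silently."""
    n = breach_count(password, fetch_range)
    return "ok" if n == 0 else f"warn: this password appeared in {n} breaches, please change it"

def http_fetch_range(prefix: str) -> str:
    """Real lookup for production use (needs network access)."""
    import urllib.request
    with urllib.request.urlopen(RANGE_URL + prefix, timeout=5) as resp:
        return resp.read().decode("utf-8")

# --- constructed offline stand-in for the HTTP call; the counts are invented -----------
FAKE_BREACHED = {"password": 3861493, "letmein": 281470}

def fake_fetch_range(prefix: str) -> str:
    lines = [f"{sha1_upper(pw)[5:]}:{n}" for pw, n in FAKE_BREACHED.items()
             if sha1_upper(pw)[:5] == prefix]
    lines.append("A" * 35 + ":7")              # filler suffix; a real range has hundreds
    return "\r\n".join(lines)
```

Swap `fake_fetch_range` for `http_fetch_range` to query the live service; the check runs on the plaintext password at login time, before it is hashed for storage.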
Reviewing suspicious login activity
Logging details of your customers’ login activity (e.g. username, time of login, IP address, location, etc.) is useful for determining the normal and abnormal login behaviours of your customers. You can store these logs in your security team’s tools (e.g. a SIEM) and review them to identify suspicious behaviour. You can then notify your customers when suspicious login activity is detected on their account (e.g. they normally log in from Australia but there has suddenly been a login from Brazil) or set up automatic actions to occur when suspicious login activity is detected (e.g. present an MFA challenge to a customer when suspicious behaviour is detected on their account).
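An added example (not code from the article) of the two detections this section describes, run over a constructed login log: a source IP trying many different accounts in a short window with mostly failures, and a successful login from a country the account has never used before (the Australia-to-Brazil case). The log format, the thresholds and the sample data are all assumptions for illustration.

```python
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta

LoginEvent = namedtuple("LoginEvent", "ts user ip country ok")

def parse_line(line):
    """Parse one line of the constructed log format below (assumed, not a real product's format)."""
    ts, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return LoginEvent(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                      kv["user"], kv["ip"], kv["country"], kv["result"] == "success")

def stuffing_sources(events, window=timedelta(minutes=5), min_users=3, max_success_ratio=0.5):
    """IPs trying >= min_users distinct accounts inside `window` and mostly failing: the stuffing shape."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e.ip].append(e)
    flagged = set()
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e.ts)
        start = 0
        for end in range(len(evs)):              # sliding time window over this IP's attempts
            while evs[end].ts - evs[start].ts > window:
                start += 1
            win = evs[start:end + 1]
            if (len({e.user for e in win}) >= min_users
                    and sum(e.ok for e in win) / len(win) <= max_success_ratio):
                flagged.add(ip)
    return flagged

def new_country_logins(events, history):
    """Successful logins from a country never seen for that account: notify, or step up to an MFA challenge."""
    seen = {u: set(c) for u, c in history.items()}   # history = countries of past good logins, per user
    hits = []
    for e in sorted(events, key=lambda e: e.ts):
        if e.ok:
            if e.country not in seen.setdefault(e.user, set()):
                hits.append(e)
            seen[e.user].add(e.country)
    return hits

# Constructed sample: 198.51.100.9 tries four accounts in 15 seconds and gets one hit (dave, from BR).
SAMPLE_LOG = """\
2024-05-01T10:00:00Z user=alice ip=203.0.113.5 country=AU result=success
2024-05-01T10:01:00Z user=alice ip=198.51.100.9 country=BR result=fail
2024-05-01T10:01:05Z user=bob ip=198.51.100.9 country=BR result=fail
2024-05-01T10:01:10Z user=carol ip=198.51.100.9 country=BR result=fail
2024-05-01T10:01:15Z user=dave ip=198.51.100.9 country=BR result=success"""
EVENTS = [parse_line(line) for line in SAMPLE_LOG.splitlines()]
HISTORY = {"alice": {"AU"}, "bob": {"AU"}, "carol": {"AU"}, "dave": {"AU"}}
```

The per-IP rule misses attacks spread across many addresses, so the per-account signal (a good login from an unfamiliar country, or a burst of failures against one account) is the one worth wiring to an automatic MFA challenge.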
Summary
Credential stuffing attacks are becoming more common as access to more data breaches is becoming easier. It’s very easy for a cyber criminal to find or purchase a list of usernames and passwords from data breaches and try those usernames and passwords against other websites.
The best way to protect yourself from these types of attacks is to use strong, unique passwords for all of your different accounts and use something like a password manager to manage them. MFA will also assist you in protecting your account from these and other attacks.
While you can take steps to protect yourself, it’s also important for companies to put the right security controls in place to help protect their customers. The controls above are some of the best things companies can do to protect their customers from credential stuffing attacks.
Thanks Nathan - as always, good and useful info.