Credential stuffing as a hacking attempt of any kind in which the perpetrator uses credentials obtained from another data theft or data breach on another website or system to attempt to log in to another unrelated website or system.
“For example, a hacker may use a list of credentials obtained from a data breach of a major eCommerce website (let’s say, Amazon) and then use the same usernames and passwords to try and log in to Gmail.”
In such cases, the perpetrator is exploiting the fact that many people use the same username and password for different services and is hoping that some of the eCommerce users reused their credentials on Gmail.
Many lists of breached credentials were being sold and even shared publicly on various forums, black markets, and the dark web. As a result, credential stuffing attacks have been on the rise in the past couple of years, paired with the fact that there have been major advancements in various credential stuffing tools and sophisticated bots that can mimic human behaviours and get around traditional identification techniques.
In this guide, we will discuss with DataDome how to detect credential stuffing attacks and the effective methods to prevent them.
Utilizing multi-factor authentication (MFA) is one of, if not the most effective ways to protect your website against credential stuffing attacks.
The idea behind two-factor authentication is to require a second (or more) authentication form than the password. So, even when a user’s credential has been stolen, the simple username-password combination won’t be enough for the perpetrator to launch a credential stuffing attack.
The second or more factor can be:
However, although MFA is very effective in credential stuffing attack prevention, it is still relatively not popular due to how it impacts user experience (UX). Two-factor authentication will mean that it would take longer for the legitimate user to log in to your service, and might deter them.
With that being said, you might want to consider only implementing MFA contextually rather than requiring it in every situation. For example, you can create an adaptive system where you would only require MFA during a suspicious action (i.e. repeated requests to the same page).
“Yet, more and more people are now familiar with the practice of using two-factor authentication, and there’s also the increasing intuitiveness of two-factor authentication methods, making it easier and faster to use by users”
In the near future, we can expect more websites and services to adopt MFA as their default authentication method. For example, in February 2020 Google announced that all Nest users would be required to use two-factor authentication.
Below are some effective credential stuffing attack prevention methods you can implement:
Since many credential stuffing attempts are done by automated programs (bots), CAPTCHA can help in preventing these automated login attempts. Similar to two-factor authentication, however, a CAPTCHA can disrupt user experience (UX) and should be used sparingly or only during suspicions of automated attacks.
Also, a CAPTCHA is not perfect and won’t prevent 100% of automated logins and credential stuffing attacks. Even after considering all these issues, however, CAPTCHA is still effective in preventing credential stuffing.
A pretty basic but effective approach is to block less sophisticated attacks that only rotate between a small number of IP addresses. We can blacklist IP addresses or a range of IPs after a specific number of failed login attempts.
However, there are two main principles in IP blacklisting: the blacklist should be temporary so you can reduce the likelihood of blocking legitimate human users (false negative), and you should track login failures separately for each user.
You should consider storing the users’ IP addresses to trace IP addresses that successfully logged in, so you don’t accidentally block legitimate users from logging in. Also, when this user logs in from other IP addresses, you can notify the user immediately or even block the account altogether if necessary.
Besides tracing for IP addresses and blocking suspicious activities based on IP address, we can also use various factors to ‘fingerprint’ users, such as:
JavaScript can also help you in accessing more insights such as screen resolution, installed fonts on the device, installed plugins/extensions, and more. Tracking these factors can be very helpful in differentiating between legitimate users and bot activities.
So, if it doesn’t match the user’s previous fingerprint, you can ask this client for additional authentication (via CAPTCHA or asking security questions, for example). However, keep in mind that users might own multiple devices and might share the account with other friends or family members, so you’d need to be smart in identifying and blocking suspicious activities that don’t match the previous fingerprints.
The idea of the following methods is to make the credential stuffing attack more time consuming and more difficult to implement, with the hope that the attacker might give up.
While these following methods might not be 100% sufficient in preventing credential stuffing attack, we can use these to defend against opportunistic attackers without the aid of sophisticated bots:
Headless, automated browsers like headless Chrome or PhantomJS are often used by cybercriminals because they can help tackle various defence measures. You can track these headless browsers by looking for certain criteria like some signatures and properties they tend to leave behind like window.callPhantom in the JavaScript environment.
“However, if you block the traffic outright, the attacker might devise a countermeasure, so sometimes limiting/throttling the traffic and silently limiting the action.”
Above, we have mentioned how we should analyze various factors of user ‘fingerprints’ to identify between legitimate users and attackers. So, we can configure alerts on the login success ratio for this specific user. While you’ll never have legitimate traffic with a login success rate of as low as 0.1% to 10%, credential stuffers can achieve these numbers.
Credential stuff attackers can reach a success rate of close to 0%, so it’s fairly easy to identify. Tracking login success ratios that are very low is a massive sign of credential stuffing attempts.
While there isn’t a 100% way to stop credential stuffing attacks where user’s usernames and passwords have been compromised, the methods we have shared above are effective in identifying, preventing, and mitigating the effects of credential stuffing attempts. You can also use credential stuffing mitigation and protection solutions to actively prevent credential stuffing attacks.
Above, we have discussed the concept of credential stuffing, and how we can assess the risk for our websites and prevent the attack.
Also, Read Why ‘Dark Web’ is Becoming a Cybersecurity Nightmare for Businesses
A clean and sanitized environment is vital to health care and lab ecosystems. Contaminants like dust, particles, debris, bacteria, viruses…
Artificial intelligence is increasing in various sectors, including photonics. AI enthusiasts in multiple fields are excited to see how its…
Automation is rising across all manners of manufacturing workflows. However, in many cases, robotics solutions can go further. Workholding is…
Accurate documentation of diagnoses, treatment histories, and personal health information are all crucial in delivering quality care and ensuring patient…
Material-handling activities can be dangerous because they require repetitive tasks that may cause strain or injuries. Additionally, employees must learn…
AI enthusiasts in all sectors are finding creative ways to implement artificial intelligence’s predictive analytics and modelling capabilities to mitigate…