Are High-Security Checks Worth It?

by Eric Gressman
Credential stuffing is, sadly, not a delicious mixture of bread, veggies, butter, and herbs that you fill the cavity of your credential turkey with. It’s not even festive.
When you hear about data breaches – that is, hacks on databases of personal information like email addresses and potentially passwords – the threat of credential stuffing attacks looms largest. So, when JP Morgan Chase reports a breach of information associated with 83 million accounts, or the email addresses of 200 million Twitter accounts quietly leak online, do you have to be concerned?
Unfortunately, the answer is maybe, particularly if you reuse the same password for many of your sensitive online accounts and don’t want your data to become ammunition for a credential stuffing attack.
Credential stuffing is when bad actors attempt to force their way into a website using leaked or stolen databases of login credentials. Automated bots inject the stolen usernames and passwords into a website’s login prompts or into an API, then exploit any successful login attempts.
Note that this can be any website, not just the one that suffered the leak, because so many users tend to use the same passwords across services. According to Google, up to 87% of people tend to re-use passwords, be it across all or just a few of their services and accounts. This is a large part of what makes credential stuffing a successful endeavor.
Account takeovers (ATOs) are often the result of credential stuffing attacks, especially when the victimized user isn’t practicing good password hygiene. In other words, a user whose information is breached on a non-sensitive website is at a much higher risk of having a more important account breached if they use the same passwords across accounts and don’t change them regularly.
This is because the credential stuffing attacks are looking for this kind of password insecurity specifically, often attempting to use the same login credentials on a number of different sites. The same bot software may then automatically scrape the compromised accounts of their sensitive payment data, or make unauthorized transactions.
Credential stuffing attacks are a subset of brute force attacks. Both kinds of nefarious tactics can be characterized as forcing a large volume of login attempts through the keyhole of a website, with an expected low – but non-zero – success rate. However, where a brute force attack attempts to use automation to generate the correct password of a leaked username or email address, credential stuffing attacks are already armed with pairs of usernames and passwords.
In a sense, credential stuffing doesn’t usually “work”. Fraudsters attempting to execute a credential stuffing bot attack will be expecting the vast majority of their pilfered data to be useless, not resulting in anything more than a message along the lines of:
Invalid username and password combination.
Research data published online suggests that the success rate for credential stuffing attacks is somewhere between 0.1% and 2%, but given the size of some historical data breaches, even a 0.1% success rate could be massive.
Consider the 2014 JP Morgan Chase breach of 83 million accounts: a 0.1% success rate would still amount to 83,000 accounts taken over by fraudsters, and because those accounts were tied to financial services, they held data far more valuable than the stolen usernames and passwords themselves.
The execution of a credential stuffing attack involves several pieces in play:
Successful logins will almost always end with the fraudster stealing whatever data seems valuable, including credit card numbers and personal identifying information. The programming of the bot will often strip the account of this information in seconds, and may potentially lock the genuine user out of their own account by changing passwords.
Even non-financial data might be scraped to be used while carrying out more sophisticated phishing attacks, particularly if the compromised account was associated with a business or otherwise grants access to sensitive information.
The damage that credential stuffing fraudsters can cause to your organization can be severe. This is true not only for the company that allowed their database to be breached but also for the targeted websites that are having their login gateways jammed with requests.
Should the attacks succeed on their domains, the targeted organizations will inevitably have to clean house to restore their security, but may also find themselves compensating innocent customers whose finances or data have been misused. A well-outfitted customer service department will suddenly become a priority issue – or a priority pain point.
For the company whose databases were breached, leading to leaked login credentials, the negative chain of events can include:
Major data breaches generally find themselves in the spotlight in news cycles, which, despite the old adage that any press is good press, is clearly not a good thing for the breached company.
Even companies that manage to dodge media coverage have the legal obligation to inform their users that their data may have been compromised, potentially driving traffic to a competitor. There have been attempts to obfuscate hacks and breaches from the public eye, but this results in even more scandalous media reports when that information inevitably comes to light.
Since the EU’s General Data Protection Regulation (GDPR) became legally enforceable in May 2018, the regulators enforcing it, along with other governing bodies like the FTC, have handed out billions in fines related to insecure data practices.
For user data breaches alone, companies like Meta, Equifax, and British Airways have all been handed multimillion-dollar fines – under the GDPR, Meta was slapped with a whopping $275 million penalty after leaked user data found its way onto hacker websites.
It’s safe to say that most organizations would rather shore up defenses against data breaches than pay out massive fines and sacrifice their brand while doing so. That said, fraud is not a static issue, and warding off fines and keeping consumers safe requires a proactive approach.
Of course, the first line of defense against credential stuffing attacks is making sure your own infrastructure can’t be breached, so your databases can’t be weaponized in credential stuffing attacks on other platforms.
As a consumer, you can defend yourself from having all your online accounts compromised via a single website’s data breach by practicing good password hygiene.
For the targeted website – the domain that the fraudster is attempting to leverage the stolen login data against – the defense and detection processes are more involved. The first security step should always be to make sure your customers are using strong passwords, flagging weak ones at registration.
A reliable data-based weapon against fraudsters is a tool like Troy Hunt’s haveibeenpwned. Its huge database of leaked passwords allows for better security – and, because lookups use a method called k-anonymity, the service remains private and secure despite handling sensitive leaked information. It is also offered through Cloudflare. Blocking logins that use a password found in that database, and warning the affected users, is a strong safeguard against ATOs from credential stuffing.
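To make the k-anonymity mechanism concrete, here is an added example of a client-side breached-password check written in the shape of the Pwned Passwords range API. It is not SEON’s code and not the official Have I Been Pwned client. The client hashes the password with SHA-1 and sends only the first five hex characters of the hash; the server answers with every leaked hash suffix that shares that prefix, and the match is done locally, so neither the password nor its full hash ever leaves the client. The range response used here is a constructed sample (the breach count is made up) so the code runs offline; `live_fetch` shows the real endpoint but is not called by default.

```python
"""Breached-password check with k-anonymity (Pwned Passwords range style).

Added example, not SEON's or Have I Been Pwned's own code.
"""
import hashlib
import urllib.request

PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"

# Constructed stand-in for a range response. The real API returns one
# "<35-hex-char suffix>:<count>" line per leaked hash that starts with the
# requested 5-character prefix. The first suffix is the genuine SHA-1 suffix
# of "password"; its count and the other two lines are made-up filler.
SAMPLE_RANGES = {
    "5BAA6": (
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\r\n"
        "00000000000000000000000000000000001:2\r\n"
        "ABCDEFABCDEFABCDEFABCDEFABCDEFABCDE:17\r\n"
    ),
}


def split_hash(password: str) -> tuple[str, str]:
    """Return (prefix, suffix) of the upper-case hex SHA-1 of the password.

    Only the 5-character prefix is ever sent over the wire.
    """
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict[str, int]:
    """Parse "SUFFIX:COUNT" lines into a suffix -> count mapping.

    Padded responses may contain count 0 entries; they parse like any other.
    """
    counts: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def offline_fetch(prefix: str) -> str:
    """Offline lookup against the constructed sample ranges."""
    return SAMPLE_RANGES.get(prefix, "")


def live_fetch(prefix: str) -> str:
    """Fetch a real range from the Pwned Passwords API (not used in tests).

    Add-Padding asks the service to pad the response so its size does not
    hint at which prefix was queried.
    """
    req = urllib.request.Request(
        PWNED_RANGE_URL + prefix,
        headers={"Add-Padding": "true", "User-Agent": "example-breach-check"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def breach_count(password: str, fetch_range=offline_fetch) -> int:
    """How many times the password appeared in the corpus (0 = not found)."""
    prefix, suffix = split_hash(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


if __name__ == "__main__":
    for candidate in ("password", "a long unique passphrase 7f3"):
        n = breach_count(candidate)
        verdict = f"seen {n} times, reject" if n else "not in corpus"
        print(f"{candidate!r}: {verdict}")
```

At registration or login, a non-zero count is the signal to reject the password (or warn the user and require a change), which is the block-and-warn safeguard the paragraph describes; swap `offline_fetch` for `live_fetch` to query the real service.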
Fraudsters will certainly be attempting to circumvent normal website security measures – programming their bots to change IP addresses for every unique username, for example. Prevention, thus, must take a step up from everyday domain security.
In terms of keeping your harbors free of marauding bots, there are certain measures any company can implement that address bot-like behavior specifically, though with varying degrees of introduced customer friction.
Naturally, fraudsters looking at a 0.1% success rate will want to cast a huge net, leveraging as many usernames and passwords as possible to maximize their success. Because bots drive this process, their programming will rarely, if ever, be specific enough to get past security gateways that have a follow-up layer of security.
Some common but effective measures that provide enhanced security through high friction gateways include:
Striking a balance between friction and security is always a tightrope walk. Many companies may prefer a frictionless authentication method that scrutinizes connection data and other unique identifiers for alarming signals, and then introduces friction only where it is necessary for the account’s protection. These include:
If any suspicious behaviors or signals appear when a software solution investigates traffic, the aforementioned higher-friction methods can – and should – be deployed. Optimally, a combination of these techniques would be integrated into the user journey. While this risk management strategy may ultimately force some good customers through a high-friction login, and potentially cause them to churn, the loss they represent will surely be lower than a GDPR fine.
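The dynamic-friction idea above (score each login on connection and behavior signals, then add friction only when the score warrants it) can be shown in code. The following is an added example, not SEON’s product logic: a small scorer that keeps a per-IP history of login attempts and combines the kinds of signals this article names, namely many distinct usernames and many failures from one IP in a short window, a datacenter or proxy IP, a form submitted faster than a human could type, and a password already known from a breach corpus. The thresholds, weights, the datacenter range (an RFC 5737 documentation network standing in for a hosting provider), and the sample event stream are all constructed for illustration.

```python
"""Dynamic-friction login scoring over a stream of login attempts.

Added example, not SEON's code. Weights, thresholds and sample events are
constructed; tune them against your own traffic.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

WINDOW_SECONDS = 60.0
DISTINCT_USER_THRESHOLD = 5   # many usernames tried from one IP in the window
FAILURE_THRESHOLD = 10        # many failed logins from one IP in the window
FAST_FILL_MS = 500            # a human rarely submits a login form this fast
# Constructed: treat this documentation range as a hosting provider's space.
DATACENTER_RANGES = [ip_network("203.0.113.0/24")]


@dataclass
class LoginAttempt:
    ts: float           # seconds since epoch
    ip: str
    username: str
    success: bool
    fill_ms: int        # page load to submit, in milliseconds
    breached_pw: bool   # password found in a breach corpus (k-anonymity check)


class LoginRiskScorer:
    """Scores each attempt from its own fields plus per-IP history."""

    def __init__(self) -> None:
        # ip -> deque of (ts, username, success) within the sliding window
        self._history = defaultdict(deque)

    def score(self, a: LoginAttempt) -> tuple[int, list[str]]:
        q = self._history[a.ip]
        q.append((a.ts, a.username, a.success))
        while q and a.ts - q[0][0] > WINDOW_SECONDS:   # evict stale entries
            q.popleft()

        score, reasons = 0, []
        distinct_users = {u for _, u, _ in q}
        failures = sum(1 for _, _, ok in q if not ok)
        if len(distinct_users) >= DISTINCT_USER_THRESHOLD:
            score += 40
            reasons.append(f"{len(distinct_users)} usernames from {a.ip} in window")
        if failures >= FAILURE_THRESHOLD:
            score += 30
            reasons.append(f"{failures} failed logins from {a.ip} in window")
        if any(ip_address(a.ip) in net for net in DATACENTER_RANGES):
            score += 15
            reasons.append("datacenter/proxy IP")
        if a.fill_ms < FAST_FILL_MS:
            score += 15
            reasons.append(f"form submitted in {a.fill_ms} ms")
        if a.breached_pw:
            score += 25
            reasons.append("password seen in breach corpus")
        return score, reasons


def friction_for(score: int) -> str:
    """Map a risk score to the amount of friction to apply."""
    if score < 30:
        return "allow"
    if score < 70:
        return "step_up_mfa"
    return "block_and_review"


def sample_stream() -> list[LoginAttempt]:
    """Constructed events: one human login, then a stuffing-style burst."""
    events = [LoginAttempt(1000.0, "198.51.100.7", "alice", True, 4200, False)]
    # Twelve attempts one second apart, each with a different leaked username,
    # from a datacenter IP; only the last happens to succeed.
    for i in range(12):
        events.append(LoginAttempt(1001.0 + i, "203.0.113.5", f"user{i:02d}",
                                   i == 11, 120, True))
    return events


def run(events=None) -> list[tuple[str, int, str, list[str]]]:
    """Score every event in order; returns (username, score, action, reasons)."""
    scorer = LoginRiskScorer()
    results = []
    for e in events if events is not None else sample_stream():
        s, why = scorer.score(e)
        results.append((e.username, s, friction_for(s), why))
    return results


if __name__ == "__main__":
    for user, s, action, why in run():
        print(f"{user:8} score={s:3} action={action:16} {'; '.join(why)}")
```

The human login scores 0 and passes through untouched, the first attempt from the datacenter IP already lands in the MFA step-up band, and once the same IP has cycled through five usernames the burst is pushed to block-and-review; in production the per-IP history would live in a shared store rather than process memory.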
SEON’s fraud prevention software suite provides optimal tools for preventing and detecting credential stuffing attacks. The software will identify hundreds of data points under the hood and use them to flag both suspicious setups and connections between users – say, those who suspiciously forgot their passwords on the very same day.
The solutions easily facilitate an environment of dynamic friction, allowing the most obviously non-fraudulent, non-automated users to pass through the login stage with minimal inconvenience. The distinction between good and malicious users is drawn through advanced device and browser fingerprinting, as well as IP analysis and digital footprint analysis, all of which are quietly executed as soon as a user enters the domain.
A user who injects their login data strangely quickly, from an IP associated with a datacenter proxy, using credentials known to be involved in a recent data breach, will quickly be pointed out by SEON’s customizable fraud scoring engine. Such connections should certainly be asked to perform MFA or complete a security questionnaire.
In the event that a fraudster successfully logs in, SEON monitors the entire user journey and will spot risky behavior within your platform. Fraud scores can be tuned to go up quickly if a user, say, logs into an account and then attempts to drain any funds with a speed that is unlikely to be human. Manual reviews can be triggered at telltale touchpoints, like users who attempt to change their passwords with automated speed.
These instances of fraud can then also be labeled and fed into SEON’s advanced machine learning algorithms, the better to recognize similar instances going forward, particularly where their risk signals are too subtle for human review.
SEON helps companies provide a safer platform for users, sewing up gaps in infrastructure that could otherwise be exploited. This safety extends not only to the personal data stored internally but also to the likelihood that your company is subjected to enormous fines or irreversible reputational damage.
At the same time, the dynamic friction approach ensures that SEON can keep you safe without introducing unnecessary friction in the journey of legitimate customers.
Eric Gressman is a Korean-American author and tech writer, with presentation skills remaining from a teaching career. He fights fraud from East London, where he is often mistaken for a ramen chef or Chinese restaurateur.