Credential Stuffing: Prevention & Best Practices for Defense

When you hear about data breaches – that is, hacks on databases of personal information like email addresses and potentially passwords – the threat of credential stuffing attacks looms the largest. So, when JP Morgan Chase reports a breach of information associated with 83 million accounts, or the email addresses of 200 million Twitter accounts quietly leak online, do you have to be concerned?

Unfortunately, the answer is maybe, particularly if you reuse the same password across many of your sensitive online accounts and don’t want your data to become ammunition for a credential stuffing attack.

What Is Credential Stuffing?

Credential stuffing is when bad actors attempt to force their way into a website using leaked or stolen databases of login credentials. Automated bots inject the stolen usernames and passwords into a website’s login prompts or into an API, then exploit any successful login attempts.

Note that this can be any website, not just the one that suffered the leak, because so many users tend to use the same passwords across services. According to Google, up to 87% of people tend to re-use passwords, be it across all or just a few of their services and accounts. This is a large part of what makes credential stuffing a successful endeavor.

Account takeover fraud (ATO) is often the result of credential stuffing attacks, especially when the victimized user isn’t practicing good password hygiene. In other words, a user whose information is breached on a non-sensitive website is at a much higher risk of having a more important account breached if they use the same password across accounts and don’t change it regularly.

This is because the credential stuffing attacks are looking for this kind of password insecurity specifically, often attempting to use the same login credentials on a number of different sites. The same bot software may then automatically scrape the compromised accounts of their sensitive payment data, or make unauthorized transactions.

How Do Credential Stuffing Attacks Work?

In a sense, credential stuffing doesn’t usually “work”. Fraudsters attempting to execute a credential stuffing bot attack will be expecting the vast majority of their pilfered data to be useless, not resulting in anything more than a message along the lines of:

Invalid username and password combination.

Research data published online suggests that the success rate for credential stuffing attacks is somewhere between 2% and 0.1%, but with the size of some historical data breaches, even a 0.1% success rate could be massive.

Consider the massive 2014 JP Morgan Chase breach of 83 million accounts: 0.1% of that breach still amounts to 83,000 accounts successfully taken over by malicious fraudsters. Because those accounts were tied to financial services, the data they held was far more valuable than the usernames and passwords that were originally stolen.

Credential Stuffing Attack Process

The execution of a credential stuffing attack involves several pieces in play:

  • a poorly-secured database of usernames and passwords, leaked
  • a fraudster who gets access to that leaked database
  • bot software to weaponize the leaked login data
  • IP and device spoofing tools to camouflage the bots
  • target websites to throw the login data against until a login/password combination works

Successful logins will almost always end with the fraudster stealing whatever data seems valuable, including credit card numbers and personal identifying information. The programming of the bot will often strip the account of this information in seconds, and may potentially lock the genuine user out of their own account by changing passwords.

Even non-financial data might be scraped to be used while carrying out more sophisticated phishing attacks, particularly if the compromised account was associated with a business or otherwise grants access to sensitive information. 

Credential Stuffing vs Brute Force Attacks

Credential stuffing attacks are a subset of brute force attacks. Both kinds of nefarious tactics can be characterized as forcing a large volume of login attempts through the keyhole of a website, with an expected low – but non-zero – success rate. However, where a brute force attack attempts to use automation to generate the correct password of a leaked username or email address, credential stuffing attacks are already armed with pairs of usernames and passwords. 

How Does It Affect Your Organization?

The damage that credential stuffing fraudsters can cause to your organization can be severe as it may entail:

  • Public-facing reputational damage: customers whose accounts are stolen can be vocal about their suffered “hack” and blame your company for the exploit.
  • Resource-heavy damage control: you will have to quickly identify the exploit, upgrade your security, deal with the victims, and deploy additional security measures to ensure fraudsters cannot access more parts of your business from the stolen accounts.
  • Heavy fines from legal bodies: in some cases, a successful credential stuffing attack is a regulatory risk, which can be punished by fines and legal action. Since the EU’s General Data Protection Regulation (GDPR) became legally enforceable in May 2018, financial governing bodies like the FTC have handed out billions in fines related to insecure data practices.

Major data breaches generally also find themselves in the spotlight in news cycles, which, despite the old adage that any press is good press, is clearly not a good thing for the breached company. 

It’s safe to say that most organizations would rather shore up their defenses against data breaches than pay out massive fines and sacrifice their brand in the process. That said, fraud is not a static issue, and it requires a proactive approach to ward off fines and keep consumers safe.

Best Methods for Credential Stuffing Prevention

Preventing credential stuffing takes a multi-pronged approach, combining cybersecurity, employee training, customer education, and fraud prevention, including:

  • Multi-factor authentication and CAPTCHA: requiring the user to confirm their identity via another device, or to prove they are human, is extremely effective against automated credential stuffing attacks.
  • Device fingerprinting: also particularly effective against bots and virtual machines. It is designed to recognize suspiciously similar technical markers among apparently unrelated users, such as identical web browser plugins or screen resolutions.
  • Velocity checks: these can flag repetitive, suspicious actions, such as automatically changing passwords or transferring funds elsewhere, all within a machine-like timeframe.
  • Machine learning: if you struggle to manually detect suspicious login attempts, an algorithm can identify past exploits based on your historical data and suggest ways to prevent them in the future. This is particularly helpful if you’ve been the victim of multiple credential stuffing attempts and need to identify a common point between all the attacks.

Methods designed to catch credential stuffing are particularly helpful at the login stage, but you can also keep them running to identify suspicious behavior after a successful login. It’s also worth noting that there is a lot of overlap between credential stuffing prevention and bot detection, which takes a more general approach to catching automated actions on your website.

Credential Stuffing Defense

Of course, the first line of defense against credential stuffing attacks is making sure your own infrastructure can’t be breached, so your databases can’t be weaponized in credential stuffing attacks on other platforms. 

As a consumer, you can defend yourself from having all your online accounts compromised via a single website’s data breach by practicing good password hygiene.

For the targeted website – the domain that the fraudster is attempting to leverage the stolen login data against – the defense and detection processes are more involved. The first security step should always be to make sure your customers are using strong passwords, flagging weak ones at registration. 

A reliable data-based weapon against fraudsters is a tool like Troy Hunt’s Have I Been Pwned. This huge database of leaked passwords allows for better security, and, by using a method called k-anonymity, it stays private and secure despite handling sensitive leaked information. It is also offered through Cloudflare. Blocking logins and registrations that use such leaked passwords, and warning the affected users, is a strong safeguard against ATOs from credential stuffing.
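As an added illustration of the k-anonymity check described above (example code written for this article, not Have I Been Pwned’s own client or SEON’s software): only the first five hex characters of the password’s SHA-1 hash are sent to the range endpoint, and the comparison against the returned suffixes happens on your side. The range response below is a constructed sample, and the `registration_allowed` policy hook is an assumed name.

```python
import hashlib
import urllib.request
from typing import Callable

# Real Pwned Passwords range endpoint: only a 5-character SHA-1 prefix is ever sent to it.
HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/{prefix}"
# Constructed sample of a range response ("SUFFIX:COUNT" per line). The second suffix is the
# genuine tail of SHA-1("password"); the other suffixes and all counts are made up for the demo.
SAMPLE_RANGE_RESPONSE = "\r\n".join([
    "00D4F6E8FA6EECAD2A3AA415EEC418D38EC:2",
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471",
    "011053FD0102E94D6AE2F8B83D76FAF94F6:1",
])

def split_sha1(password: str) -> tuple[str, str]:
    """Return (prefix, suffix) of the uppercase hex SHA-1 digest of the password."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def parse_range(body: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a dict, tolerating CRLF and blank lines."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep:
            counts[suffix.upper()] = int(count)
    return counts

def pwned_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Times the password appears in the breach corpus (0 = not seen).
    fetch_range only ever receives the prefix, so the full hash never leaves the client."""
    prefix, suffix = split_sha1(password)
    return parse_range(fetch_range(prefix)).get(suffix, 0)

def http_fetch_range(prefix: str) -> str:
    """Live fetcher for the real API (needs network); not used by the offline demo."""
    req = urllib.request.Request(HIBP_RANGE_URL.format(prefix=prefix),
                                 headers={"User-Agent": "pwned-password-check-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")

def offline_fetch_range(prefix: str) -> str:
    """Stand-in fetcher that serves the constructed sample so the demo runs offline."""
    return SAMPLE_RANGE_RESPONSE if prefix == "5BAA6" else ""

def registration_allowed(password: str, fetch_range=offline_fetch_range) -> bool:
    """Assumed policy hook for sign-up/password-change forms: reject any leaked password."""
    return pwned_count(password, fetch_range) == 0
```

Swap `offline_fetch_range` for `http_fetch_range` to query the live service; the prefix is the only thing that leaves your server either way.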

Fraudsters will certainly be attempting to circumvent normal website security measures – programming their bots to change IP addresses for every unique username, for example. Prevention, thus, must take a step up from everyday domain security. 
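The velocity check and device fingerprinting from the prevention list above, combined with the IP-rotation caveat just described, as an added example (code written for this article, not SEON’s product logic): the constructed login events model a bot that changes IP for every username but keeps one browser setup, so a per-IP check sees nothing while the same check keyed on the fingerprint fires. Field layout, window and threshold are assumptions.

```python
from collections import defaultdict, deque

# Constructed login events: (timestamp_s, client_ip, device_fingerprint, username, success).
# The "fp-bot-X" rows model a stuffing bot that rotates its IP for every username while
# keeping the same headless-browser setup, so its fingerprint stays constant.
EVENTS = [
    (0,  "203.0.113.10", "fp-real-A", "alice", True),
    (5,  "203.0.113.10", "fp-real-A", "alice", True),
    (60, "198.51.100.1", "fp-bot-X",  "bob",   False),
    (61, "198.51.100.2", "fp-bot-X",  "carol", False),
    (62, "198.51.100.3", "fp-bot-X",  "dave",  False),
    (63, "198.51.100.4", "fp-bot-X",  "erin",  False),
    (64, "198.51.100.5", "fp-bot-X",  "frank", True),
    (65, "198.51.100.6", "fp-bot-X",  "grace", False),
]

WINDOW_SECONDS = 60      # assumed sliding window
MAX_DISTINCT_USERS = 3   # assumed threshold: more distinct usernames than this per key is suspicious

def velocity_alerts(events, key, window=WINDOW_SECONDS, threshold=MAX_DISTINCT_USERS):
    """Sliding-window velocity check. `key` picks the attribute to group by (IP or fingerprint).
    Returns {key_value: timestamp of first alert} for every key that tried more than
    `threshold` distinct usernames within `window` seconds."""
    recent = defaultdict(deque)      # key_value -> deque of (ts, username) inside the window
    alerts = {}
    for ev in sorted(events, key=lambda e: e[0]):
        ts, user = ev[0], ev[3]
        k = key(ev)
        q = recent[k]
        q.append((ts, user))
        while ts - q[0][0] > window:  # drop attempts that fell out of the window
            q.popleft()
        if k not in alerts and len({u for _, u in q}) > threshold:
            alerts[k] = ts
    return alerts

def per_ip_alerts(events=EVENTS):
    return velocity_alerts(events, key=lambda e: e[1])

def per_fingerprint_alerts(events=EVENTS):
    return velocity_alerts(events, key=lambda e: e[2])

def suspicious_successes(events=EVENTS):
    """Successful logins tied to a flagged fingerprint: route to step-up auth or manual review."""
    flagged = per_fingerprint_alerts(events)
    return [ev[3] for ev in events if ev[4] and ev[2] in flagged]
```

Running the check after login as well (here via `suspicious_successes`) is what lets you catch the one credential pair that did work before the bot empties the account.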

How Does SEON Help With Credential Stuffing Prevention?

SEON’s fraud prevention software suite provides optimal tools for preventing and detecting credential stuffing attacks using a combination of powerful features. These include:

  • User fingerprinting: SEON identifies hundreds of device and browser data points under the hood and uses them to flag suspicious setups and connections to your website. This is also helpful for flagging logins from previously blacklisted IPs, devices, or even high-risk countries.
  • Velocity checks: designed to monitor the entire user journey and spot risky behavior within your platform. Fraud scores can be tuned to rise quickly if a user, say, attempts to change their password at automated speed or fails too many login attempts within a specific time frame.
  • Machine learning algorithms: the more credential stuffing attempts you can identify and flag, the better SEON will recognize similar instances going forward, especially when their risk signals are too subtle for human review.

All of the above also makes SEON an ideal bot detection software, and best of all, it’s available with a free plan or flexible, cancel-anytime contracts where you only pay per API call.

Sources

  • OWASP: Credential Stuffing Prevention Cheat Sheet
  • CSO Online: The 12 biggest data breach fines, penalties, and settlements so far
  • IT Governance: The damaging after-effects of a data breach
  • Wikipedia: 2014 JPMorgan Chase data breach
  • Google: Online Security Survey Google / Harris Poll