by Eric Gressman
When you hear about data breaches – that is, hacks on databases of personal information like email addresses and potentially passwords – the threat of credential stuffing attacks looms the largest. So, when JP Morgan Chase reports a breach of information associated with 83 million accounts, or the email addresses of 200 million Twitter accounts quietly leak online, do you have to be concerned?
Unfortunately, the answer is maybe, particularly if you reuse the same password across many of your sensitive online accounts and don't want that data to become ammunition for a credential stuffing attack.
Credential stuffing is when bad actors attempt to force their way into a website using leaked or stolen databases of login credentials. Automated bots inject the stolen usernames and passwords into a website’s login prompts or into an API, then exploit any successful login attempts.
Note that this can be any website, not just the one that suffered the leak, because so many users tend to use the same passwords across services. According to Google, up to 87% of people tend to re-use passwords, be it across all or just a few of their services and accounts. This is a large part of what makes credential stuffing a successful endeavor.
Account takeover fraud (ATO) is often the result of credential stuffing attacks, especially when the victimized user isn't practicing good password hygiene. In other words, a user whose information is breached on a non-sensitive website is at a much higher risk of having a more important account compromised if they reuse the same password across accounts and don't change it once it has leaked.
This is because credential stuffing attacks are looking for exactly this kind of password reuse, trying the same login credentials across a number of different sites. The same bot software may then automatically scrape sensitive payment data from the compromised accounts, or make unauthorized transactions.
SEON’s behavioral analysis and machine learning algorithms can help you keep your domain safe from fraudsters with stolen login information. Come see how.
In a sense, credential stuffing doesn’t usually “work”. Fraudsters attempting to execute a credential stuffing bot attack will be expecting the vast majority of their pilfered data to be useless, not resulting in anything more than a message along the lines of:
Invalid username and password combination.
Research data published online suggests that the success rate for credential stuffing attacks is somewhere between 0.1% and 2%, but given the size of some historical data breaches, even a 0.1% success rate can be massive.
Consider the 2014 JP Morgan Chase breach of 83 million accounts: a 0.1% success rate against a credential list of that size would still amount to 83,000 accounts successfully taken over, and because those accounts were tied to financial services, they hold far more valuable data than usernames and passwords.
The execution of a credential stuffing attack involves several pieces in play:
Successful logins will almost always end with the fraudster stealing whatever data seems valuable, including credit card numbers and personal identifying information. The programming of the bot will often strip the account of this information in seconds, and may potentially lock the genuine user out of their own account by changing passwords.
Even non-financial data might be scraped to be used while carrying out more sophisticated phishing attacks, particularly if the compromised account was associated with a business or otherwise grants access to sensitive information.
Credential stuffing attacks are a subset of brute force attacks. Both can be characterized as forcing a large volume of login attempts through the keyhole of a website, with an expected low but non-zero success rate. The difference is that a brute force attack uses automation to guess the password for a known username or email address, while a credential stuffing attack is already armed with pairs of usernames and passwords.
The damage that credential stuffing fraudsters can cause to your organization can be severe as it may entail:
Major data breaches generally also find themselves in the spotlight in news cycles, which, despite the old adage that any press is good press, is clearly not a good thing for the breached company.
It’s safe to say that most organizations would rather shore up defenses against data breaches rather than pay out massive fines and sacrifice their brand while doing so. That said, fraud is not a static issue, and requires a proactive approach to ward off fines and keep consumers safe.
Preventing credential stuffing takes a multi-pronged approach, combining cybersecurity, employee training, customer education, and fraud prevention, including:
Methods designed to catch credential stuffing are particularly helpful at the login stage, but you can also keep them running to identify suspicious behavior after a successful login. It's also worth noting that there is considerable overlap between credential stuffing prevention and bot detection, which takes a more general approach to catching automated actions on your website.
Of course, the first line of defense against credential stuffing attacks is making sure your own infrastructure can’t be breached, so your databases can’t be weaponized in credential stuffing attacks on other platforms.
As a consumer, you can defend yourself from having all your online accounts compromised via a single website’s data breach by practicing good password hygiene.
For the targeted website – the domain that the fraudster is attempting to leverage the stolen login data against – the defense and detection processes are more involved. The first security step should always be to make sure your customers are using strong passwords, flagging weak ones at registration.
A reliable data-based weapon against fraudsters is a service like Troy Hunt's Have I Been Pwned and its Pwned Passwords corpus. This huge database of leaked passwords lets you reject passwords that attackers already hold, and, by using a method called k-anonymity (the client sends only the first five characters of the password's SHA-1 hash and compares the rest locally), the lookup stays private and secure even though it touches sensitive leaked data. The service is also offered through Cloudflare. Rejecting such passwords and warning users about them is a strong safeguard against ATOs from credential stuffing.
Fraudsters will certainly attempt to circumvent normal website security measures, for example by programming their bots to change IP address for every username they try, so that per-IP rate limits never trigger. Prevention therefore has to take a step up from everyday domain security.
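Here is what the registration-time check described above looks like in practice. This is an added example written for this page, not SEON's code and not the haveibeenpwned client library. The Pwned Passwords range endpoint (`https://api.pwnedpasswords.com/range/<first five hex chars of SHA-1>`) is real, but to run offline the example uses a constructed stand-in response for the `5BAA6` prefix; the made-up suffixes and counts in it are assumptions, apart from the genuine suffix of SHA-1("password"). The 12-character minimum is also an assumption.

```python
import hashlib
import urllib.request

# Constructed stand-in for the Pwned Passwords range response for prefix
# 5BAA6. The real body is a list of "SUFFIX:COUNT" lines, one per leaked
# SHA-1 hash sharing that 5-character prefix (hundreds of lines per prefix).
# Only the second line is real: the suffix of SHA-1("password").
FAKE_RANGE_RESPONSES = {
    "5BAA6": "\n".join([
        "003D68EB55068C33ACE09247EE4C639306B:3",
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:9545824",
        "1E6CFB7E9A6C0A0B6B0F6B5F4E1D1A2B3C4:1",
    ]),
}

MIN_LENGTH = 12  # assumption: your own policy


def fetch_range_live(prefix: str) -> str:
    """Query the real API. Not used by the offline example or the test."""
    url = "https://api.pwnedpasswords.com/range/" + prefix
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.read().decode("utf-8")


def fetch_range_fake(prefix: str) -> str:
    """Offline stand-in: an unknown prefix behaves like an empty range."""
    return FAKE_RANGE_RESPONSES.get(prefix, "")


def pwned_count(password: str, fetch_range=fetch_range_fake) -> int:
    """How many times the password appears in the breach corpus (0 = never seen).

    k-anonymity: only the first 5 hex chars of the SHA-1 hash leave this
    host, so the service learns neither the password nor its full hash.
    The full suffix is matched locally against the returned list.
    """
    sha1 = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = sha1[:5], sha1[5:]
    for line in fetch_range(prefix).splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate == suffix:
            return int(count or 0)
    return 0


def registration_password_problems(password: str, fetch_range=fetch_range_fake) -> list:
    """Return a list of policy codes; an empty list means the password is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too_short")
    if pwned_count(password, fetch_range) > 0:
        problems.append("breached")
    return problems


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        print(repr(pw), "->", registration_password_problems(pw) or "ok")
```

Hash the password client-side or server-side before the lookup, but never log the full hash alongside the username; the whole point of the prefix query is that nothing tying a user to a full hash is sent or stored.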
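The distinction drawn earlier on this page (brute force: one username hammered with many passwords from one source; credential stuffing: many usernames, roughly one known password each, spread across rotating IPs) is exactly what login telemetry can key on, both at login time and afterwards. The following detection logic is an added example written for this page, not SEON's engine. The log format, the thresholds, and the `fp=` client fingerprint field (a user-agent string standing in for something richer such as a TLS or device fingerprint) are all assumptions, and the log lines are constructed, not real traffic.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed authentication log sample (not real traffic).
# bob: six failures from one IP = brute force.
# carol..judy: eight different usernames, one try each, each from a different
#   IP but the same client fingerprint = credential stuffing with IP rotation.
# kim: one typo then success from one IP = a normal user.
SAMPLE_LOG = """\
2024-03-01T10:00:00Z ip=203.0.113.10 user=alice result=ok fp=Mozilla/5.0-Chrome
2024-03-01T10:00:02Z ip=198.51.100.7 user=bob result=fail fp=python-requests/2.31
2024-03-01T10:00:03Z ip=198.51.100.7 user=bob result=fail fp=python-requests/2.31
2024-03-01T10:00:04Z ip=198.51.100.7 user=bob result=fail fp=python-requests/2.31
2024-03-01T10:00:05Z ip=198.51.100.7 user=bob result=fail fp=python-requests/2.31
2024-03-01T10:00:06Z ip=198.51.100.7 user=bob result=fail fp=python-requests/2.31
2024-03-01T10:00:07Z ip=198.51.100.7 user=bob result=fail fp=python-requests/2.31
2024-03-01T10:00:10Z ip=192.0.2.1 user=carol result=fail fp=okhttp/4.9
2024-03-01T10:00:10Z ip=192.0.2.2 user=dave result=fail fp=okhttp/4.9
2024-03-01T10:00:11Z ip=192.0.2.3 user=erin result=fail fp=okhttp/4.9
2024-03-01T10:00:11Z ip=192.0.2.4 user=frank result=ok fp=okhttp/4.9
2024-03-01T10:00:12Z ip=192.0.2.5 user=grace result=fail fp=okhttp/4.9
2024-03-01T10:00:12Z ip=192.0.2.6 user=heidi result=fail fp=okhttp/4.9
2024-03-01T10:00:13Z ip=192.0.2.7 user=ivan result=fail fp=okhttp/4.9
2024-03-01T10:00:13Z ip=192.0.2.8 user=judy result=fail fp=okhttp/4.9
2024-03-01T10:05:00Z ip=203.0.113.11 user=kim result=fail fp=Mozilla/5.0-Safari
2024-03-01T10:05:20Z ip=203.0.113.11 user=kim result=ok fp=Mozilla/5.0-Safari
"""

LINE_RE = re.compile(r"^(\S+) ip=(\S+) user=(\S+) result=(ok|fail) fp=(\S+)$")


def parse_line(line: str) -> dict:
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError("unparseable log line: " + line)
    ts, ip, user, result, fp = m.groups()
    # fromisoformat() only accepts a trailing "Z" from Python 3.11 on
    ts = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return {"ts": ts, "ip": ip, "user": user, "result": result, "fp": fp}


def analyze(log_text: str, window_seconds: int = 60, min_attempts: int = 5,
            min_fail_ratio: float = 0.8, min_distinct_ratio: float = 0.8) -> dict:
    """Classify login activity in fixed windows; thresholds are assumptions."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    by_ip, by_fp = defaultdict(list), defaultdict(list)
    for e in events:
        bucket = int(e["ts"].timestamp()) // window_seconds
        by_ip[(bucket, e["ip"])].append(e)
        by_fp[(bucket, e["fp"])].append(e)

    findings = {"brute_force": set(), "credential_stuffing": set(), "accounts_at_risk": set()}

    # Brute force: one username, many mostly-failing attempts from one source.
    for (_, ip), evs in by_ip.items():
        users = {e["user"] for e in evs}
        fail_ratio = sum(e["result"] == "fail" for e in evs) / len(evs)
        if len(evs) >= min_attempts and len(users) == 1 and fail_ratio >= min_fail_ratio:
            findings["brute_force"].add((ip, users.pop()))

    # Credential stuffing: many distinct usernames, about one try each, mostly
    # failing. Keying on the client fingerprint rather than the IP is what
    # catches a bot that rotates IP for every username: per-IP counters would
    # each see a single attempt and never fire.
    for (_, fp), evs in by_fp.items():
        users = {e["user"] for e in evs}
        fail_ratio = sum(e["result"] == "fail" for e in evs) / len(evs)
        distinct_ratio = len(users) / len(evs)
        if (len(evs) >= min_attempts and distinct_ratio >= min_distinct_ratio
                and fail_ratio >= min_fail_ratio):
            findings["credential_stuffing"].add(fp)
            # The few successes inside a stuffing cluster are the real ATOs:
            # this is the post-login signal worth acting on (step-up auth,
            # session revocation, transaction review).
            findings["accounts_at_risk"].update(e["user"] for e in evs if e["result"] == "ok")
    return findings


if __name__ == "__main__":
    for kind, hits in analyze(SAMPLE_LOG).items():
        print(kind, sorted(hits))
```

Run against the sample, only bob's attacker and the okhttp cluster are flagged, and frank is reported as an account at risk even though his login "succeeded"; alice and kim, the legitimate users, are untouched. In production the fingerprint key is whatever survives IP rotation for your client population (TLS fingerprint, device ID, header ordering), and the thresholds should be calibrated against your own baseline of normal failure rates.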
SEON’s fraud prevention software suite provides optimal tools for preventing and detecting credential stuffing attacks using a combination of powerful features. These include:
All of the above also makes SEON an ideal bot detection software, and best of all, it’s available with a free plan or flexible, cancel-anytime contracts where you only pay-per-API call.
Eric Gressman is a Korean-American author and tech writer, with presentation skills remaining from a teaching career. He fights fraud from East London, where he is often mistaken for a ramen chef or Chinese restaurateur.