Credential Stuffing: Detection, Prevention, Unstuffing
by Eric Gressman
Credential stuffing is, sadly, not a delicious mixture of bread, veggies, butter, and herbs that you fill the cavity of your credential turkey with. It’s not even festive.
When you hear about data breaches – that is, hacks on databases of personal information like email addresses and potentially passwords – the threat of credential stuffing attacks looms the largest. So, when JP Morgan Chase reports a breach of information associated with 83 million accounts, or the email addresses of 200 million Twitter accounts quietly leak online, do you have to be concerned?
Unfortunately, the answer is maybe, particularly if you reuse the same password across many of your sensitive online accounts and don’t want your data to become ammunition for a credential stuffing attack.
What Is Credential Stuffing?
Credential stuffing is when bad actors attempt to force their way into a website using leaked or stolen databases of login credentials. Automated bots inject the stolen usernames and passwords into a website’s login prompts or into an API, then exploit any successful login attempts.
Note that this can be any website, not just the one that suffered the leak, because so many users tend to use the same passwords across services. According to Google, up to 87% of people tend to re-use passwords, be it across all or just a few of their services and accounts. This is a large part of what makes credential stuffing a successful endeavor.
Account takeovers (ATOs) are often the result of credential stuffing attacks, especially when the victimized user isn’t practicing good password hygiene. In other words, a user whose information is breached on a non-sensitive website is at a much higher risk of having a more important account breached if they use the same passwords across accounts and don’t change them regularly.
This is because the credential stuffing attacks are looking for this kind of password insecurity specifically, often attempting to use the same login credentials on a number of different sites. The same bot software may then automatically scrape the compromised accounts of their sensitive payment data, or make unauthorized transactions.
Credential Stuffing vs Brute Force Attacks
Credential stuffing attacks are a subset of brute force attacks. Both kinds of nefarious tactics can be characterized as forcing a large volume of login attempts through the keyhole of a website, with an expected low – but non-zero – success rate. However, where a brute force attack attempts to use automation to generate the correct password of a leaked username or email address, credential stuffing attacks are already armed with pairs of usernames and passwords.
How Credential Stuffing Works
In a sense, credential stuffing doesn’t usually “work”. Fraudsters attempting to execute a credential stuffing bot attack will be expecting the vast majority of their pilfered data to be useless, not resulting in anything more than a message along the lines of:
Invalid username and password combination.
Research data published online suggests that the success rate for credential stuffing attacks is somewhere between 0.1% and 2%, but given the size of some historical data breaches, even a 0.1% success rate could be massive.
Consider the massive 2014 JP Morgan Chase breach of 83 million accounts: a 0.1% success rate would still mean 83,000 accounts taken over by malicious fraudsters, and because those accounts were tied to financial services, they held far more valuable data than the usernames and passwords that were stolen.
The execution of a credential stuffing attack involves several pieces in play:
- a poorly-secured database of usernames and passwords, leaked
- a fraudster who gets access to that leaked database
- bot software to weaponize the leaked login data
- IP and device spoofing tools to camouflage the bots
- target websites to throw the login data against until a login/password combination works
Successful logins will almost always end with the fraudster stealing whatever data seems valuable, including credit card numbers and personal identifying information. The programming of the bot will often strip the account of this information in seconds, and may potentially lock the genuine user out of their own account by changing passwords.
Even non-financial data might be scraped to be used while carrying out more sophisticated phishing attacks, particularly if the compromised account was associated with a business or otherwise grants access to sensitive information.
How Does Credential Stuffing Affect Your Organization?
The damage that credential stuffing fraudsters can cause to your organization can be severe. This is true not only for the company that allowed their database to be breached but also for the targeted websites that are having their login gateways jammed with requests.
Should the attacks find success on their domains, the targeted organizations will inevitably have to do housekeeping to keep their security hygienic, but may also find themselves settling accounts for innocent customers whose finances or data have been misused. Having a well-outfitted customer service department will suddenly become a priority issue – or a priority pain point.
For the company whose databases were breached, leading to leaked login credentials, the negative chain of events can include:
- public-facing reputational damage
- resource-heavy housekeeping and mandated infrastructural improvements
- heavy fines from legal bodies
Major data breaches generally find themselves in the spotlight in news cycles, which, despite the old adage that any press is good press, is clearly not a good thing for the breached company.
Even companies that manage to dodge media coverage have the legal obligation to inform their users that their data may have been compromised, potentially driving traffic to a competitor. There have been attempts to obfuscate hacks and breaches from the public eye, but this results in even more scandalous media reports when that information inevitably comes to light.
Since the EU’s General Data Protection Regulation (GDPR) became legally enforceable in May 2018, the regulators enforcing it, along with other governing bodies like the FTC, have handed out billions in fines related to insecure data practices.
For user data breaches alone, companies like Meta, Equifax, and British Airways have all been handed multimillion-dollar fines – under the GDPR, Meta was slapped with a whopping $275 million penalty after leaked user data found its way to publication on hacker websites.
It’s safe to say that most organizations would rather shore up defenses against data breaches rather than pay out massive fines and sacrifice their brand while doing so. That said, fraud is not a static issue, and requires a proactive approach to ward off fines and keep consumers safe.
How to Defend Against a Credential Stuffing Attack
Of course, the first line of defense against credential stuffing attacks is making sure your own infrastructure can’t be breached, so your databases can’t be weaponized in credential stuffing attacks on other platforms.
As a consumer, you can defend yourself from having all your online accounts compromised via a single website’s data breach by practicing good password hygiene.
For the targeted website – the domain that the fraudster is attempting to leverage the stolen login data against – the defense and detection processes are more involved. The first security step should always be to make sure your customers are using strong passwords, flagging weak ones at registration.
A reliable data-based weapon against fraudsters is a tool like Troy Hunt’s haveibeenpwned. Its huge database of leaked passwords lets a site check whether a password has already appeared in a breach – and, by utilizing a method called k-anonymity (only a partial hash of the password ever leaves the site), the lookup remains private and secure despite handling sensitive leaked information. The service is also offered through Cloudflare. Blocking logins that use such leaked credentials and warning the affected users is a strong safeguard against ATOs from credential stuffing.
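One way to run that k-anonymity lookup, added here as an illustration rather than code from the article or from haveibeenpwned: only the first five hex characters of the password’s SHA-1 are sent to the range endpoint, and the matching of the remaining 35 characters happens locally. The sample response, its breach counts and the `offline_fetch` stand-in for the HTTP call are all constructed.

```python
import hashlib
from typing import Callable, Dict, Tuple

# Constructed stand-in for the body the Pwned Passwords range endpoint
# (https://api.pwnedpasswords.com/range/<prefix>) returns for the prefix "5BAA6":
# one "<35-hex-char suffix>:<breach count>" pair per line. The counts are made up.
SAMPLE_RANGE_RESPONSE = (
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471\n"  # suffix of SHA-1("password")
    "1E4C9B93F3F0682250B6CF8331B7EE68FD9:12\n"       # constructed neighbouring entry
    + "0" * 34 + "A:1\n"                             # constructed filler entry
)


def sha1_prefix_suffix(password: str) -> Tuple[str, str]:
    """Split the upper-case SHA-1 hex digest into the 5-char prefix that is sent
    to the API and the 35-char suffix that never leaves the client."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Turn the range body into {suffix: count}, skipping malformed lines."""
    counts = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and len(suffix) == 35 and count.isdigit():
            counts[suffix] = int(count)
    return counts


def breach_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """How many times `password` appears in the breach corpus (0 if never).
    `fetch_range(prefix)` must return the response body for that prefix."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def offline_fetch(prefix: str) -> str:
    """Stand-in for the HTTP call: serves the constructed sample for "5BAA6"."""
    return SAMPLE_RANGE_RESPONSE if prefix == "5BAA6" else ""


if __name__ == "__main__":
    for candidate in ("password", "correct horse battery staple"):
        n = breach_count(candidate, offline_fetch)
        verdict = f"reject at registration, seen {n} times" if n else "not in corpus"
        print(f"{candidate!r}: {verdict}")
```

In production, `offline_fetch` would be replaced by an HTTPS GET of the range URL; the password itself and its full hash are never transmitted.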
Fraudsters will certainly be attempting to circumvent normal website security measures – programming their bots to change IP addresses for every unique username, for example. Prevention, thus, must take a step up from everyday domain security.
Credential Stuffing Prevention Techniques
In terms of keeping your harbors free of marauding bots, there are certain measures any company can implement that address bot-like behavior specifically, though with varying degrees of introduced customer friction.
Naturally, fraudsters looking at a 0.1% success rate will want to cast a huge net, leveraging as many usernames and passwords as possible to maximize their success. Using bots in this process means that their programming will rarely, if ever, be specific enough to address security gateways that have a follow-up layer of security.
Some common but effective measures that provide enhanced security through high friction gateways include:
- Multi-factor authentication, which requires the user to confirm their identity via another device, is extremely effective against automated credential stuffing attacks, as bots simply aren’t programmed to open an authentication app on a phone to verify themselves. At login, there are few companies that want to introduce this level of customer friction. Savvier ones may deploy a system of dynamic friction to only add a layer of MFA security when a user’s connection data raises red flags.
- CAPTCHA and other human-detecting modules can significantly decrease the likelihood that a bot can gain access to a website. Here again, though, few companies want to introduce even a more modest moment of security friction, and many CAPTCHAs have been shown to be consistently beatable.
- PINs and step-up challenges, including additional security questions, are effective at mitigating bots, as it is incredibly unlikely that a scaled credential stuffing attack is programmed to complete them.
Striking a balance between friction and security is always the tightrope that must be walked on. Many companies may want to introduce a frictionless authentication method, scrutinizing connection data and other unique identifiers for alarming signals to then only introduce friction where it may be necessary for the account’s protection. These include:
- IP fraud score, which queries the provenance of a connecting IP address. Though many bots will be programmed to change or rotate through a number of IP addresses upon connection, these IP addresses may bear the scars of fraud. The IP address may suggest it comes through a datacenter proxy, which may be a warning sign for some companies’ risk appetites, or may appear on a database of blacklisted IPs.
- Device fingerprinting is also particularly effective against bots. This is because device fingerprinting will recognize the physical machine that traffic is connecting with, and some fraud solutions will be able to recognize suspiciously similar markers among apparently unrelated users. Credential stuffing fraudsters will not often program their bots to appear as using different web browsers or screen resolutions, for example.
- Velocity checks are when software measures a user’s behavior over time for particular patterns – in this case, the signs of automated user actions as well as indicators of multi-accounting. Beyond comparing the results of device and other hashes, as we saw above, velocity checks may be able to flag repetitive, suspicious behaviors. Bots are programmed to attempt to log in, then perform some malicious actions whenever a login is successful. These actions will very likely be the same across a single domain, perhaps automatically changing passwords, or transferring cached funds elsewhere, all within a machine-like timeframe – probably just seconds. This automated behavior will be distinct from normal human usage patterns, and velocity checks can be tuned to detect it, particularly if there is a historical example to base the pattern on.
If any suspicious behaviors or signals appear when a software solution investigates traffic, the aforementioned higher-friction methods can – and should – be deployed. Optimally, a combination of these techniques would be integrated into a user journey. While this risk management strategy may ultimately result in some good customers being forced through a high-friction login, and potentially churn them out, the loss they represent will surely be lower than a GDPR fine.
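To make the passive signals above and the dynamic-friction decision concrete, here is an added example (not SEON’s code or the article’s) that summarises a constructed login log per device fingerprint and escalates friction as signals stack up. The log, the `DATACENTER_PREFIXES` stand-in for an IP-reputation lookup and the scoring thresholds are all constructed assumptions.

```python
from collections import defaultdict

# Constructed login log: (seconds, username, source IP, device fingerprint, success).
# "fp-bot" rotates its IP for every username it tries, as the article describes;
# "fp-alice" is an ordinary user who mistypes her password once.
EVENTS = [
    (0.0, "alice", "203.0.113.5", "fp-alice", False),
    (9.0, "alice", "203.0.113.5", "fp-alice", True),
] + [
    (10.0 + i * 0.4, f"user{i:03d}", f"198.51.100.{i}", "fp-bot", i == 37)
    for i in range(60)
]
# Constructed stand-in for an IP-reputation lookup that flags datacenter ranges.
DATACENTER_PREFIXES = ("198.51.100.",)


def velocity_signals(events, window_s=60.0):
    """Per device fingerprint, summarise the attempts in the trailing `window_s`
    seconds: distinct usernames and IPs, failure ratio, mean gap between attempts."""
    by_fp = defaultdict(list)
    for ts, user, ip, fp, ok in sorted(events):
        by_fp[fp].append((ts, user, ip, ok))
    signals = {}
    for fp, rows in by_fp.items():
        recent = [r for r in rows if rows[-1][0] - r[0] <= window_s]
        gaps = [b[0] - a[0] for a, b in zip(recent, recent[1:])]
        signals[fp] = {
            "attempts": len(recent),
            "users": len({r[1] for r in recent}),
            "ips": len({r[2] for r in recent}),
            "fail_ratio": sum(not r[3] for r in recent) / len(recent),
            "mean_gap_s": sum(gaps) / len(gaps) if gaps else None,
        }
    return signals


def friction_level(sig, ip):
    """Dynamic friction: 'none' for clean traffic, 'captcha' on one weak signal,
    'mfa' once several passive signals stack up. Thresholds are illustrative."""
    score = 0
    if sig["users"] >= 5 and sig["fail_ratio"] >= 0.8:   # many accounts, nearly all failing
        score += 2
    if sig["ips"] > 1 and sig["ips"] >= 0.8 * sig["users"]:  # roughly one IP per username
        score += 1
    if sig["mean_gap_s"] is not None and sig["mean_gap_s"] < 2.0:  # machine-like cadence
        score += 1
    if ip.startswith(DATACENTER_PREFIXES):  # datacenter proxy provenance
        score += 1
    return "mfa" if score >= 3 else "captcha" if score >= 1 else "none"
```

Because the bot rotates IPs, grouping by device fingerprint rather than by IP is what makes its 60 usernames in 24 seconds visible as one actor.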
How Does SEON Fight Credential Stuffing Attacks?
SEON’s fraud prevention software suite provides optimal tools for preventing and detecting credential stuffing attacks. The software will identify hundreds of data points under the hood and use them to flag both suspicious setups and connections between users – say, those who suspiciously forgot their passwords on the very same day.
The solutions easily facilitate an environment of dynamic friction, allowing the most obviously non-fraudulent, non-automated users to pass through the login stage with minimal inconvenience. The distinction between good and malicious users is identified through advanced device and browser fingerprinting, as well as IP analysis and digital footprint analysis, which are quietly executed as soon as a user enters the domain.
A user who injects their login data strangely quickly, from an IP associated with a datacenter proxy, using credentials known to be involved in a recent data breach, will quickly be pointed out by SEON’s customizable fraud scoring engine. Such connections should certainly be asked to perform MFA or complete a security questionnaire.
In the event that a fraudster successfully logs in, SEON monitors the entire user journey and will spot risky behavior within your platform. Fraud scores can be tuned to go up quickly if a user, say, logs into an account and then attempts to drain any funds with a speed that is unlikely to be human. Manual reviews can be triggered at telltale touchpoints, like users who attempt to change their passwords with automated speed.
These instances of fraud can then also be labeled and fed into SEON’s advanced machine learning algorithms, the better to recognize similar instances moving forwards, particularly if their risk signals are too subtle for human review.
SEON helps companies provide a safer platform for users, sewing up gaps in infrastructure that could otherwise be exploited. This safety extends not only to the personal data stored internally but also to the likelihood that your company is subjected to enormous fines or irreversible reputational damage.
At the same time, the dynamic friction approach ensures that SEON can keep you safe without introducing unnecessary friction in the journey of legitimate customers.
- OWASP: Credential Stuffing Prevention Cheat Sheet
- CSO Online: The 12 biggest data breach fines, penalties, and settlements so far
- IT Governance: The damaging after-effects of a data breach
- Wikipedia: 2014 JPMorgan Chase data breach
- Google: Online Security Survey Google / Harris Poll
Eric Gressman is a Korean-American author and tech writer, with presentation skills remaining from a teaching career. He fights fraud from East London, where he is often mistaken for a ramen chef or Chinese restaurateur.