The Bedel Security Blog

What is Credential Stuffing?

Written by Brian Petzold | Jul 13, 2018


One of the fastest-growing types of cyberattack right now is called credential stuffing. Credential stuffing takes place when an attacker takes a list of IDs and passwords obtained in a previous breach of another site and uses automated tools to try those same ID and password pairs against your site. Unlike a brute-force attack, which guesses many passwords for one account, stuffing tries one leaked password against each of thousands of accounts, so per-account lockout rules rarely trigger and the attack shows up in overall volume and source patterns rather than in repeated failures on any single user. Because people continue to reuse passwords across different websites, there is a good chance the attacker will eventually succeed and take over your customer or employee accounts. Some companies are attributing over 60% of their recent login attempts to credential stuffing. This week we offer five suggestions that your institution can consider to protect your customers and employees from credential stuffing:

  1. Don’t Reuse Passwords: The only reason that credential stuffing works at all is that people reuse the same ID and password on multiple sites. Educate your customers and employees that this is a bad idea, and consider screening new passwords against lists of credentials already exposed in public breaches so that an already-leaked password cannot be chosen in the first place.
  2. Consider a Password Vault for Employees: Consider implementing a password vault to make it easier for employees to manage unique passwords. There is some risk in using these vaults (the vault itself becomes a high-value target, so its master password and its own MFA must be strong), so be sure to do a risk assessment before implementing one. Some of these vaults also provide the ability to alert you and/or your employee when they reuse a password on multiple sites.
  3. Up Your Multi-Factor Authentication Game: Once a correct password is found by credential stuffing, only multi-factor authentication (MFA) stands between the attacker and your customer’s online account. If your “second factor” is a question such as mother’s maiden name or favorite vacation spot, it is not really a second factor at all: it is just another thing the user knows, and that information is likely available on social media sites. Attackers are also learning how to find customer cell phone numbers and can get text messages redirected to a phone they control (for example, by talking a carrier into a SIM swap or number port), so simply sending a text message is becoming less effective. Consider implementing stronger MFA methods such as authenticator apps, physical tokens, device (workstation) fingerprinting, or biometrics.
  4. Don’t rely on CAPTCHA: Many sites use CAPTCHA (a challenge–response test meant to tell humans apart from automated programs) to detect and deter the tools used in credential stuffing. The problem is that attackers now route CAPTCHAs to solvers, either machine-learning models or low-cost human solving services, and the automated solvers succeed on many common CAPTCHA types at rates comparable to or better than humans. Treat CAPTCHA as friction that raises the attacker’s cost, not as a control that stops the attack.
  5. Investigate Detection and Prevention Tools: Several vendors have now developed tools that can be added in front of your website to help detect and block credential stuffing, typically by looking at login volume, failure rate, the number of distinct accounts tried from one source, and the reputation of the source addresses. Ask your current intrusion detection system or web application firewall vendor if they do this and enable the capability if they do. If they do not, start investigating additional tools that do provide this detection.
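To make the detection signal from suggestion 5 concrete, the following is an added example written for this post; it is not Bedel Security’s code or any vendor’s product. It assumes a simple login-log line layout (timestamp, client IP, username, OK/FAIL), uses illustrative thresholds, and runs over a constructed sample log containing one legitimate user and one stuffing run. It flags a source IP when, inside a five-minute window, it makes many attempts against many distinct accounts with almost all of them failing, and then lists every account that IP did log into so those users can be forced through a password reset or step-up MFA.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed line layout (constructed for this example, not any product's real format):
#   <ISO-8601 timestamp> <client IP> <username> <OK|FAIL>
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(OK|FAIL)$")

# Illustrative thresholds; tune them against your own baseline traffic.
WINDOW = timedelta(minutes=5)
MIN_ATTEMPTS = 20        # attempts from one IP inside the window
MIN_DISTINCT_USERS = 10  # stuffing sprays many different accounts ...
MAX_SUCCESS_RATE = 0.10  # ... and almost all of the guesses fail


def parse_log(lines):
    """Parse log lines into (timestamp, ip, username, succeeded) tuples, oldest first."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:  # ignore malformed lines instead of crashing the detector
            continue
        ts, ip, user, result = m.groups()
        events.append((datetime.fromisoformat(ts), ip, user, result == "OK"))
    events.sort(key=lambda e: e[0])
    return events


def detect_stuffing(events, window=WINDOW):
    """Return {ip: stats} for source IPs whose login pattern matches stuffing."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        by_ip[ip].append((ts, user, ok))

    flagged = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # slide the window start forward so evs[start:end+1] spans <= window
            while evs[end][0] - evs[start][0] > window:
                start += 1
            win = evs[start:end + 1]
            users = {u for _, u, _ in win}
            rate = sum(ok for _, _, ok in win) / len(win)
            if (len(win) >= MIN_ATTEMPTS and len(users) >= MIN_DISTINCT_USERS
                    and rate <= MAX_SUCCESS_RATE):
                # Any account this IP logged into is a likely takeover: a leaked
                # password that still works. Hand the list to IR for reset/step-up.
                flagged[ip] = {
                    "attempts": len(win),
                    "distinct_users": len(users),
                    "success_rate": round(rate, 3),
                    "accounts_to_review": sorted({u for _, u, ok in evs if ok}),
                }
                break  # one matching window is enough to flag the IP
    return flagged


def sample_log():
    """Constructed sample data for this example; not real traffic."""
    t0 = datetime(2018, 7, 13, 9, 0, 0)
    lines = []
    # Legitimate user mistypes twice, then logs in, all from one IP.
    for i, result in enumerate(["FAIL", "FAIL", "OK"]):
        ts = (t0 + timedelta(seconds=30 * i)).isoformat()
        lines.append(f"{ts} 203.0.113.5 alice {result}")
    # Attacker replays 30 leaked ID/password pairs from one IP, two seconds apart;
    # exactly one reused password still works (user0017).
    for i in range(30):
        ts = (t0 + timedelta(seconds=2 * i)).isoformat()
        result = "OK" if i == 17 else "FAIL"
        lines.append(f"{ts} 198.51.100.7 user{i:04d} {result}")
    return lines


if __name__ == "__main__":
    for ip, stats in detect_stuffing(parse_log(sample_log())).items():
        print(ip, stats)
```

Running the script prints only the attacker’s IP with its window statistics and `['user0017']` as the account to review; the legitimate user’s two typos never come close to the thresholds. A real deployment would add per-source reputation, ASN and user-agent signals and would watch for the distributed variant (a few attempts each from thousands of proxy IPs), where the per-IP counts above stay small and the tell is the site-wide jump in distinct usernames attempted and in overall failure rate.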

We are constantly monitoring the cybersecurity landscape for threats that specifically impact financial institutions and their customers. If you're looking for a cybersecurity expert for your team to keep you ahead of threats, don't hesitate to reach out.