At the turn of the century, as more and more of our lives were moving into the online realm, we were inundated with requests to create online accounts. Maybe you remember services like Friendster and Napster, two of the very first social networking and music streaming sites available. These services may no longer be around, but it is very likely that your login credentials for long-gone services like these are floating in the darknet. This would not be a problem in and of itself. However, at the dawn of the digital era, few of us realized the importance of securing the personal data we shared online. So we reused usernames and passwords across services and platforms. And this practice, decades old, has now fueled a lucrative form of cyber attack: credential stuffing.
Unlike other forms of cyber attack, credential stuffing requires little to no knowledge of technology and computing systems. This is what makes it exceptionally dangerous to businesses and customers. Attackers need only purchase a list of usernames and passwords and a toolset (including information like configuration files for online portals and even user support), and they can then start harvesting valuable user data.
How exactly does credential stuffing work?
Hit or miss. Credential stuffing is like a game of chance for cybercriminals. And it takes advantage of the weakest link in online security: the password. These types of attacks rely on the (proven) fact that many users do not create unique usernames and passwords for each new online account. As a result, the return on investment is quite high for these cybercriminals since stolen login data for one service often also gives criminals access to multiple other user accounts and even more data.
Using stolen or purchased login credentials (like those mentioned above), criminals rely on a rotating proxy to test hundreds of thousands of credentials across multiple services. Thanks to the ease and speed afforded by automation, they can do this in mere minutes. Not only is it just as easy as it sounds, many big players have been successful targets. Many of us even personally experienced the effects of data leaks that compromised our LinkedIn, Yahoo, and Dropbox accounts.
These businesses managed to rebound by investing heavily in image and rebranding campaigns. However, the financial, reputational, and legal repercussions of such extensive data leaks and subsequent data manipulation have the potential to cripple businesses with negative press and a loss of customer trust.
How real is the risk?
Many companies may opt to forego added security measures. They cite concerns that added security is not only expensive, it also detracts from the user experience. However, these companies fail to assess the cost of not investing in robust security measures. And they place a great amount of trust and responsibility on their customers’ understanding of online security. This is not only a mistake, it’s a potentially costly one.
Carnegie Mellon University's Security and Privacy Institute (CyLab) conducted a study analyzing user behavior in the event of a data breach. The findings were harrowing. According to the assessment of real-world web traffic, a mere 33 percent of users actually changed their passwords after being informed of a data breach. And that is only for the platform/account directly affected. The likelihood of these users changing their password for all accounts that may have had the same login credentials is most likely even lower.
And what exactly is the return on investment for credential stuffing attackers? According to one study, 64 percent of businesses experience additional cyber crime on Cyber Monday. And the City of London Police reported £16.4m in losses in the UK resulting from online shopping fraud during the holidays. So criminals have a significant amount to gain, which is what makes these types of attacks so attractive. But businesses have even more to lose.
How can you protect your business and your customers?
If the weakest link is the password, then there’s a very simple solution: go passwordless. It might seem counterintuitive to eliminate a unique user security measure. However, technological advances, especially in mobile devices, have led to far more sophisticated approaches to security:
- Biometrics: For a few years now, mobile devices have been able to collect, store, and read biometric features. That means that digital services can base their own security measures on customer information already stored on customer devices. Instead of having a push notification or a prompt for a password, apps and web portals can simply be unlocked with a fingerprint or face scan.
- Multi-factor authentication: The only thing better than one security measure is two or more. Two-factor (2FA) and multi-factor authentication (MFA) ensure that hackers who get past the first layer of security are ultimately thwarted before gaining unauthorized access to user accounts and data. After an initial login process (perhaps with a password!), customers are prompted to provide an additional form of identification: a biometric feature, a single-use TAN, a hardware token, etc.
- Behavior analytics: As mentioned, credential stuffing is facilitated by automation. Meaning: bots are often responsible for carrying out the attacks. The good news is that anomalies in user behavior are easily detectable. Information - like keystroke dynamics (how we type), mouse movements, location, and time - collected by user devices and digital services can all be analyzed to determine if a request is being carried out by a real user or a bot.
- Web application firewalls: These firewalls cater specifically to http traffic and act as a filter of sorts between a specific application and the Internet. By implementing a web app firewall, companies can block access to specific content they deem malicious or risky by creating blocklists and allow lists.
Make Passwordless Security a Top Priority
Customers want the best possible security, but they also want comfort and ease. Requiring customers to type in long and complicated passwords to access their accounts provokes them to take shortcuts. And this makes both their data and your business vulnerable to cyber attacks. Instead, rely on methods that users literally have at hand: their mobile devices and fingerprints (or other biometric features). Not only do these security measures substantially facilitate the login and validation process, they are also nearly foolproof. And added security combined with an improved user experience are what will set your business apart from the competition.
 ZDNET, After a breach, users rarely change their passwords, study finds, 1 June 2020
 ZeroFox, Cyber Monday Breeds Cyber Crime, 20 November 2017
 Finance Digest, FIGHTING FRAUD ON BLACK FRIDAY AND CYBER MONDAY