Stolen credentials and the resultant credential stuffing are real and growing cyberthreats underlying a majority of vulnerabilities, says this expert.

While data breaches garner significant attention in the region, less has been said about how technology has evolved to thwart these attacks. Many security teams are unaware of tactics at their disposal to stop fraudsters in their tracks. 

In the early days, brute-force attacks guessed passwords in a series fashion to try to identify the correct one. It takes forever, is expensive and not very effective, and is easy to mitigate because you can see massive spikes in activity and just block them. Then password lists became popular: instead of just guessing at it, hackers would have massive lists of common passwords and try to brute-force versions of them. 

In recent years, a key development has been the use of botnets and automated tools. Traditionally, brute-force attacks are easy to mitigate, but once you spread them across a huge number of bots— where each bot has its own IP and most are recycled from residential IP addresses (not blacklists)—one bot sending five requests every 10 minutes does not look that suspicious. 

Multiply that by 10,000, and you are getting somewhere; and the victim site does not really notice. It is not like your company’s internal records are one day posted on the internet. It is a slow attrition of user accounts that you may not be aware of. How does this happen?

The hacker supply chain

In most cases of cyberattacks, identity is not just the safe—it is the keys and the crown jewels. According to the 2020 Verizon Data Breach Investigations Report, the use of stolen credentials is one of the most common methods used in observed data breaches. In APAC, 30% of hacking attacks used stolen credentials or exploited vulnerabilities against web applications.

We know people are reusing their passwords. So, hackers simply take credentials leaked in data breaches and try them against other sites. They do this in an automated fashion that is called a credential stuffing attack, so that they can try thousands of credentials over time. It is really a numbers game. If just 0.01% of a massive list of credentials are reused on a second website, you can still take over a significant number of accounts. 

The resulting fraud can range from everyday purchases of goods, gift cards or voucher codes at e-commerce firms, to fraudulent use of loyalty programs. While the theft of insignificant amounts of money from companies means they often go unnoticed, the cost to the business can add up. According to a study by the Ponemon Institute, credential stuffing attacks in the region cause costly application downtime, loss of customers and involvement of IT security that can result in an average cost of US$1.2 million, US$1.5 million and US$1.1 million per year, respectively.

Strengthening your defense layers

If you really want to defend against credential stuffing attacks, you have to think of security in layers. If you see a huge spike in failed logins, that is a tell-tale sign of a credential stuffing attack. If you are getting traffic from IP addresses that we know are associated with known threat actors, you will want to block them or institute some kind of CAPTCHA to help mitigate bot activity. You need these first layers of defense.

Then comes the next layer: good security hygiene—like testing for known, breached reusing passwords among your user base—is important. Then multi-factor authentication (MFA) is a third layer of defense. If you have all three, you are in pretty good shape, and you can minimize friction for users by prompting MFA only when an action is deemed suspicious.

As security professionals, we need to take mitigation techniques like MFA and make them more customer-friendly. In an ideal world, a customer would only need to encounter multiple actions when it is necessary. Instead of triggering MFA every time a user logs in, trigger it only when it makes sense. If you are an Australian company and most of your user base is in ANZ, but you see huge spikes in traffic from Vietnam or Thailand, for example, ask for additional verification.

Businesses across the public and private sectors are just starting to wake up to the real threat posed by credential stuffing and the costly consequences of an attack. Protecting identities from these attacks and creating as secure an environment as possible should be front and centre of any cybersecurity strategy.