28 Nov: Credential Stuffing and Account Take Over at Christmas
This week’s guest blog has been written by a long-standing friend of Mollis Group who is currently a serving CISO for a very well known food and beverage company. There are some great tips in here that can be implemented quickly, at very little cost, by both personal and business users.
Credential Stuffing and Account Take Over
In honour of our North American friends, this is not a post about Thanksgiving and stuffing. Stuffing may be a favourite dish at Christmas and Thanksgiving, but being hit with the other kind is quite the opposite experience!
What is Credential Stuffing?
Credential stuffing is a cyberattack in which credentials obtained from a data breach on one service are used to attempt to log in to another unrelated service.
An attacker feeds lists of usernames and passwords into automation tools to gain access to accounts on popular sites, which are then sold on the dark web.
The number of public acknowledgements of credential stuffing and account takeover breaches has increased exponentially over the last year, and the threat continues to grow.
As recently as 28 November 2019, TfL (Transport for London) locked all user accounts and reset every customer’s password, stating: “TfL became aware in August 2019 that a small number of customers had their online accounts accessed maliciously”
“TfL believes that this occurred after their login credentials were compromised when using non-TFL websites – commonly known as ‘credential stuffing’.”
Another high-profile service launch was also a target of credential stuffing. Within hours of the launch of the Disney+ streaming service, thousands of accounts were available for sale on the dark web for between $3 and $5.
Sold accounts had their passwords and email addresses changed, locking out the legitimate users. The total number of people affected is still unknown; however, from a brand reputation standpoint the damage has already been done.
How big is the problem? IT’S BIG! Over 9 BILLION accounts have been reported breached/pwned on the popular HaveIBeenPwned website (https://haveibeenpwned.com/).
Over 416 websites are listed as the sources of these accounts. The real number is estimated to be larger, as some breaches circulate on the dark web for months before being disclosed publicly.
According to Infosecurity Magazine (https://www.infosecurity-magazine.com/news/credential-stuffing-costs-firms-4m/), costs could be as high as $4 million per organisation, taking into account downtime, lost customers, extra IT security spend and follow-on fraud activity.
How Can I Protect Against Credential Stuffing and Account Take Over?
The root cause of account takeover by credential stuffing is the human tendency to reuse passwords. The question is how we protect ourselves from becoming a victim, and how we protect our systems.
• Do not reuse passwords
• Use strong/complex passwords:
o Auto-generated
o Containing numbers, symbols, upper case and lower case letters
• Use a password manager, protected by a strong access password
• Use 2FA (two-factor authentication)
• Use MFA (multi-factor authentication)
• Register with and use HaveIBeenPwned
o Free service that notifies you if your username has been leaked
o Also shows what types of information (passwords, addresses, etc.) were part of that breach
• Implement reCAPTCHA services
• Enforce password complexity requirements
o Minimum number of characters: 10+
o Must contain upper case, lower case, symbols and numbers
o No reuse of any of the last 10+ passwords already on the system
• Leaked password check
o On account creation or password update, use a third-party service to ensure that the combination of username and password has not been leaked before.
• Password strength meter
o Gamify the account signup process by giving an individual a RED score for a weak password and GREEN for a strong password.
o Educate users on online security and privacy within your platform
• Fraud analysis tools (fingerprinting)
o Use a third-party add-on to review transactions on your application in real time and prevent fraud
o Machine learning tools that are able to profile people and patterns
o In terms of GDPR, ensure that the collection of data is disclosed and serves a legitimate purpose
• Set up risk-based authentication.
o Risk-based authentication (RBA) calculates a risk score based on a predefined set of rules. These relate to the login device, IP reputation, user identity details, geolocation, geo-velocity, personal characteristics, data sensitivity or a preset number of failed attempts. In high-risk scenarios, you should consider using this customisable approach to challenge or block the login.
• Web application firewalls
o Tune firewall rules and features to thwart known attack vectors
o Block TOR nodes at the edge of the network
• Business logic
o Update business logic rules, e.g. if your app/website serves customers in one geographical area, block the remaining countries and regions that have no legitimate reason to use your services.
o Limit and throttle account creation or transactions from a given IP within a given time period
o Track login success/failure ratios and benchmark them against normal levels
o Automatic password reset functionality
• Block headless browsers
o This blocks some malicious bots and tools
• Notification services for users
o Notify users when they log in from a new device or a new country
o Notify users when their email address or password is changed
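The password complexity, password history and "leaked password check" items above can all be enforced at the point where a user creates or changes a password. The following is an added example written for this post, not the guest author's code and not any vendor's API. It assumes a policy of 10+ characters with mixed case, digits and symbols, a history of the last 10 salted password hashes, and a leaked-password lookup that follows the k-anonymity range model used by the public Pwned Passwords service (only the first five hex characters of the SHA-1 leave your server; suffixes are compared locally). The range service is replaced here by a constructed in-memory stand-in so the code runs offline; the leaked password and counts in it are made up.

```python
"""
Added example (not from the original post): server-side checks for account
creation / password update. Covers three recommendations from the list:
  - complexity requirements (10+ chars, upper, lower, digit, symbol)
  - no reuse of the last 10 passwords (compared via salted PBKDF2 hashes)
  - leaked-password check using k-anonymity range queries (SHA-1 prefix)
"""
import hashlib
import hmac
import os
import re
from typing import Callable, Iterable, Optional, Tuple

MIN_LENGTH = 10
HISTORY_SIZE = 10


def check_complexity(password: str) -> Optional[str]:
    """Return a rejection reason if the password violates policy, else None."""
    if len(password) < MIN_LENGTH:
        return f"must be at least {MIN_LENGTH} characters"
    required = {
        "an upper case letter": r"[A-Z]",
        "a lower case letter": r"[a-z]",
        "a number": r"[0-9]",
        "a symbol": r"[^A-Za-z0-9]",
    }
    for label, pattern in required.items():
        if not re.search(pattern, password):
            return f"must contain {label}"
    return None


# --- password history: store salted hashes, never the passwords themselves ---
def hash_for_history(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def was_recently_used(password: str, history: Iterable[Tuple[bytes, bytes]]) -> bool:
    """history holds (salt, hash) pairs for the account, oldest first."""
    for salt, digest in list(history)[-HISTORY_SIZE:]:
        if hmac.compare_digest(hash_for_history(password, salt), digest):
            return True
    return False


# --- leaked-password check using k-anonymity (SHA-1 prefix range queries) ---
def sha1_prefix_suffix(password: str) -> Tuple[str, str]:
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    return digest[:5], digest[5:]          # 5-char prefix, 35-char suffix


def leaked_count(password: str, range_lookup: Callable[[str], str]) -> int:
    """range_lookup(prefix) returns 'SUFFIX:COUNT' lines for that prefix.
    Only the prefix is ever sent; the suffix match happens here."""
    prefix, suffix = sha1_prefix_suffix(password)
    for line in range_lookup(prefix).splitlines():
        if not line.strip():
            continue
        found_suffix, count = line.strip().split(":")
        if found_suffix == suffix:
            return int(count)
    return 0


# Constructed offline stand-in for the range service (hypothetical data):
# it "knows" a single leaked password plus one unrelated filler suffix.
_KNOWN_LEAK = "Password123!"
_LEAK_PREFIX, _LEAK_SUFFIX = sha1_prefix_suffix(_KNOWN_LEAK)


def fake_range_lookup(prefix: str) -> str:
    if prefix == _LEAK_PREFIX:
        return f"0018A45C4D1DEF81644B54AB7F969B88D65:3\r\n{_LEAK_SUFFIX}:12345\r\n"
    return ""


def validate_new_password(password: str, history, range_lookup=fake_range_lookup) -> Optional[str]:
    """Combined check; returns a rejection reason, or None when acceptable."""
    reason = check_complexity(password)
    if reason:
        return reason
    if was_recently_used(password, history):
        return f"matches one of your last {HISTORY_SIZE} passwords"
    n = leaked_count(password, range_lookup)
    if n:
        return f"has appeared in {n} known breaches; choose another"
    return None


if __name__ == "__main__":
    salt = os.urandom(16)
    history = [(salt, hash_for_history("OldWinter2018!", salt))]
    for pw in ["short1A!", "OldWinter2018!", "Password123!", "Mollis-Guest-Post-2019"]:
        print(pw, "->", validate_new_password(pw, history) or "accepted")
```

In production the `fake_range_lookup` stand-in would be swapped for an HTTP call to the range endpoint of whichever leaked-password service you use, and the history hashes would come from your user store; the check order (policy, history, leak) is deliberate so the cheap local checks run before any network call.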
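The risk-based authentication, per-IP throttling and login success/failure benchmarking items above fit together in one login pipeline. The following is an added example written for this post, not the guest author's code and not any product's scoring engine. The signals it scores (new device, new country, IP reputation, geo-velocity, recent failed attempts) are the ones the RBA bullet lists; the weights, thresholds, 15-minute window and 20-failures-per-IP limit are assumptions to be tuned against your own baseline, the IP reputation label is assumed to come from an external feed, and the login events are constructed to show a normal user followed by a stuffing burst.

```python
"""
Added example (not from the original post): a minimal risk-based authentication
scorer with per-IP failure throttling and a login failure-ratio benchmark.
All events, weights and thresholds below are constructed assumptions.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Set


@dataclass
class LoginEvent:
    ts: datetime
    user: str
    ip: str
    country: str
    device_id: str
    ip_reputation: str   # "good" | "unknown" | "bad"; assumed to come from a reputation feed
    password_ok: bool    # outcome of the credential check (simulated here)


# Assumed weights/thresholds for illustration; tune against your own traffic.
WEIGHTS = {"new_device": 30, "new_country": 30, "bad_ip": 40, "unknown_ip": 10,
           "impossible_travel": 50, "per_recent_failure": 5}
STEP_UP_AT, BLOCK_AT = 40, 80   # >= STEP_UP_AT requires MFA, >= BLOCK_AT refuses login


class RiskEngine:
    def __init__(self, window=timedelta(minutes=15), ip_failure_limit=20):
        self.window, self.ip_failure_limit = window, ip_failure_limit
        self.devices: Dict[str, Set[str]] = defaultdict(set)
        self.countries: Dict[str, Set[str]] = defaultdict(set)
        self.last_success: Dict[str, LoginEvent] = {}
        self.user_failures: Dict[str, Deque[datetime]] = defaultdict(deque)
        self.ip_failures: Dict[str, Deque[datetime]] = defaultdict(deque)
        self.totals = {"success": 0, "failure": 0}

    def _prune(self, q: Deque[datetime], now: datetime) -> None:
        while q and now - q[0] > self.window:   # drop entries outside the window
            q.popleft()

    def ip_throttled(self, ip: str, now: datetime) -> bool:
        self._prune(self.ip_failures[ip], now)
        return len(self.ip_failures[ip]) >= self.ip_failure_limit

    def score(self, ev: LoginEvent) -> int:
        s = 0
        if self.devices[ev.user] and ev.device_id not in self.devices[ev.user]:
            s += WEIGHTS["new_device"]
        if self.countries[ev.user] and ev.country not in self.countries[ev.user]:
            s += WEIGHTS["new_country"]
        s += {"bad": WEIGHTS["bad_ip"], "unknown": WEIGHTS["unknown_ip"]}.get(ev.ip_reputation, 0)
        last = self.last_success.get(ev.user)
        if last and last.country != ev.country and ev.ts - last.ts < timedelta(hours=1):
            s += WEIGHTS["impossible_travel"]   # geo-velocity: two countries within an hour
        self._prune(self.user_failures[ev.user], ev.ts)
        s += WEIGHTS["per_recent_failure"] * len(self.user_failures[ev.user])
        return s

    def decide(self, ev: LoginEvent) -> str:
        """Return 'block', 'step_up' (require MFA) or 'allow', then record the outcome.
        For simplicity a step_up with a correct password is treated as MFA passed."""
        if self.ip_throttled(ev.ip, ev.ts):
            decision = "block"
        else:
            s = self.score(ev)
            decision = "block" if s >= BLOCK_AT else "step_up" if s >= STEP_UP_AT else "allow"
        if decision != "block" and ev.password_ok:
            self.totals["success"] += 1
            self.devices[ev.user].add(ev.device_id)
            self.countries[ev.user].add(ev.country)
            self.last_success[ev.user] = ev
        else:
            self.totals["failure"] += 1
            self.user_failures[ev.user].append(ev.ts)
            self.ip_failures[ev.ip].append(ev.ts)
        return decision

    def failure_ratio(self) -> float:
        """Benchmark figure: share of attempts that failed or were blocked."""
        total = sum(self.totals.values())
        return self.totals["failure"] / total if total else 0.0


T0 = datetime(2019, 11, 28, 9, 0, 0)   # constructed timestamps


def build_sample_events() -> List[LoginEvent]:
    """Constructed sample: a legitimate user, then a stuffing burst from one IP."""
    events = [
        LoginEvent(T0, "alice", "203.0.113.5", "GB", "alice-laptop", "good", True),
        LoginEvent(T0 + timedelta(minutes=5), "alice", "203.0.113.5", "GB", "alice-phone", "unknown", True),
    ]
    for i in range(21):   # 21 different accounts tried from one bad IP within a minute
        events.append(LoginEvent(T0 + timedelta(minutes=10, seconds=i), f"user{i}",
                                 "198.51.100.9", "US", "headless-1", "bad", False))
    # The same IP then tries alice with a reused password that happens to be correct.
    events.append(LoginEvent(T0 + timedelta(minutes=12), "alice", "198.51.100.9", "US", "headless-1", "bad", True))
    # A second IP tries alice from a new country on a new device minutes after her GB login.
    events.append(LoginEvent(T0 + timedelta(minutes=13), "alice", "198.51.100.77", "US", "headless-2", "unknown", True))
    return events


def run_demo(events: List[LoginEvent] = None):
    engine = RiskEngine()
    decisions = [engine.decide(ev) for ev in (events or build_sample_events())]
    return decisions, round(engine.failure_ratio(), 2)


if __name__ == "__main__":
    decisions, ratio = run_demo()
    print(decisions, "failure ratio:", ratio)
```

In the sample run the legitimate user is allowed and then stepped up to MFA when a new device appears; the burst from the bad IP is stepped up on reputation alone until the per-IP limit trips, after which the correct-but-stolen password for alice is blocked by throttling, and the attempt from the second IP is blocked by score (new device, new country, impossible travel and a recent failure). The failure ratio jumping to over 90% is the kind of benchmark deviation the "track login success/failure ratios" bullet refers to.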
None of the recommendations above is a guaranteed way to stop credential stuffing and account takeover; however, putting some or all of them in place will help minimise the impact and monetisation of ATOs on your app or site.
Ultimately, changing user behaviour will take time, education from the industry and wider awareness before the problem goes away.