Catapult Tech Solutions Blog
Are You Sure Users’ Credentials Are Protected?
You have probably noticed it happening more and more lately: Online accounts get taken over in droves, but the companies insist that their systems haven’t been compromised. It’s maddening, but in many cases, technically they’re right. The real culprit is a hacker technique known as “credential stuffing.”
The problem has been on the rise. Recently hackers have posted more gigantic, aggregated credential collections that comprise multiple data breaches. One of the wildest recent examples is known as Collectio0n #1-5, a “breach of breaches” that totaled 2.2 billion unique username and password combinations, all available to download in plaintext—for free. Another outlandish trove has provided exactly the type of fresh, high-quality credentials hackers cherish. Posted on the Dream Market dark web marketplace, the collection includes a total of roughly 841 million records,released in three batches, from 32 web services. The first part of the dump costs about $20,000, the second about $14,500, and the third roughly $9,350.
What Is Credential Stuffing?
Credential stuffing is the automated use of collected usernames and passwords to gain fraudulent access to user accounts. “With all of the massive credential dumps that have happened over the past few years, credential stuffing has become a serious threat to online services,” says Crane Hassold, a threat intelligence manager at the digital fraud defense firm Agari.
How Does Credential Stuffing Work?
A cybercriminal creates a breach of security for a large corporation. For example, a large department store. The cybercriminal now has access to the usernames and passwords of all the store’s online users. The cybercriminal then uses these usernames and passwords on multiple other sites, hoping that someone from the department store is using the same username and password somewhere else.
A cybercriminal uses credential stuffing tools to make this possible. The hacker does not manually enter all the usernames and passwords into all the sites. In addition, most web services have rate-limiting protections in place so that no one can attempt massive numbers of logins all coming from the same IP address.
Cybercriminals grab credential stuffing tools from the dark web or malicious platforms. These tools make massive numbers of login attempts on numerous sites all at the same time. They also bounce all of the login requests through proxy lists that make them look as if they are coming from multiple IP addresses rather than one. In addition, these tools make the attempts appear to be coming from varied web browsers so that they are less suspicious. They are even able to offer integrations that are built to defeat Captcha options on account logins.
Credential Stuffing is still a tedious process and requires patience. It is found that cybercriminals are able to successfully match a username and password from one account to another less than 2% of the time. This is why they need thousands or millions of pairs to try. Even though 2% is a small amount, no one wants to take the chance to be part of that group!
How Can We Safeguard Against Credential Stuffing?
The number one way to protect users against credential stuffing falls on the user. Unfortunately, we have all been guilty of using the same username and password across multiple platforms and sites. We also do not regularly change passwords. This is what makes credential stuffing effective. The cybercriminal gains access to the username and password of one account and applies it to multiple sites. As an organization it is essential that you set up a policy for your employee and customer users that requires good password hygiene. Catapult Tech Solutions pros has the experience you need to develop policies that will encourage data safety.
Another tool to protect users from credential stuffing is using two-factor authentication whenever it is available. The easiest way to implement two-factor authentication is with SMS. You receive a text with an access code every time you try to log into a secured account. While certainly better than nothing, getting your two-factor authentication from SMS has plenty of potential downsides. Specifically, it leaves you exposed if someone hijacks your smartphone. By stealing your phone number, hackers can redirect any two-factor notifications to their own devices, allowing them much easier entry to your accounts. The good news – Most accounts you use today already offer stronger two-factor authentication. At Catapult Tech Solutions we can help you set up two-factor authentication for your users’ accounts; both for your employee accounts and your customer accounts.
A properly designed password manager is another excellent tool to prevent credential stuffing. It can create a unique strong password for every account a user is connected to, without requiring you to memorize or write down these random strings of characters. These strong passwords help shield against success in credential stuffing. Some top password managers store your credentials locally, while others rely on cloud services for storage and synchronization. Others take a hybrid approach. The majority of them store your password data in the cloud, but the data is encrypted using advanced encryption methods and the master password you define. This means that the password management solution couldn’t easily decrypt your data even if they had the desire. Catapult Tech Solutions makes it easy to set up a password manager for your users.
The bottom line is that you want to prevent your users from being credential stuffed and Catapult Tech Solutions can help you do it! When security is a concern, call us at 317-522-1299.
Are you on Facebook? We are, too. Let’s be friends!