#InfosecurityOnline: Tactics for Defending Against Credential Stuffing
A combination of password management, bot detection and traffic visibility can aid in spotting and defeating credential stuffing attacks.
Speaking during the Infosecurity Online event, Jamie Hughes, solutions engineer at Auth0, said credential stuffing attacks are a huge industry problem at the moment and are commonly enabled by single-factor authentication, breached credential lists, password reuse, attack tools and darknet market availability.
He explained that on many websites and applications he is typically offered only a password as the means of authenticating. “There are some improvements, and some do offer MFA, and I always implement it where I can,” but he said that someone less security savvy may not, leaving the account vulnerable.
A breached credential list can contain a great many credentials, some of which may be out of date; Hughes flagged one website which held over seven billion records drawn from 370 databases. He also said that some lists charge a fee to download, and it is these paid lists whose credentials are more likely to still work. Credentials can be collected by several means, such as phishing attacks or insecure databases, while password reuse is all too common: the average user has 26 accounts but only five passwords.
Hughes added: “Targets of these attacks are typically subscription services, as the attacks gain access to the accounts but are typically sold at a lower cost on dark markets.”
As for the impact on a company, Hughes said a company’s reputation could be damaged, and the “negative association can last for years,” leading to media coverage as well as loss of trust from your users. There is also a financial impact: the cost of investigation, the suspension of services and the computational cost of absorbing the attack traffic.
In order to mitigate credential stuffing attacks, Hughes recommended looking at the analytics of your traffic and benchmarking it, so that you know what the normal patterns are and can spot a spike in failed login attempts. He also recommended looking at failed logins grouped by source IP address, to understand where an attack is coming from.
“The main way to defend is through layers,” he said, focusing on three features: multi-factor authentication, breached password detection and bot detection. “We assess all of this traffic, and feed into our engine and see attempts against a user and IP address,” he said. “You can determine in real time if something is suspicious.”
With bot detection, Hughes said, you are looking to block or challenge suspicious requests; he recommended adding a CAPTCHA, since the aim is to slow those requests down before they are processed.
With regards to breached password detection, Hughes said Auth0 keeps a database of common passwords and warns the user if they are using something known to be commonly used. For MFA, Hughes said this can be added as an additional step for the user to prevent the takeover, which in turn removes the resale value of the account on a darknet marketplace.
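The benchmarking and per-IP analysis Hughes describes, and the block-or-challenge decision that follows from it, can be sketched in a few lines. The following is an added example written for this article, not Auth0’s engine or anything shown in the talk: the log format, the thresholds and the sample log lines are all constructed for illustration. It compares each minute’s failed-login count against the median of the other minutes (so a burst cannot inflate its own baseline), then scores each source IP on how many failures it produced and against how many distinct accounts, since many failures spread across many usernames from one address is the credential-stuffing signature rather than one user mistyping.

```python
"""Spot a failed-login spike and decide a per-IP action (allow/challenge/block).

Added example, not code from the talk or from Auth0. The log format
"<ISO timestamp> <user> <source ip> <ok|fail>", the thresholds and the
sample data are assumptions made for illustration.
"""
from collections import Counter, defaultdict
from datetime import datetime, timezone
from statistics import median

# Constructed sample log. Minutes 10:00-10:04 are normal traffic (many users,
# many IPs, about one failure a minute); 10:05 is a stuffing burst from one IP
# that tries 25 different accounts, plus one ordinary failure.
SAMPLE_LOG = "\n".join(
    [f"2024-03-01T10:0{m}:{s:02d}Z user{m}_{s} 198.51.100.{s} ok"
     for m in range(5) for s in (0, 10, 20)]
    + [f"2024-03-01T10:0{m}:45Z user{m}_fail 198.51.100.{m} fail" for m in range(5)]
    + [f"2024-03-01T10:05:{s:02d}Z victim{s} 203.0.113.7 fail" for s in range(25)]
    + ["2024-03-01T10:05:30Z alice 198.51.100.50 fail"]
)


def parse_log(text):
    """Parse log lines into (timestamp, user, ip, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, result = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((when, user, ip, result))
    return events


def failures_per_minute(events):
    """Count failed logins per one-minute bucket."""
    counts = Counter()
    for when, _, _, result in events:
        if result == "fail":
            counts[when.replace(second=0, microsecond=0)] += 1
    return counts


def spike_minutes(counts, factor=5.0, floor=10):
    """Return (minute, failures, baseline) for minutes well above the benchmark.

    The baseline for each minute is the median of all *other* minutes, so a
    burst does not raise its own baseline. The floor stops a baseline of 0
    from flagging two stray failures.
    """
    flagged = []
    for minute, n in sorted(counts.items()):
        others = [c for m, c in counts.items() if m != minute] or [0]
        baseline = median(others)
        if n > max(floor, factor * baseline):
            flagged.append((minute, n, baseline))
    return flagged


def assess_ips(events, challenge_at=5, block_at=20, spray_users=10):
    """Per source IP, decide allow / challenge / block from failure patterns.

    Many failures against many distinct usernames from one IP looks like
    stuffing and is blocked; a moderate failure count gets a challenge
    (e.g. a CAPTCHA) so the requests are slowed before being processed.
    """
    fails = Counter()
    users = defaultdict(set)
    for _, user, ip, result in events:
        if result == "fail":
            fails[ip] += 1
            users[ip].add(user)
    verdicts = {}
    for ip, n in fails.items():
        if n >= block_at and len(users[ip]) >= spray_users:
            verdicts[ip] = "block"
        elif n >= challenge_at:
            verdicts[ip] = "challenge"
        else:
            verdicts[ip] = "allow"
    return verdicts


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for minute, n, base in spike_minutes(failures_per_minute(evs)):
        print(f"spike at {minute:%H:%M}: {n} failed logins (baseline {base})")
    for ip, verdict in sorted(assess_ips(evs).items()):
        print(f"{ip}: {verdict}")
```

The thresholds are deliberately simple; in practice you would tune `factor`, `floor` and the per-IP limits against your own benchmarked traffic, and key the same logic on the username as well, since a distributed attack spreads its failures across many IPs but still concentrates them on the targeted accounts.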
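Breached password detection of the kind Hughes describes is usually done without ever sending the password, or even its full hash, to the service holding the breach data. The following is an added example, not Auth0’s implementation: it uses the hash-prefix k-anonymity pattern, where the client sends only the first five hex characters of the SHA-1 of the password and matches the returned suffixes locally. The breach corpus is constructed, and the `range_lookup` function is a local stand-in that imitates the shape of such a range query rather than calling any real service, so the example runs offline.

```python
"""Breached-password check with hash-prefix k-anonymity.

Added example, not Auth0's code. The corpus is constructed and the range
lookup is served from a local dict; it only imitates the shape of a
prefix-range query (send 5 hex chars, receive matching suffixes with counts).
"""
import hashlib


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the UTF-8 password, the form used for the lookup."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed breach corpus: password -> times seen in breach data.
# A real service stores only hashes; plaintexts are shown so the reader can
# see what the index contains.
_CORPUS = {
    "password": 9_000_000,
    "123456": 23_000_000,
    "qwerty": 3_800_000,
    "letmein": 250_000,
}

# Index by 5-char prefix -> {35-char suffix: count}.
BREACH_INDEX: dict = {}
for _pw, _count in _CORPUS.items():
    _h = sha1_hex(_pw)
    BREACH_INDEX.setdefault(_h[:5], {})[_h[5:]] = _count


def range_lookup(prefix: str) -> dict:
    """Server side: return every suffix in the bucket for this 5-char prefix.

    The server learns only the prefix, which matches many unrelated hashes,
    so it cannot tell which password the client is checking.
    """
    if len(prefix) != 5 or any(c not in "0123456789ABCDEF" for c in prefix):
        raise ValueError("prefix must be 5 uppercase hex characters")
    return dict(BREACH_INDEX.get(prefix, {}))


def breach_count(password: str, lookup=range_lookup) -> int:
    """Client side: hash locally, send only the prefix, match the suffix here."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    return lookup(prefix).get(suffix, 0)


def check_new_password(password: str, min_length: int = 8) -> tuple:
    """Policy for sign-up or password change: reject breached or short passwords.

    Returns (accepted, reason). The breach check runs first because a password
    that is in breach data is unsafe regardless of its length.
    """
    n = breach_count(password)
    if n:
        return False, f"appears in breach data {n:,} times"
    if len(password) < min_length:
        return False, f"shorter than {min_length} characters"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ("password", "short", "correct horse battery staple"):
        print(candidate, "->", check_new_password(candidate))
```

The same `breach_count` call can run at login time to warn an existing user, as Hughes describes, rather than only at registration; the design point is that the party holding the breach data never receives enough to recover the password being checked.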