Credential stuffing is an attack method in which malicious operators use lists of stolen user credentials to breach enterprise systems.
These high-volume attacks rely on scale and automation, playing a numbers game based on the assumption that users typically reuse the same usernames and passwords across multiple online systems and services.
Statistics indicate that approximately 0.1% of compromised credentials tried against another system or service will result in a successful login.
A rise in credential stuffing attacks
Two key reasons are currently given for the rise in credential stuffing as a popular attack vector for cybercriminal penetration.
The first contributing factor is the ease with which malicious operators can gain access to large numbers of breached credentials to use in such attacks. Hackers buy and sell huge databases filled with passwords and usernames on forums found on the dark web. In some cases, these data stores are not even auctioned off but made freely available to the hacker community. Collections released in plaintext on forums have been known to hold billions of password and username combinations.
The second element causing a spike in credential stuffing attacks is that ever more sophisticated bots are being developed. These attack bots can attempt multiple logins that appear to target systems as though they originate from several different IP addresses. With this capability, the bots are able to bypass the simplest security controls, which ban an IP address once it has accumulated too many failed logins.
How to prevent credential stuffing attacks
The following are just some options you can try to reduce the threat of credential stuffing:
Use multi-factor authentication
This is among the best defences against these attacks, as bots are unable to present a requested physical factor such as a smartphone to which access codes are sent. Multi-factor authentication doesn’t have to use a numerical code – it can also be backed by the physical presence of a fingerprint scan, which is something else a bot can’t produce.
Ban the use of email addresses in user credentials
To be successful, credential stuffing relies on the reuse of identical usernames and account IDs across multiple services. The likelihood of these attacks succeeding increases greatly when email addresses are used as usernames, so banning their use for this purpose can dramatically mitigate the risk of attack.
Blacklist known attacker IP addresses
Hackers will usually have a limited number of IP addresses to use in attacks, so adding these IPs to a blacklist as and when they are identified can be a quick solution.
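As an added illustration (not Galaxkey's own code), the following Python compares the simple per-IP lockout the article says bots evade with an aggregate check that looks at all failed logins in a time window, flagging the "many accounts, one or two attempts each" pattern of credential stuffing and producing a candidate list of source IPs for the blacklist. The authentication log is constructed for the example, using documentation address ranges.

```python
from collections import Counter

# Constructed sample authentication log (not real data):
# (seconds_since_start, source_ip, username, login_succeeded)
# One legitimate user mistypes a password once; a bot then spreads a
# credential list across six addresses, two attempts per address.
AUTH_LOG = [
    (1, "198.51.100.10", "alice", False), (3, "198.51.100.10", "alice", True),
    (5, "203.0.113.1", "bob", False),     (6, "203.0.113.2", "carol", False),
    (7, "203.0.113.3", "dave", False),    (8, "203.0.113.4", "erin", False),
    (9, "203.0.113.5", "frank", False),   (10, "203.0.113.6", "grace", False),
    (11, "203.0.113.1", "heidi", False),  (12, "203.0.113.2", "ivan", False),
    (13, "203.0.113.3", "judy", False),   (14, "203.0.113.4", "mallory", False),
    (15, "203.0.113.5", "oscar", False),  (16, "203.0.113.6", "peggy", False),
]

def per_ip_lockouts(events, max_failures=5):
    """The simple control the article describes: ban an IP once it has
    too many failed logins. A bot spreading attempts across many
    addresses stays under the threshold on every one of them."""
    fails = Counter(ip for _, ip, _, ok in events if not ok)
    return sorted(ip for ip, n in fails.items() if n >= max_failures)

def stuffing_window_alert(events, window=60, min_failures=10, min_unique_ratio=0.8):
    """Aggregate detection: within a sliding window, count ALL failures
    regardless of source IP. Credential stuffing shows as many failures
    spread over many distinct usernames (each list entry tried once or
    twice), unlike brute force, which hammers a single account."""
    events = sorted(events)
    for i, (t0, _, _, _) in enumerate(events):
        in_window = [e for e in events[i:] if e[0] - t0 <= window]
        fails = [e for e in in_window if not e[3]]
        if len(fails) < min_failures:
            continue
        users = {e[2] for e in fails}
        if len(users) / len(fails) < min_unique_ratio:
            continue  # few accounts, many failures: brute force, not stuffing
        # IPs that also logged in successfully in the window are likely
        # real users who mistyped; exclude them from the blacklist candidates.
        ok_ips = {e[1] for e in in_window if e[3]}
        suspect_ips = sorted({e[1] for e in fails} - ok_ips)
        return {"failures": len(fails), "distinct_users": len(users),
                "suspect_ips": suspect_ips}
    return None
```

Run against the sample log, the per-IP lockout bans nothing, while the window check raises an alert listing the six distributing addresses and not the legitimate user's IP.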
A secure system at your service
Our secure Galaxkey workspace has zero backdoors and never stores a single password, offering premium protection levels. All data shared, stored or sent on our system can also be effectively encrypted using a powerful solution that is simple to use. If your firm is looking for a safer environment for staff to operate from, contact our professional team today, arrange a free online demonstration and view its innovative features for yourself.