Written by: Samantha Cruz, Cyber Operations Researcher, Horangi Cyber Security
The first quarter of 2019 wasn’t good for companies as far as cybersecurity was concerned.
The latest casualty in this current crop of security attacks was none other than Dunkin Donuts (DD), that experienced not just one, but two security breaches (both targeting its customer loyalty program) over the span of three months.
Another victim was social platform Reddit, which saw users locked out of their own accounts until they reset their password, prompted by a “security concern” that compelled Reddit’s admins to enforce additional security measures.
And before that, in December 2018, the international hotel chain Marriott Hotel experienced a breach that exposed the personal information of as much as 500 million of its customers, including payment information. Yet another was Q&A platform Quora, whose brush with attackers exposed the information of 100 million users.
What do these four attacks have in common? All of them had massive amounts of stolen data, and customers were suddenly left vulnerable to their data being used by attackers to gain unauthorised access. How? Through a method called credential stuffing.
What is a credential stuffing attack?
Credential Stuffing is an emerging type of attack that uses automated scripts to try out username/password pairs to gain access to a system. This is however not to be confused with a brute force attack, since no guesswork is done in credential stuffing.
Why is this attack so effective? A survey by Keeper Security discovered that of the 1,000 users they surveyed, as many as 83% of respondents reuse the same password across multiple sites.
In other words, one password acts as a skeleton key for the rest of the locks.
How does a credential stuffing attack work?
The first thing an attacker needs to execute this kind of attack is to get a list of usernames and passwords from sources like a breached system or a password dump site. They then use an account checker to test stolen credentials against multiple websites.
Once they manage to get a successful login, the attacker can then gain access to the account and extract more personal information. They may also use the information for other purposes like sending spam and other kinds of transactions like pass it over to other attackers or sell them on the Dark Web.
Why does one do a credential stuffing attack?
In the words of Martin McKeay, Senior Security Advocate at Akamai and Lead Author of its annual State of the Internet / Security report. “The techniques change, but the motivation remains the same: greed.”
In fact, Akamai detected nearly 28 billion credential stuffing attempts between May and December 2018. Most of them targeted retail sites for one simple reason: that’s where the money is.
What’s there to lose after an attack?
According to a report by anti-fraud specialist Shape Security, the time that lapses between the day credentials are compromised and the day that the breach is reported is an average of 15 months. That is a lot of time for attackers to carry out credential stuffing attacks undetected.
Shape Security estimates an average of 232.2 million malicious login attempts is made per day with 0.05 per cent success rate, or in more concrete terms, there are 116,106 successful account takeover attacks every day with an average of $400 stolen from an account.
The kind of losses that happen, according to their report, also depend on the industry.
- Retail: The US retail industry faces the biggest losses from
tocredential stuffing attacks, losing as much as US$6 billion each year. In fact, 80-90 per cent of retail sites’ traffic arise from these types of attacks. Retail also happens to be an industry that is the most reluctant to enforce the security measures necessary to prevent such attacks, as those measures could cause users to abandon their shopping carts in favour of a smoothuser experience.
- Airline: Frequent flyer miles is a valuable asset that is typically not protected by sophisticated security measures. Since a customer logs on to their frequent flyer account less often than their other accounts, it takes much longer for them to discover theft from account takeovers than it does with other sites. One US airline executive reported that US$7 million is spent each year reinstating stolen miles alone, and the industry as a whole loses up to US$300 million in one year.
- Hotel: Due to the lucrativeness of hotel loyalty points, and the infrequency of user logins, as much as 82 per cent of hotel website logon’s may be attributed to credential stuffing attacks. In the hotel industry brand loyalty is a crucial portion of the business, so fraud involving loyalty points can make a direct hit to the hotel’s revenue. Customers who participate in loyalty programs are among the hotel’s highest-spending visitors, and one account compromise can lead to a permanent loss of customers, and result in more substantial revenue loss over the long term.
- Consumer Banking: Unsurprisingly, it is the banking sector that is one of the most lucrative industries for cybercriminals. The median US savings or checking account holds between US$3,000-US$5,000, which is substantially higher than a typical rewards account. The banking industry, as a whole, can accumulate as much as US$1 billion in financial losses for a single year due to credential stuffing attacks.
How to mitigate credential stuffing attacks
To mitigate credential stuffing attacks, OWASP has proposed the following measures.
- Enforcing multi-factor authentication
- Not using email addresses as the username whenever possible
- Using device/browser fingerprinting to enforce additional checks when new devices are seen attempting to login
Organisations can also monitor for indicators of a credential stuffing attack like:
- Multiple attempted logons from the same IP address
- Higher volumes than normal of traffic from unusual sources
- Unusual flow through the site/APIs indicating use of automation
Apart from the measures given above, organisations can also regularly check if a user’s password has been part of a known security breach and disallow that password to be used if they are.
If you are concerned, you can use this site to check if your email address was part of a known compromise. To prevent password reuse, users can also use password managers that can generate strong passwords on the fly and store them in an encrypted vault. Users should also enforce multi-factor authentication on all their accounts whenever possible.
Say NO to skeleton keys
Like many things in life, prevention is always better than a cure. Unless one aims for their assets to be a free-for-all for questionable elements to use, don’t give them a free skeleton key.
Samantha Cruz is a Cyber Operations Researcher at Horangi. She specialises in cyber research and security tool development. Before joining Horangi, she has worked for Trend Micro as a security analyst and engineer.