Credential stuffing is on the rise, and it’s becoming cheaper and more accessible to bad actors.
Credential stuffing is the mass-scale, automated testing of breached username and password combinations across multiple websites. When successful matches are discovered, attackers use these logins to take over the account for fraud, or resell the confirmed credentials to others who commit fraud.
This form of attack is now the single largest source of account takeover (ATO) fraud on most major websites and mobile applications. The constant stream of data breaches, combined with users reusing passwords across different accounts, creates the perfect storm for this type of ATO attack.
Hackers can achieve a success rate of up to 2-3% when reusing stolen credentials, according to our data scientists. This rate is particularly high considering they can purchase personal data by the million for just a few thousand dollars.
How much does this attack cost?
The low barriers to entry make this type of fraud accessible to a broader range of bad actors, including less experienced ones. According to Digital Shadows, a credential stuffing attack can cost anywhere from $10 to $2,330. Purchasing credentials is the priciest item, ranging from $4 to $2,280. “One of the most comprehensive (credential) packages cost $2,999, claiming to give you 3,825,302,948 credentials from 1,074 databases,” Digital Shadows said. The rest of the required software is either free or costs just a few bucks.
To make credential stuffing harder to detect, fraudsters keep the average request rate low by using large networks of proxy servers. This way, they can hold the request rate from any given IP to an average of less than one per hour. According to Akamai’s researchers, “attackers are using a vulnerability in many IoT devices to amass these networks of proxy servers;” yet another problem with the booming IoT ecosystem we discussed last week.
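As an added illustration (not from the original post), here is the kind of detection logic a defender can run over login logs: a per-IP rate check sees nothing unusual when attempts are spread over a proxy network at under one per IP per hour, while aggregating each hour's attempts across all IPs exposes the spray. The IPs, usernames, thresholds and the sample log are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample login log: (timestamp, source_ip, username, succeeded).
# Six proxy IPs each send at most one attempt per hour, spraying breached
# username/password pairs; two legitimate users also log in.
T0 = datetime(2018, 12, 20, 10, 0)
PROXIES = [f"198.51.100.{i}" for i in range(1, 7)]
EVENTS = [(T0 - timedelta(minutes=20), "192.0.2.10", "alice", False),
          (T0 - timedelta(minutes=19), "192.0.2.10", "alice", True),
          (T0 + timedelta(minutes=40), "192.0.2.11", "bob", True)]
for hour in range(2):
    for i, ip in enumerate(PROXIES):
        ts = T0 + timedelta(hours=hour, minutes=5 * i)
        user = f"victim{hour * len(PROXIES) + i}"
        # exactly one stuffed pair in the run hits a reused password
        EVENTS.append((ts, ip, user, hour == 0 and i == 3))


def max_attempts_per_ip_hour(events):
    """Peak attempts from any single IP within one clock hour: this is all a
    naive per-IP rate limiter sees, and the proxied spray never exceeds 1."""
    counts = defaultdict(int)
    for ts, ip, _, _ in events:
        counts[(ip, ts.replace(minute=0, second=0, microsecond=0))] += 1
    return max(counts.values())


def stuffing_hours(events, min_attempts=5, min_ips=3,
                   min_user_spread=0.8, min_fail_ratio=0.7):
    """Return the clock hours whose aggregate traffic looks like credential
    stuffing: enough attempts, from many IPs, against mostly distinct
    usernames, and mostly failing. Per-IP volume is ignored on purpose."""
    buckets = defaultdict(list)
    for ev in events:
        buckets[ev[0].replace(minute=0, second=0, microsecond=0)].append(ev)
    flagged = []
    for hour, evs in sorted(buckets.items()):
        attempts = len(evs)
        ips = {ip for _, ip, _, _ in evs}
        users = {u for _, _, u, _ in evs}
        fails = sum(1 for *_, ok in evs if not ok)
        if (attempts >= min_attempts and len(ips) >= min_ips
                and len(users) / attempts >= min_user_spread
                and fails / attempts >= min_fail_ratio):
            flagged.append(hour)
    return flagged
```

On the constructed log the per-IP peak is 2 (alice's own retry), so an IP threshold would never fire, whereas the hourly aggregate flags both hours of the spray.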
How does it work?
But how do they do it? What software do they use? There is a wide variety of programs with different levels of sophistication available online. Vertex, Account Hitman, and Sentry MBA are some of the most popular ones, with Sentry MBA at the top of the podium.
How to fight it?
In light of this software refinement, many companies point to multi-factor authentication (MFA) as a way to solve some of the credential stuffing problems, but it is far from being a panacea. For instance, in January 2017, a security vulnerability in the networking protocol used by cell phone providers was identified and exploited, enabling attackers to gain unauthorized access to customers’ bank accounts, bypassing MFA.
Companies need a different approach to the fight against credential stuffing and ATO. With new multi-layered technologies that include behavioral biometrics, companies can identify their clients not only by their credentials, one-time codes or tokens, but also by monitoring the intricacies of how they behave, their actions, their history, and more.
Behavioral analytics coupled with passive biometrics create a unique digital profile of each user that can’t be replicated during a credential stuffing attack. With this multi-layered approach that looks at human behavior, fraudsters’ stocking stuffers will hold nothing but a bunch of “declined authentication” messages, while you enjoy your holidays, eggnog in hand.