Credential stuffing is the automated injection of stolen username (typically email address) and password pairs in order to gain unauthorized access to user accounts. Using automation tools, large numbers of compromised credentials are automatically entered into an application (typically a Web application) until success is achieved. Once account takeover is achieved, account data can be stolen, fraudulent transactions initiated, or the account can be used for other nefarious activities.
An important enabler for credential stuffing is the tendency of users to reuse passwords across more than one application. As a result, compromised credentials from one application can be used to access other applications.
Credential stuffing attacks can involve the use of botnets that use automated scripts to try to access an account until a legitimate set of credentials permit the hijacking of at least one account.
Credential reuse is a problem for many organizations. Users inundated with requirements to supply complex passwords to different systems often resort to reusing the same password across multiple accounts so that they can easily manage their credentials. This can cause major security issues when those credentials are compromised.
In a credential reuse attack, the attacker is able to obtain valid credentials for one system and then tries to use the same credentials to compromise other accounts/systems.
There are multiple ways to try to detect a credential stuffing attack.
• Monitor for an abnormal number of login attempts to an account from a single endpoint.
• Monitor for access attempts to multiple accounts from a single endpoint.
• Detect known malicious endpoints attempting to use the credentials, identified by their IP address or by fingerprinting techniques.
• Detect the use of automation software in the login process.
• Remove credential-based login and replace it with passwordless authentication.
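The first two detection points above, applied to login logs, as an added example (not code from the original page). It parses constructed sample records, counts attempts per (source, account) pair and distinct accounts per source, and flags endpoints that exceed hypothetical thresholds; field layout, IP addresses and thresholds are assumptions.

```python
from collections import defaultdict

# Constructed sample login-attempt records (not from a real system):
# each line is "timestamp,source_ip,account,result".
SAMPLE_LOG = """\
2024-05-01T10:00:01Z,198.51.100.7,alice@example.com,FAIL
2024-05-01T10:00:02Z,198.51.100.7,bob@example.com,FAIL
2024-05-01T10:00:03Z,198.51.100.7,carol@example.com,FAIL
2024-05-01T10:00:04Z,198.51.100.7,dave@example.com,FAIL
2024-05-01T10:00:05Z,198.51.100.7,erin@example.com,SUCCESS
2024-05-01T10:00:06Z,198.51.100.7,frank@example.com,FAIL
2024-05-01T10:01:00Z,203.0.113.9,alice@example.com,FAIL
2024-05-01T10:01:10Z,203.0.113.9,alice@example.com,FAIL
2024-05-01T10:01:20Z,203.0.113.9,alice@example.com,FAIL
2024-05-01T10:01:30Z,203.0.113.9,alice@example.com,FAIL
2024-05-01T10:01:40Z,203.0.113.9,alice@example.com,FAIL
2024-05-01T10:02:00Z,192.0.2.44,grace@example.com,SUCCESS
"""

# Hypothetical thresholds; tune them to the application's normal traffic.
MAX_ATTEMPTS_PER_ACCOUNT = 4   # attempts on one account from one endpoint
MAX_DISTINCT_ACCOUNTS = 5      # distinct accounts tried from one endpoint


def parse_log(text):
    """Parse the CSV-style lines into (source_ip, account, result) tuples."""
    events = []
    for line in text.strip().splitlines():
        _ts, ip, account, result = line.split(",")
        events.append((ip, account, result))
    return events


def detect_stuffing(events):
    """Return {source_ip: [reasons]} for endpoints matching either indicator."""
    per_account = defaultdict(int)      # (ip, account) -> attempt count
    accounts_per_ip = defaultdict(set)  # ip -> distinct accounts tried
    for ip, account, _result in events:
        per_account[(ip, account)] += 1
        accounts_per_ip[ip].add(account)
    findings = defaultdict(list)
    for (ip, account), n in per_account.items():
        if n > MAX_ATTEMPTS_PER_ACCOUNT:
            findings[ip].append(f"{n} attempts on {account}")
    for ip, accounts in accounts_per_ip.items():
        if len(accounts) > MAX_DISTINCT_ACCOUNTS:
            findings[ip].append(f"{len(accounts)} distinct accounts tried")
    return dict(findings)
```

Note that the spraying endpoint is caught only by the distinct-accounts rule, since it tries each account once; a per-account lockout alone would miss it.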
OWASP outlines 5 defense options to prevent credential stuffing attacks.
Defense Option 1: Multi-Factor Authentication, which means access to an account requires more than just a password.
Defense Option 2: Multi-Step Login Process, which forces the attacker to do more work to learn whether the credentials used are valid or not.
Defense Option 3: IP blacklists, which force the attacker to constantly change its IP address.
Defense Option 4: Device Fingerprinting, which allows tracking the identity of the connecting device even when its IP address changes.
Defense Option 5: Disallow Email Addresses as User IDs, which means the attacker now needs not only a valid password but also a valid username for the specific application.
Stolen credentials are routinely sold on the open internet and dark web. They are obtained by sellers using various forms of attack – from phishing and malware to large-scale data breaches.
Credential stuffing attacks are routinely and continuously carried out, primarily against financial institutions.