Credential stuffing attacks pose a significant risk to consumers and businesses. Learn how they work and what you can do about them.
There is no shortage of threats on the internet, which puts end users at risk and keeps cyber security and IT professionals busy. Credential stuffing is one such threat, and it can pose a major danger to consumers and business employees alike.
I spoke with Sumit Agarwal, co-founder and COO of Shape Security, a cyber security company, about the concept. Agarwal served as Deputy Assistant Secretary of Defense under President Obama.
Scott Matteson: You came up with the term “credential stuffing” in 2011 when you were at the Pentagon. What is credential stuffing?
Sumit Agarwal: That’s right. While serving as Deputy Assistant Secretary of Defense, I saw very complicated cyber attacks that affected publicly visible military websites. I realized that it was only a matter of time before the attacks affected the average person’s online accounts. I called these malicious attacks “credential stuffing.”
Credential stuffing is the weaponization of stolen credentials (usernames and passwords) against websites and mobile applications. Lists of credentials that have been stolen from one website are tested against the login pages of other websites to gain unauthorized access to accounts and commit fraud.
The most remarkable aspect of credential stuffing is that a particular company does not have to be breached itself to suffer from credential stuffing. The only vulnerability required is having a login form and users.
More than 15 billion stolen credential pairs are in the hands of cyber criminals. Criminals can steal credentials themselves or, more likely, purchase them on the Dark Web.
Scott Matteson: How does it work?
Sumit Agarwal: Most consumers reuse usernames and passwords across different web and mobile applications. Credential stuffing capitalizes on this.
First, let’s discuss the cause of the problem: consumers are drowning in security complexity. After many, many years of advice on password complexity (uppercase, lowercase, numbers, special characters, etc.), consumers have responded by selecting only a few passwords that meet all those complexity requirements and then reusing those passwords on many websites.
Although this practice is terrible from a security perspective, it is understandable. When large companies ask too much of consumers, they respond by finding ways to simplify their lives. So this is the background for credential stuffing: a lot of password complexity, many consumers who cope by creating a few conforming passwords and then reusing them, on average, across more than 30 accounts.
Next, it is important to understand that credential stuffing and other automation attacks on web and mobile applications are an economic endeavor for cyber criminals. They operate as companies, aim for specific profit margins, and there is an entire underworld industrial complex that has developed to support their criminal attacks.
Credential stuffing is a volumetric attack: the attackers know they will achieve a success rate of more than 1 in 100 (which may sound low to the average person, but multiplied by 10M attempted credentials, this results in 10,000 successful account takeovers, each easily worth $100 to $1,000).
To serve the economic objectives of the criminal attackers, the criminal industrial complex has developed three elements that support their attacks:
- Affordable credentials, usually stolen through large-scale data breaches and then sold to criminals on the Dark Web. In January 2019, billions of stolen credentials were posted on the Dark Web for free download in a cache called Collections 1 to 5.
- Purpose-built attacker tools or repurposed QA tools that automate the process of testing credentials against web and mobile applications. Examples of credential stuffing toolkits are Sentry MBA, Wget, cURL, PhantomJS, Selenium and Sikuli. Most attack toolkits are free or very cheap, and pre-built configuration files that tailor attacks to specific popular sites and apps are offered for as little as $50 per site.
- Botnets and other simulated network infrastructure, so that attack traffic appears to originate organically from real users in a “normal” geographic area (for example, the western United States), rather than all from one IP address in Ukraine or the Philippines.
The automation provided by these components is the key to the criminal economic model for credential stuffing.
Shape breaks the economics for cyber criminals, which means that credential stuffing and other automation attacks become cost-prohibitive for criminals to keep running against protected websites and mobile applications.
Scott Matteson: What are the goals and motivations behind it?
Sumit Agarwal: Economic gain through theft and fraud. A study estimates that the proceeds from cyber crime would hit $1.5 trillion in 2018. This is a vast shadow economy, larger than many legitimate nation states.
Scott Matteson: Where is this threat most common?
Sumit Agarwal: As an economic enterprise, cyber criminals attack where the money is. The threats are most common in large B2C verticals, including financial services, retail and e-commerce, travel and hospitality, telecommunications, media, government, social media and entertainment.
Scott Matteson: Who is behind the threat?
Sumit Agarwal: Cyber criminals are behind the threat. These criminals usually operate outside the United States, predominantly in developing countries.
Scott Matteson: How should companies protect themselves against this?
Sumit Agarwal: Here are four things that companies can do immediately to protect themselves:
- Realize that you are likely at risk, or already under attack, if your web or mobile applications offer an opportunity to buy or exchange value.
- Check your business metrics for signs that you may be experiencing credential stuffing or other automation attacks, including poor or falling login success rates, high password reset rates, or low traffic-to-success conversion rates.
- Analyze the hourly pattern of traffic to your login and other attacked URLs for traffic spikes or volumes outside normal human waking hours for your markets: real users sleep, automated attacks don’t.
- Get your infosecurity, fraud and digital teams in a room together to discuss the possibility of automation attacks, current fraud trends and digital metrics.
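One way to run the second and third checks above over your own login logs, as an added example (Python; this is not code from the article or from Shape Security): it parses a simple, assumed log format, computes per-hour attempt volume and login success rate, flags hours that are far above the median volume or far below a healthy success rate, and lists source IPs that tried many distinct usernames, which is what a replayed credential list looks like from the server side. The log format, the thresholds, the IP addresses and the sample lines are all assumptions constructed for this example.

```python
"""Detect credential-stuffing signals in web login logs.

Added example, not part of the original article or Shape Security's product.
The log format, thresholds and sample lines below are assumptions constructed
for illustration; adapt the parser to your own application's login log.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime
from statistics import median

# Assumed log format (constructed for this example): one login attempt per line,
# e.g. "2019-03-04T03:05:00 ip=198.51.100.7 user=victim5 result=fail"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)


def parse(lines):
    """Turn log lines into event dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "ip": m["ip"],
            "user": m["user"],
            "ok": m["result"] == "ok",
        })
    return events


def hourly_stats(events):
    """Per-hour attempt count and success rate, keyed by 'YYYY-MM-DDTHH'."""
    attempts, successes = Counter(), Counter()
    for e in events:
        key = e["ts"].strftime("%Y-%m-%dT%H")
        attempts[key] += 1
        if e["ok"]:
            successes[key] += 1
    return {k: {"attempts": attempts[k],
                "success_rate": successes[k] / attempts[k]} for k in attempts}


def flag_hours(stats, volume_factor=5.0, min_success_rate=0.5):
    """Flag hours at >= volume_factor x the median hourly volume ("real users
    sleep, bots don't") or below min_success_rate. Thresholds are assumptions;
    tune them against your own baseline."""
    baseline = median(s["attempts"] for s in stats.values())
    flagged = {}
    for hour, s in sorted(stats.items()):
        reasons = []
        if s["attempts"] >= volume_factor * baseline:
            reasons.append("volume")
        if s["success_rate"] < min_success_rate:
            reasons.append("low_success_rate")
        if reasons:
            flagged[hour] = reasons
    return flagged


def users_per_ip(events, min_users=10):
    """Source IPs that tried at least min_users distinct usernames: a stolen
    list being replayed through one source, which a real user does not do."""
    seen = defaultdict(set)
    for e in events:
        seen[e["ip"]].add(e["user"])
    return {ip: len(u) for ip, u in seen.items() if len(u) >= min_users}


def build_sample_log():
    """Constructed sample traffic (not real data): a quiet day of legitimate
    logins plus a 03:00 burst of list replay from two IPs."""
    lines = []
    # Real users: four attempts per hour from 08:00 to 21:00, one of them a typo.
    for hour in range(8, 22):
        for i in range(4):
            result = "fail" if i == 3 else "ok"
            lines.append(f"2019-03-04T{hour:02d}:{i * 10:02d}:00 "
                         f"ip=203.0.113.{i + 1} user=alice{i} result={result}")
    # Attack: 60 attempts at 03:xx, 60 distinct usernames over two IPs, 2 hits.
    for i in range(60):
        ip = "198.51.100.7" if i % 2 == 0 else "198.51.100.8"
        result = "ok" if i in (13, 41) else "fail"
        lines.append(f"2019-03-04T03:{i:02d}:00 ip={ip} user=victim{i} result={result}")
    return lines


def detect(lines):
    """Run all checks over raw log lines and return the findings."""
    events = parse(lines)
    stats = hourly_stats(events)
    return {"flagged_hours": flag_hours(stats), "suspicious_ips": users_per_ip(events)}


if __name__ == "__main__":
    print(detect(build_sample_log()))
```

On the constructed sample the 03:00 hour is flagged for both volume (60 attempts against a median of 4) and a 3% success rate, and the two attacking IPs surface with 30 distinct usernames each, while the legitimate hours at a 75% success rate stay quiet. In production the same three signals are worth wiring into whatever metrics pipeline already watches login success and password-reset rates, so the fraud and infosecurity teams are looking at one shared picture.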