Charlie Maclean-Bristol discusses credential stuffing, a type of cyber attack which you should be looking out for!
“The irony of credential stuffing is that organisations that have not suffered a direct data breach often become indirect victims when their users’ accounts are compromised due to someone else’s data breach” Debbie Walkowski, F5 Labs.
I like to try and use my browser to save all my passwords, as I have recently been trying to change all my login passwords so that I have a unique one for each site. This is because every time I go to use the same password, my browser keeps reminding me that the password has been compromised. I was aware that you should not have the same password for every site, but I didn’t really understand the cyber implications until I read about ‘credential stuffing’.
What I didn’t realise until I had done some research is that there is a whole criminal industry around the use of compromised passwords. On the dark web, you can buy millions or even billions of usernames and passwords. These have come from previous hacks on a multitude of different companies and organisations, such as Yahoo, who in September 2016 announced that a hack had compromised 3 billion user accounts. These lists are then used by criminals to see if they can get into accounts where the compromised username and password combination has been reused. As shown in Figure 1 below, these attacks are automated, so the attacker will use bots to try the compromised passwords against a range of selected sites. Executing this attack requires very little IT knowledge, as the software and the bots needed are all available for a ‘modest’ fee.
Figure 1 – How attacks take place, Cloudflare
According to Cloudflare, the success rate for finding an account which can be compromised is 0.1%, so for every 1000 accounts tried you should be able to get into one account. If you are using data sets of millions, then you will have a number of successes. Dunkin Donuts admitted in 2018 that they had two credential stuffing attacks and that of their 10 million accounts, 1200 accounts were compromised. The age of the data used matters, as the older the data, the more likely that users have had to change their password because their account was compromised before. There are also sites such as ‘haveibeenpwned.com’ and several commercial services which keep lists of compromised usernames and passwords, so it is quite easy and free to check if your passwords have been compromised. Organisations may also use these lists to check your password when you set up an account and won’t allow you to use a compromised password combination.
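The signup check described above can be done without sending the user's password anywhere: the Pwned Passwords service behind haveibeenpwned.com exposes a range endpoint that takes only the first five hex characters of the password's SHA-1 hash and returns every known suffix for that prefix with a breach count, so the client matches the full hash locally. The following Python is an added example, not code from the article or from Have I Been Pwned. The live `fetch_range` function targets the real endpoint but is not used by the offline check; the `CONSTRUCTED_RANGES` table, its counts and the signup policy thresholds are constructed stand-ins so the example runs offline.

```python
"""Breached-password check using the k-anonymity range scheme: only a 5-character
hash prefix leaves the client, never the password or its full hash.
Added example; the offline range data and policy thresholds are assumptions."""
import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/"  # real endpoint; prefix is appended


def sha1_prefix_suffix(password: str):
    """Return (first 5 hex chars, remaining 35 hex chars) of the uppercase SHA-1."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(text: str) -> dict:
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}; zero-count padding lines are dropped."""
    counts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, sep, count = line.partition(":")
        if not sep:
            continue
        n = int(count)
        if n > 0:
            counts[suffix.upper()] = n
    return counts


def fetch_range(prefix: str) -> str:
    """Live lookup over the network (not exercised by the offline check below)."""
    req = urllib.request.Request(RANGE_URL + prefix, headers={"User-Agent": "signup-password-check"})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.read().decode("utf-8")


# Constructed stand-in for the range service (assumption, not real service data).
# The second suffix is the genuine SHA-1 of "password"
# (5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8) split after its prefix; the counts and
# the other suffix are made up.
CONSTRUCTED_RANGES = {
    "5BAA6": (
        "1D2DA4053E34E76F6576ED1DA63134B5E2A:2\n"
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\n"
    ),
}


def offline_range(prefix: str) -> str:
    """Offline replacement for fetch_range; unknown prefixes yield an empty range."""
    return CONSTRUCTED_RANGES.get(prefix, "")


def breach_count(password: str, lookup=offline_range) -> int:
    """How many breach records contain this exact password (0 if none)."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(lookup(prefix)).get(suffix, 0)


def accept_new_password(password: str, lookup=offline_range, min_length: int = 12):
    """Signup policy (assumed thresholds): refuse any password seen in a breach, then short ones."""
    n = breach_count(password, lookup)
    if n:
        return False, f"appears in {n} breach records"
    if len(password) < min_length:
        return False, "too short"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ("password", "correct horse battery staple"):
        print(candidate, "->", accept_new_password(candidate))
```

Swapping `lookup=fetch_range` into `accept_new_password` turns the same logic into a live check; the match against the returned suffix list is done on your side, so the service never learns which password was tested.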
Some cyber criminals will steal the data themselves, keep the list to themselves and quietly try the combinations to conduct fraud. By using the list stealthily and not making it known to others, they can avoid sites like ‘haveibeenpwned.com’ learning that the combination has been compromised. Only when they have exhausted their use of the list will they pass it on to others. We are more conscious of a cyber hack on our organisation in which data is extracted and followed by a ransom demand, but with a credential stuffing attack the attackers do not want you to know that your data has been compromised, so you may not know that information has been stolen from your organisation.
The information stolen can be used in a number of different ways:
- Accounts from which goods can be ordered can be compromised and access to them sold, allowing the attacker to order goods or services, such as fast food, on the credit card associated with the account for a brief time.
- Financial fraud can be perpetrated if hackers have access to your bank account, online investments or gambling sites.
- They can use access to an account in order to reach other parts of the organisation. If the compromised account has administration rights, then the hackers can use them to get further access into the organisation they are hacking. In October 2016, attackers gained access to Uber systems and were subsequently able to access 32 million non-US users and 3.7 million non-US drivers through credential stuffing.
- The data within the account can be harvested, such as name, address, contact details and credit card details.
- Information from compromised accounts can be used to try and perpetrate data ransom. “On the 20 August 2018, Superdrug in the UK was targeted with an attempted blackmail, evidence was provided claiming to show that hackers had penetrated the site and downloaded 20,000 users’ records. The evidence was most likely obtained from hacks and spillages and then used as the source for credential stuffing attacks to glean information to create the bogus evidence”.
The impact on your organisation can be severe if this happens to your customers. For example:
- You may have to increase security by making customers change their password, use mandatory two-factor authentication or use a CAPTCHA, which makes it more difficult and time-consuming to log onto your site and buy your goods. Customers may leave your site for another which offers the same services but with easier access to their account.
- If fraud has been perpetrated on your site and goods have been bought on a customer’s account, then the customer can get into a dispute with the company about a refund. Who is going to pay, the organisation or the credit card company? In addition, claiming the money back may be time-consuming and tortuous, which will further upset the customer. If lots of customers complain, this can be picked up by the media and become a reputational issue.
- Customers may close their accounts and/or move to a rival.
- Use of the details to steal further data from your organisation. “Zoom fell victim to a credential stuffing attack, which resulted in 500,000 of Zoom’s usernames and passwords being exposed on the Dark Web. Cyber-criminals used compromised credentials from past breaches and compiled successful logins into lists to be sold online”.
There is an excellent report by F5 Labs which contains lots of details and information on credential stuffing and has a good list of the many ways organisations can prevent this from happening. The report can be found here.
This is a serious cyber threat, especially to large B2C (business-to-consumer) organisations, but it could happen to anyone. If you are setting up a new organisation or app, you need to think through how you might prevent this type of fraud from happening. With bots, lists and software easily available to conduct this type of attack, it is fairly simple to carry out, and given the number of accounts involved it is likely that the attackers will find accounts to compromise. I think you need to monitor the instances of this within your organisation, especially if you have a large number of customer accounts. You should have a plan in place to respond if a large number of accounts are compromised or this becomes a reputational issue.
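Two points above call for the same piece of tooling: the impact list notes that blanket CAPTCHA or mandatory two-factor prompts drive customers away, and the closing paragraph says you should monitor for credential stuffing in your own login traffic. The Python below is an added example, not code from the article or from any vendor's product. It parses constructed login events in an assumed `timestamp ip username OK|FAIL` format, looks for the signature the article describes (one source trying many different usernames with a high failure rate and an occasional success), lists the accounts that were logged into from such a source so they can be reviewed, and makes the step-up decision only for sources that match, leaving ordinary customers unchallenged. The window length, thresholds and sample addresses are assumptions.

```python
"""Spot credential-stuffing sources in login logs and apply step-up authentication
selectively. Added example; log format, thresholds and sample data are assumptions."""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed sample events (not real logs), assumed format:
# "<ISO-8601 UTC timestamp> <source ip> <username> <OK|FAIL>".
# 203.0.113.7 sprays ten different usernames in a few seconds (one hit);
# 198.51.100.4 is one customer mistyping a password; 192.0.2.9 is a normal login.
SAMPLE_LOG = """\
2024-03-01T10:00:00Z 203.0.113.7 alice FAIL
2024-03-01T10:00:01Z 203.0.113.7 bob FAIL
2024-03-01T10:00:01Z 203.0.113.7 carol FAIL
2024-03-01T10:00:02Z 203.0.113.7 dave OK
2024-03-01T10:00:02Z 203.0.113.7 erin FAIL
2024-03-01T10:00:03Z 203.0.113.7 frank FAIL
2024-03-01T10:00:03Z 203.0.113.7 grace FAIL
2024-03-01T10:00:04Z 203.0.113.7 heidi FAIL
2024-03-01T10:00:05Z 203.0.113.7 ivan FAIL
2024-03-01T10:00:05Z 203.0.113.7 judy FAIL
2024-03-01T10:01:00Z 198.51.100.4 alice FAIL
2024-03-01T10:01:20Z 198.51.100.4 alice FAIL
2024-03-01T10:01:45Z 198.51.100.4 alice OK
2024-03-01T10:02:00Z 192.0.2.9 mallory OK
"""

# Assumed detection thresholds: a stuffing source cycles through many accounts and
# mostly fails, in line with the ~0.1% hit rate quoted in the article.
MIN_DISTINCT_USERS = 5
MIN_FAILURE_RATIO = 0.8
WINDOW = timedelta(minutes=5)


@dataclass
class SourceStats:
    attempts: int = 0
    failures: int = 0
    users: set = field(default_factory=set)
    successes: list = field(default_factory=list)  # usernames logged into from this source


def parse_log(text: str):
    """Turn log lines into (timestamp, ip, username, succeeded) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, outcome = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, outcome == "OK"))
    return events


def source_stats(events, window=WINDOW, now=None):
    """Aggregate attempts per source IP over the trailing window ending at `now`."""
    if now is None:
        now = max(ts for ts, _, _, _ in events)
    stats = defaultdict(SourceStats)
    for ts, ip, user, ok in events:
        if now - ts > window:
            continue  # outside the window, ignore
        s = stats[ip]
        s.attempts += 1
        s.users.add(user)
        if ok:
            s.successes.append(user)
        else:
            s.failures += 1
    return stats


def is_stuffing_source(s: SourceStats) -> bool:
    """Many distinct usernames plus a high failure ratio is the stuffing signature."""
    if s.attempts == 0:
        return False
    return len(s.users) >= MIN_DISTINCT_USERS and s.failures / s.attempts >= MIN_FAILURE_RATIO


def flag_sources(events, **kw) -> dict:
    """Return {ip: stats} for sources matching the stuffing signature."""
    return {ip: s for ip, s in source_stats(events, **kw).items() if is_stuffing_source(s)}


def accounts_to_review(events) -> list:
    """Accounts successfully entered from a flagged source: treat as probably compromised."""
    return sorted(u for s in flag_sources(events).values() for u in s.successes)


def should_challenge(ip: str, stats) -> bool:
    """Step-up decision: require CAPTCHA/MFA only when the source looks like stuffing."""
    s = stats.get(ip)
    return s is not None and is_stuffing_source(s)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("flagged sources:", sorted(flag_sources(evs)))
    print("accounts to review:", accounts_to_review(evs))
```

The per-source view catches the simple case shown here; a distributed attack spread over many proxies needs the same failure-ratio and distinct-username counts taken site-wide (or per user-agent or ASN) rather than per IP, which is a matter of changing the grouping key in `source_stats`.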