Credential Stuffing Defense

Credential compromise is a cyclical issue. It begins, of course, with the theft of credentials such as user IDs, email addresses and passwords. The stolen credentials are then often released onto the dark web, a process known as spilling. Finally, the credentials are tested in large volumes against a particular digital application, which is known as credential stuffing.

Credential stuffing is a serious issue across industries today because it impacts consumers and the businesses that serve them. Credential stuffing results in account takeover and hard dollar losses, customer lockouts, calls to call centers by the true consumer, reputational risk, skewed traffic reporting, and internal staff time spent researching the root cause of the issue.

Credential stuffing often involves mass testing of stolen login IDs and passwords, using bots to automate the process. Bots are software applications that use automation to perform repetitive tasks, often at high speed. In the context of credential compromise, bots are used to attempt account logins against digital sites and applications with stolen credentials.

Bots Are Challenging To Detect

Bots impersonate legitimate devices, which makes them more difficult to detect. They may mimic typical device configurations and often rotate their IP address for every attempt. They will often operate on well-known browsers, like Chrome or Safari, to mimic user behavior. Leveraging a large group of ordinary machines, whether desktops or mobile devices, also makes bots more effective.

Bots use many other techniques to evade detection. For example, bots attacking U.S. sites will be engineered to make their traffic appear to originate in the U.S. while actually originating in a foreign country. Bots are also growing more sophisticated: they can hold onto cookies, load JavaScript, and randomize their headers and user agents. They also reach sites by a variety of methods, such as browser automation tools, headless browsers, man-in-the-browser malware, and full JavaScript execution.

Bot Detection Techniques

There are a variety of techniques, both low- and high-tech, to identify and screen out bots.

Simpler detection techniques involve monitoring for a spike in site traffic, that is, an increased number of visits in a short period of time. Other signals to monitor include a higher-than-usual login failure rate and, of course, downtime precipitated by increased site traffic.

Organizations should also employ velocity detection, which looks for a spike in traffic generated by a single device. These solutions work by flagging devices that are used to perform multiple unusual behaviors, usually at high speed. If one device performs multiple login attempts against multiple accounts over a short period of time, this can signal the use of a bot.

However, many of these bot detection tools are not always effective because their models rely on IP addresses or cookies, and sophisticated bots change their IP address continually or clear or block cookies. Sophisticated bots require more sophisticated screening technologies that combine static techniques, such as detecting the presence of malware on the device, with a more complete behavioral analysis (a high number of attempts, a high number of failures, unusual traffic patterns, unusual location or repeated attempts from the same location, unusual speed of access attempts) that is more accurate and not so easily fooled.
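The following is an added example, not code from the original article or from InAuth, showing the two signals described above over a constructed set of login events: the site-wide login failure rate, and a sliding-window velocity check that flags any key touching too many distinct accounts. Running the same check keyed by client IP and then by device fingerprint illustrates why an IP-based model misses a bot that rotates its address on every attempt; the fingerprint values, thresholds and event format are assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed login events: (timestamp, device fingerprint, client IP, account, success).
# "dev-bot" rotates its IP on every attempt and cycles through many accounts, the
# velocity pattern the article describes; the IP column is therefore useless on its own.
T0 = datetime(2024, 1, 1, 12, 0, 0)
LOGIN_EVENTS = [
    (T0 + timedelta(seconds=1), "dev-alice", "203.0.113.10", "alice", True),
    (T0 + timedelta(seconds=5), "dev-bob", "203.0.113.11", "bob", False),
    (T0 + timedelta(seconds=9), "dev-bob", "203.0.113.11", "bob", True),
] + [
    (T0 + timedelta(seconds=10 + i), "dev-bot", f"198.51.100.{i}", f"user{i:03d}", False)
    for i in range(40)
]


def failure_rate(events):
    """Share of login attempts that failed; a jump above the site's baseline is the simplest signal."""
    if not events:
        return 0.0
    return sum(1 for e in events if not e[4]) / len(events)


def velocity_alerts(events, key_index, window=timedelta(seconds=60), max_accounts=5):
    """Flag any key (device fingerprint at index 1, or IP at index 2) that attempts logins
    against more than max_accounts distinct accounts inside a sliding time window.
    Returns {key: largest number of distinct accounts seen in one window}."""
    by_key = defaultdict(list)
    for e in sorted(events, key=lambda e: e[0]):
        by_key[e[key_index]].append((e[0], e[3]))
    alerts = {}
    for key, attempts in by_key.items():
        start = 0
        for end in range(len(attempts)):
            # Slide the window start forward until it is within `window` of the newest attempt.
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            accounts = {acct for _, acct in attempts[start:end + 1]}
            if len(accounts) > max_accounts:
                alerts[key] = max(alerts.get(key, 0), len(accounts))
    return alerts


if __name__ == "__main__":
    print(f"failure rate: {failure_rate(LOGIN_EVENTS):.0%}")
    print("IP-keyed alerts:", velocity_alerts(LOGIN_EVENTS, key_index=2))      # nothing flagged
    print("device-keyed alerts:", velocity_alerts(LOGIN_EVENTS, key_index=1))  # {'dev-bot': 40}
```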

Aside from bot detection, deploying security solutions that employ multi-factor authentication (MFA) paired with real-time device risk intelligence is also a smart strategy for detecting and preventing credential theft and stuffing. And of course, biometric solutions that facilitate a shift away from traditional password reliance offer the strongest level of identity verification and remove the credential as a weak link in the authentication chain.

Credential compromise will continue as long as credentials are used for authentication, and therefore we will continue to endure credential stuffing attempts. It is essential that security professionals employ every weapon in their arsenal, from monitoring and bot detection to device authentication, identity verification and malware prevention solutions, to avoid costly financial and reputational damage.

About the Author

Michael Lynch is InAuth's Chief Strategy Officer and is responsible for developing and leading the company's new product strategy, as well as developing key US and international partnerships. He brings two decades of experience in key roles within financial services, consulting, and Fortune 500 companies, specializing in security and technology leadership.
