17 Aug 2020 • 10 min read
17 Aug 2020 • 10 min read
Credential stuffing abuses the most sensitive gateways of your website, such as the login and payment page.
With bot's evolution, these attacks are getting more recurrent and sophisticated. Credential stuffing causes reputation and funding loss. It hurts online businesses by affecting customer lifetime value, reputation, and revenues.
How to prevent credential stuffing and provide the best security to your website?
Credential stuffing: an automated process of filing login and password for fraudsters to gain access to user accounts. Credential stuffing is a form of brute force attacks and a popular method of account takeover.
Kayo.moe - a free, open-source, anonymous hosting service that found out a large amount of personal data on its servers.
The data turned out to be lists of credentials to use for credential stuffing and further ATO attacks. Later on, the platform submitted them to cybersecurity experts.
Technically, credential stuffing is not a data breach per se. The process itself does not involve hacking databases to get the information.
Credential stuffing is the aftermath of a data breach. The breached data falls into the wrong hands and is used to gain access to user accounts.
However, General Data Protection Regulation or GDPR, a regulation in EU law concerning personal data protection and privacy states:
“a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed” is considered a personal data breach.
Thus credential stuffing is regarded as a personal data breach in the EU and must be reported accordingly.
Credential stuffing and password spraying are very similar by nature. The only difference is in password spraying.
They use several passwords for trying to get access to websites. In the case of credential stuffing, it is one credential used in different websites.
Credential stuffing is considered one of the forms of brute force attacks. Nevertheless, they do have differences.
Brute force is an attempt to guess passwords without any data input, hints, or clues. Its basic random usage of letters, numbers, and symbols is often combined with common password samples.
Credential stuffing uses already obtained clear data, which reduces the number of possible variations to just one.
Credential harvesting utilizes MITM attacks, DNS poisoning, phishing, social engineering, and other methods to obtain a large number of account credentials. After that, fraudsters can proceed to credential stuffing.
Since credential stuffing is a bot-operated attack, there are only two options in avoiding it:
Credential stuffing is normally conducted in a very slow and secret manner so it is hard to detect, it is characterized by:
Credential stuffing mitigation is a complex process that requires powerful solutions in the bot management industry such as:
Bot management solutions allow you to detect and mitigate bots at all website entries. However, this solution is quite pricy.
2-factor authentication or multi-factor authentication is a good solution. It adds another layer of verification except for login credentials, such as SMS code, e-mail code, or a fingerprint for a mobile application, which is hard to imitate for bots.
However, the e-mail code option may not work if the ATO attack compromises the e-mail, and you haven't set up backup mail.
Advanced AI-based CAPTCHA is one of the strongest fighters against account takeover attacks. Its behavioral analysis, environmental analysis, and the least user friction provide the most effective solution against bot attacks.
Why are we telling you all of this?
Well, because credential stuffing prevention is vital for your reputation, revenue, and, consequently, your business growth. Ignoring this issue is dangerous both for you and your customers.
Credential stuffing is a part of the account takeover process. Having these issues at hand urges you to provide better security for your website or application and choose safety measures at once.
Protecting your website gateways with strong security solutions will save your customers from hackers and bot attacks and provide the best user experience.
GeeTest provides a high-security level to both websites and applications using environmental and behavioral recognition systems to detect and mitigate bots with the least user friction providing the best user experience in the process.
Subscribe to our newsletter