Account takeover and credential stuffing attacks are two security threats that often go hand in hand. Both have become alarmingly prominent: a recent report found that one-fifth of account openings so far in 2019 have been fraudulent.
Prevent credential stuffing
Credential stuffing is when criminals get access to customer login details, typically by purchasing a list based on a data breach on the dark web. They then use automated login requests to attempt to access various accounts. Since many people use the same passwords for multiple accounts, something will usually work. In an account takeover (ATO) scenario, attackers use bots to test out thousands of stolen credentials. Once they succeed at breaking into an account, they take it over and use it to perform illicit activities like theft, fraud, and data exfiltration.
These types of attacks have significant consequences for companies. Trust and security are essential components of customer retention, so ATO and credential stuffing attacks can lead to customer loss. For example, 80% of US customers will stop spending money at a business for several months if the brand suffers from a data breach. Companies that are hit by these types of attacks also often incur substantial financial damages, with data breaches costing businesses $3.92 million on average.
While all industries should be worried about ATO and credential stuffing, websites that store valuable personal information are generally the hardest hit. Gaming companies, like Epic Games, are frequently targeted because attackers can make a profit by stealing and reselling the virtual goods within gamers’ accounts. Retail companies, financial services, and healthcare organizations also often fall victim to these types of attacks.
How can you avoid being the next Dunkin’ Donuts or TurboTax, which made headlines for suffering from credential stuffing and ATO attacks? Follow these tips:
Use multi-factor authentication
Passwords are unreliable. According to Have I Been Pwned, a database that tracks account breaches, 555,278,657 passwords have been exposed in known data breaches to date. Almost every successful credential stuffing and ATO attack relies on stolen passwords, so one of the best ways to mitigate risk is by requiring users to provide more than a single piece of information to log into their account.
Additional factors for multi-factor authentication could include text or email security codes, a physical security token, biometrics, or security questions.
Rate limit authentication requests
When hackers attempt to compromise accounts via credential stuffing, they often use bots or other similar automated approaches to input thousands of credentials in quick succession. To limit attackers’ ability to do this, IT teams can set a cap on the number of login attempts any single IP address can make within a given period.
Organizations should also establish security policies that lock an account once a user (or attacker) reaches that threshold; this stops attackers from attempting to log in many times, even if they spread out their attempts. Keep in mind, however, that attackers often use botnets to get around per-IP rate limits, so authentication requests can arrive from many different sources and your team needs to pair this strategy with others.
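As an added illustration of the two controls above (example code written for this page, not from the original article or any product): a hypothetical in-memory LoginThrottle that enforces a per-IP sliding-window cap and a per-account failure lockout. The IP addresses, account name, limits and timings are constructed; the second scenario shows why the per-IP cap alone is not enough once attempts are spread across a botnet.

```python
import time
from collections import defaultdict, deque


class LoginThrottle:
    """Per-IP sliding-window rate limit plus per-account failure lockout.
    Hypothetical example store (in-memory); a real deployment would back
    this with a shared datastore so every login node sees the same counts."""

    def __init__(self, ip_limit=5, window_s=60, lock_after=10):
        self.ip_limit = ip_limit        # attempts allowed per IP per window
        self.window_s = window_s        # sliding window length in seconds
        self.lock_after = lock_after    # consecutive failures before lockout
        self._ip_hits = defaultdict(deque)  # ip -> timestamps of recent attempts
        self._failures = defaultdict(int)   # username -> consecutive failures
        self.locked = set()                 # usernames locked pending reset

    def _ip_over_limit(self, ip, now):
        q = self._ip_hits[ip]
        while q and now - q[0] > self.window_s:   # drop attempts outside window
            q.popleft()
        q.append(now)
        return len(q) > self.ip_limit

    def attempt(self, ip, username, password_ok, now=None):
        """Record one login attempt; returns 'ok', 'rate_limited', 'locked' or 'failed'."""
        now = time.monotonic() if now is None else now
        if username in self.locked:        # lockout applies even to correct passwords
            return "locked"
        if self._ip_over_limit(ip, now):   # per-IP cap checked before any credential work
            return "rate_limited"
        if password_ok:
            self._failures[username] = 0   # successful login resets the failure count
            return "ok"
        self._failures[username] += 1
        if self._failures[username] >= self.lock_after:
            self.locked.add(username)      # threshold reached regardless of source IP
            return "locked"
        return "failed"


def single_ip_burst(throttle):
    """One IP, six wrong passwords within a minute: the sixth is rate limited."""
    return [throttle.attempt("203.0.113.7", "alice", False, now=i) for i in range(6)]


def botnet_spread(throttle):
    """Ten IPs, one wrong password each, an hour apart: no IP trips the cap,
    but the per-account counter locks 'alice' on the tenth failure."""
    return [throttle.attempt(f"198.51.100.{i}", "alice", False, now=i * 3600)
            for i in range(1, 11)]
```

Running both scenarios on fresh throttles shows the per-IP cap stopping the burst at the sixth attempt, while only the account lockout catches the slow, distributed run.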
Flag unrecognized devices
Alert customers about new logins
Your customers can be a great first line of defense for flagging unauthorized login attempts. Alert a user when someone tries to log into their account, either via email or text message. This policy will allow your users to discover illicit activity and take corrective action if necessary.
ATO attacks and credential stuffing can be devastating to a business. Every company can and should try to prevent credential stuffing and ATO attacks by creating strong authentication policies, monitoring where login attempts originate from and preventing attackers and bad bots from attempting too many logins. By taking these steps, IT teams will go a long way towards ensuring every login attempt is legitimate, and only real customers and users can access accounts.