Why stopping credential stuffing attacks is so difficult for businesses

Last week, we learned that Npower, one of the largest energy firms in the UK, has been hit by fraudsters. As per the news, the criminals managed to hack into some customer accounts, and stole their financial and personal information.

The attack took place through the Npower mobile app, which has now been scrapped permanently.

As per Npower, criminals accessed customer accounts by using login credentials that had been reused on other websites. Criminals used login data stolen from other websites, and carried out a ‘credential stuffing’ attack to break into customer accounts.

What is credential stuffing?

The attack relies on our habit of reusing passwords across several services. First, criminals buy or steal login IDs and passwords obtained by hacking other websites; then they try the obtained data against the targeted service to find the combinations that grant them access to user accounts.

Unfortunately, such attacks are carried out on a large scale, using millions of login ID and password combinations. Some criminals even use passwords that were stolen a decade ago. Thus, if you have reused a password, the criminals will eventually gain access to your accounts.

Why is credential stuffing so dangerous?

Once criminals gain access to your account, they can use it for any number of illegitimate purposes, including fraudulent bank transactions, buying gift cards, stealing your identity, or they can use your account to launch similar attacks. In fact, some criminals re-sell the login details of a hacked account after exploiting it. So, one successful credential stuffing attack can pave the way for more attacks on your account and business.

At a business level, you should not neglect even one compromised account. Even with one account, criminals can steal sensitive data, disrupt your services, carry out BEC scams, or infect your organization with ransomware.

Why stopping credential stuffing attacks is so difficult for businesses

You need to take the task of protecting your accounts from credential stuffing seriously. Unfortunately, protecting against the attack isn’t an easy task. This is because criminals use sophisticated tools for such attacks, including software that routes login attempts through hundreds of victim IPs to mask their presence.

So, how can you defend yourself against credential stuffing? First, let’s explore why criminals are able to steal login data. This information will help you understand the existing risks and how you can defend yourself against credential stuffing.

  1. Single-stage authentication

Unfortunately, even though multi-factor authentication is now widely available, many people still rely on single-stage authentication.

To put it simply, they use a single step, just the login ID and password combination, to access their accounts. This is dangerous because criminals use automated software that tries millions of login ID and password combinations to crack your account.

So, if you haven’t set up multi-factor authentication, you have made the job of hacking your account easier.

  2. Reuse of passwords

The habit of using a single password for different services may feel comfortable, but it’s a dangerous practice. For instance, even if you have set a strong password for your bank account, if you’ve also reused that password on your insurance website, then a data breach at your insurer would lead to the hacking of your bank account as well.

This is because criminal activities don’t get discovered instantly. For example, the data breach at Marriott Hotels that started in 2014 and exposed personal data of about 500 million customers, wasn’t discovered until 2018.

Additionally, the criminals may have stolen passwords that you used 10 years ago. So it doesn’t matter if you reuse a password only rarely: if you have used a password once, never reuse it.

  3. Phishing

Luring victims into revealing their passwords has become a very common tactic among criminals. They send fake emails, make phone calls, or send text messages that threaten people or offer free gifts, and trick them into sharing sensitive information.

For instance, last week, the UK’s HMRC reported 33,000 phone scams, 46,000 phishing emails, and 26,000 text messages in January that tried to lure victims into disclosing bank and other personal details by threatening legal action or offering bogus tax rebates.

So, if you want to defend yourself against such attacks, you need to learn and adopt new browsing habits. This includes:

    1. Avoid emails marked as spam
    2. Check for ‘https’ and the lock icon
    3. If you’re asked to verify your identity, contact the company directly before you enter any sensitive details
    4. Check links before opening them
    5. Never reuse your passwords

  4. Malware

Malicious software can steal your login IDs and passwords from your computer and send them directly to the criminals. Unfortunately, some malware can even bypass multi-factor authentication.

Malware can infect your computer through phishing emails and fake websites. The best protection against such infections is to keep your antivirus up to date. Most security solutions provide malware protection as well. So, take a good look at the software you are using, and ensure that the updates are run regularly.

Most importantly, adopt secure browsing habits. As suggested in the previous points, follow best password practices, avoid spam, and be careful when browsing online. Criminals try to lure people into installing malware with scareware pop-ups and offers of free gifts. Never click on pop-ups that you weren’t expecting.

  5. Data breach

For criminals, data breaches are a major source of login credentials. Hackers compromise online services using multiple attack vectors and then steal the login data of their customers. The ‘Have I Been Pwned?’ website keeps a list of 10,623,471,650 accounts that have been compromised.

We suggest you test your email address on their website. The test shows whether your account has appeared in a known breach or not. Unfortunately, if you find your email address in the ‘Have I Been Pwned’ list, you need to change your passwords immediately.

The best protection against stolen credentials is to change them. Moreover, ensure that the new passwords are not easy to guess.

How to create a strong password

We suggest that you use the following rules for creating strong passwords:

  1. Don’t use real words
  2. Use a mixture of characters, including lowercase and uppercase letters, numbers and special characters
  3. Your passwords shouldn’t be shorter than eight characters

Most importantly, your passwords need to be unique. Despite this rule being difficult to follow, you need to follow it for your own security. Particularly, if you are a business user, you cannot afford to reuse passwords. Why? Because if you reuse a password, criminals might use it to breach your office network. To illustrate, access-related attacks made up 50% of the attacks that resulted in a data breach in the US over 2018 and 2019.

In Conclusion

Of course, it’s a tough task to think up good passwords, ones that are hard to guess but easy to remember. So, we suggest that you train your employees, particularly on strong password practices. We couldn’t cover all the password tips here; we skipped topics such as how to make memorable passwords and how to store passwords safely. Thus, you need to look into your employee training on password practices.

With this in mind, revisit your information security training and look into your password policies as well. You may want to add new points such as those mentioned above. Likewise, you might need to review your security practices too, including how you track login attempts, password reset requests, and login success rate.
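As an added example (not code from the original post), the Python sketch below shows one way to track login attempts and login success rate for the credential-stuffing pattern described above: a burst of attempts against many different accounts, spread over many source IPs, with a low success rate. The log format, the sample lines and the thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<timestamp> <client IP> <username> <result>": a
# one-minute burst across 11 IPs and 12 accounts, then one genuine retry.
SAMPLE_LOG = """\
2021-02-22T10:00:01 203.0.113.10 alice FAIL
2021-02-22T10:00:02 203.0.113.10 bob FAIL
2021-02-22T10:00:02 203.0.113.11 carol FAIL
2021-02-22T10:00:03 203.0.113.12 dave FAIL
2021-02-22T10:00:03 203.0.113.13 erin OK
2021-02-22T10:00:04 203.0.113.14 frank FAIL
2021-02-22T10:00:04 203.0.113.15 grace FAIL
2021-02-22T10:00:05 203.0.113.16 heidi FAIL
2021-02-22T10:00:05 203.0.113.17 ivan FAIL
2021-02-22T10:00:06 203.0.113.18 judy FAIL
2021-02-22T10:00:06 203.0.113.19 mallory FAIL
2021-02-22T10:00:07 203.0.113.20 oscar OK
2021-02-22T11:30:00 198.51.100.7 alice FAIL
2021-02-22T11:30:05 198.51.100.7 alice OK
"""
EPOCH = datetime(1970, 1, 1)

def parse(log_text):
    # Turn each log line into a (timestamp, ip, user, succeeded) tuple.
    events = []
    for line in log_text.splitlines():
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result == "OK"))
    return events

def stuffing_buckets(events, window=timedelta(minutes=1), min_attempts=10,
                     min_distinct_users=8, max_success_rate=0.2):
    """Flag fixed windows with many attempts, many distinct accounts and a
    low success rate. Bucketing per window instead of per IP still catches
    an attack spread over hundreds of source IPs (thresholds assumed)."""
    buckets = defaultdict(list)
    for ts, ip, user, ok in events:
        buckets[(ts - EPOCH) // window].append((ip, user, ok))
    alerts = []
    for key in sorted(buckets):
        rows = buckets[key]
        rate = sum(ok for _, _, ok in rows) / len(rows)
        users = {u for _, u, _ in rows}
        if (len(rows) >= min_attempts and len(users) >= min_distinct_users
                and rate <= max_success_rate):
            alerts.append({"window_start": (EPOCH + key * window).isoformat(),
                           "attempts": len(rows), "distinct_users": len(users),
                           "distinct_ips": len({ip for ip, _, _ in rows}),
                           "success_rate": round(rate, 2)})
    return alerts
```

Note that no single IP in the sample makes more than two attempts, so a per-IP lockout would miss the burst entirely, while the genuine user's failed-then-successful login at 11:30 raises no alert.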

Jessica Holland
