The last few months have seen some truly alarming statistics on online consumer fraud and identity theft, particularly account takeovers. In this three-part series we'll take a closer look at credential stuffing, a very common, high-volume, automated bot attack.
It’s all about authentication
Of the attacks seen across new account registration, payments fraud and the account login, around two thirds are now directed at the login. Authentication really is the battleground in safeguarding the security and data privacy of online consumers.
Where do these attacks originate?
Attacks on account logins are fuelled by usernames, email addresses and passwords, the large majority of which were captured in the many large breaches of online databases that have occurred over the years. This data is then replayed in a form of brute-force attack known as credential stuffing: automated tooling running on dedicated servers fires hundreds of login attempts per second, cycling through the stolen username/password pairs, at online operators that rely on a single-factor password to secure their accounts. Unlike a classic brute-force attack on one account, each stolen pair is typically tried only once per site, so the attack succeeds wherever a user has reused the same password.
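The pattern just described has a recognisable signature in authentication logs. As an added illustration (not part of the original post, and not MIRACL's code), the Python below runs a simple sliding-window detector over a constructed log: it flags a source address that tries many distinct usernames with a high failure rate inside a short window, which is what separates credential stuffing from a brute force on a single account, and then reports any success from a flagged source as a possible account takeover. The log format (`ts ip=… user=… result=ok|fail`), the thresholds and the sample traffic are all assumptions made for the example.

```python
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set, Tuple

# Hypothetical log line format used only for this example; real auth logs differ.
#   2024-05-01T10:00:00 ip=203.0.113.7 user=alice result=ok
LOG_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)


@dataclass(frozen=True)
class LoginEvent:
    ts: datetime
    ip: str
    user: str
    success: bool


def parse_line(line: str) -> Optional[LoginEvent]:
    """Parse one log line; return None for lines that do not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return LoginEvent(ts=datetime.fromisoformat(m["ts"]), ip=m["ip"],
                      user=m["user"], success=m["result"] == "ok")


class StuffingDetector:
    """Per-source sliding-window heuristic.

    A stuffing source cycles through a list of stolen pairs, so within a window it
    shows many DISTINCT usernames and a high failure rate. A brute force on one
    account shows many attempts but a single username, and is not flagged here.
    """

    def __init__(self, window_s: int = 60, min_attempts: int = 20,
                 min_distinct_ratio: float = 0.8, min_fail_ratio: float = 0.9):
        self.window = timedelta(seconds=window_s)
        self.min_attempts = min_attempts
        self.min_distinct_ratio = min_distinct_ratio
        self.min_fail_ratio = min_fail_ratio
        self._recent: Dict[str, deque] = defaultdict(deque)  # ip -> events in window
        self.flagged_ips: Set[str] = set()
        self.suspect_logins: List[Tuple[str, str]] = []  # (ip, user) successes after flag

    def observe(self, ev: LoginEvent) -> List[str]:
        q = self._recent[ev.ip]
        q.append(ev)
        while ev.ts - q[0].ts > self.window:  # drop events outside the window
            q.popleft()
        alerts: List[str] = []
        if ev.ip not in self.flagged_ips and len(q) >= self.min_attempts:
            n = len(q)
            distinct_ratio = len({e.user for e in q}) / n
            fail_ratio = sum(1 for e in q if not e.success) / n
            if distinct_ratio >= self.min_distinct_ratio and fail_ratio >= self.min_fail_ratio:
                self.flagged_ips.add(ev.ip)
                alerts.append(f"STUFFING ip={ev.ip} attempts={n} "
                              f"distinct_users={distinct_ratio:.2f} fail={fail_ratio:.2f}")
        if ev.ip in self.flagged_ips and ev.success:
            # A success from a stuffing source means a reused password hit: likely ATO.
            self.suspect_logins.append((ev.ip, ev.user))
            alerts.append(f"POSSIBLE_ATO ip={ev.ip} user={ev.user}")
        return alerts


def build_sample_log() -> List[str]:
    """Constructed sample traffic: legitimate logins, one brute force, one stuffing run."""
    t0 = datetime(2024, 5, 1, 10, 0, 0)
    lines = [
        f"{t0.isoformat()} ip=198.51.100.10 user=alice result=fail",  # typo, then success
        f"{(t0 + timedelta(seconds=5)).isoformat()} ip=198.51.100.10 user=alice result=ok",
        f"{(t0 + timedelta(seconds=9)).isoformat()} ip=198.51.100.11 user=bob result=ok",
    ]
    # Brute force: one username, many password guesses, one source.
    for i in range(30):
        lines.append(f"{(t0 + timedelta(seconds=i)).isoformat()} ip=203.0.113.5 user=admin result=fail")
    # Credential stuffing: a combolist cycled at 4 attempts/s; pair 37 was reused here.
    for i in range(60):
        result = "ok" if i == 36 else "fail"
        lines.append(f"{(t0 + timedelta(milliseconds=250 * i)).isoformat()} "
                     f"ip=203.0.113.77 user=user{i:03d}@example.com result={result}")
    return lines


def run_detector(lines: List[str], **kwargs) -> Tuple[StuffingDetector, List[str]]:
    """Feed parsed events to the detector in time order; return it and all alerts raised."""
    det = StuffingDetector(**kwargs)
    events = [e for e in map(parse_line, lines) if e is not None]
    events.sort(key=lambda e: e.ts)
    alerts: List[str] = []
    for ev in events:
        alerts.extend(det.observe(ev))
    return det, alerts


if __name__ == "__main__":
    detector, raised = run_detector(build_sample_log())
    for a in raised:
        print(a)
    print("flagged sources:", sorted(detector.flagged_ips))
```

In production the same heuristic is usually combined with site-wide signals (a jump in the global failure rate, or failures spread thinly across many source addresses), because stuffing tools routinely rotate proxies so that no single IP crosses a per-source threshold.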
Consumers hold a growing number of online accounts (roughly 150 on average), and password complexity rules (an upper-case letter, at least 8 characters, and so on) make recalling a different password for each one impossible, so it is hardly surprising that some surveys suggest password re-use has actually become more frequent. A stolen password is worth far more if it is shared across many websites, so the price these passwords fetch on the dark web has risen significantly. A starter database of over 10 million credentials can be downloaded for free, but recent data from a source with a large volume of testable accounts commands much higher prices.
Many will recall Yahoo's 2013 breach, which at 3 billion records was the first to exceed a billion and established credential stuffing's prominent role among hackers. Since then there have been literally thousands of breaches (Uber, Marriott, Facebook, LinkedIn, Disney, Dropbox, to name a few) and their contents are now sold pre-loaded into bots to meet the demand of aspiring hackers. Remarkably, most of the credentials now for sale online were harvested in the last 24 months, because hackers know that fresh credentials have a higher hit-rate.
The supply of credentials has continued to grow, firstly because of poor security controls around users' data (specifically, the lack of rigorous standards for managing valuable personal data such as authentication databases) and secondly because of buoyant demand. In May 2019 an estimated 9 billion credentials were for sale on the dark web; one year later that number had risen to 15 billion.
So why is demand so strong? There are many ways to monetise this account data, but the most obvious is cracking open random users' accounts, which are then sold on to a new army of hackers who extract the value. Prices start at around $1.50 for media-site accounts and rise to $150 for card accounts, with substantial variation according to age and geography.
If you don't want your customers exposed to this account-takeover risk, please consider MIRACL. Not only does it give your users passwordless, easy-to-use multi-factor authentication that defeats credential stuffing and other password-based attacks (man-in-the-middle, social engineering or malware replay attacks); unlike other systems, it also removes the need for an authentication database altogether. There is then no focal point for hackers to target, which will put an end to this criminal market in hacked identities.
Finally, a technology capable of breaking the chain.
Read on next week to understand how the perpetrators of credential stuffing are making multi-million pound profits selling accounts that they have cracked.