Credential Stuffing is a Serious Issue Made More Popular by the Dark Web
Account takeover is one form of identity theft. Data breaches allow threat actors to steal credentials and then take over accounts for monetary gain. This creates a problem for businesses as well as consumers.
SpyCloud offers protection by preventing account takeovers. They essentially do this through monitoring login credentials and alerting account holders when their credentials are breached.
How security breaches occur
First, a hacker will hack into a site and steal login credentials of account holders. This generally includes email addresses, usernames, and passwords.
The Linkedin security breach of 2012 is one example of this. Over 160 million accounts had their login credentials stolen. An even larger breach involved the company Exactis, in which 340 million records were breached. Information included email addresses, physical addresses, and phone numbers.
Data for sale
Once the hacker has obtained these login credentials and potentially other personal information, they sell it online. The Dark Web offers much more anonymity, allowing lots of illegal activities to take place.
The Dark Web is part of the World Wide Web. However, you won’t find these sites by doing a Google search. Instead, the Dark Web uses a Tor browser. Everything is anonymous and encrypted, with most transactions occurring through bitcoin to maintain anonymity.
It’s easy to see why the Dark Web is seen as the place to sell information obtained from data breaches. Login credentials are compiled into lists, known as combo lists. These lists are then sold either through the dark web or the internet.
Given the number of accounts and passwords that people are expected to remember today, it’s not surprising that many people use the same login information for multiple sites.
Credential stuffing was once something that had to be performed manually. If you wanted to find out if someone’s Paypal login credentials were the same as Linked In, for example, you would have to go to Paypal and enter the information in.
However, now there are tools that essentially perform the attempts for you. You import the combo list file, and the program will test all the login credentials on many other sites.
About 2% of credential stuffing attempts are successful. However, the sheer amount of data that can be obtained and the relative ease of credential stuffing with these programs makes it very lucrative.
Once the criminal has found an account that can be logged into with the login credentials they purchased, they have access to the account. They can then use the account for a few purposes.
First, they can use the account to gain even more personal information. This could include physical addresses, phone numbers, birth dates, or driver’s license numbers.
Second, and more commonly, they can use the account for some type of financial gain. They may be able to make purchases on the site or transfer funds to their account.
Other types of accounts are targeted as well. Services like Netflix and companies that offer loyalty programs and points are sometimes targeted.
Cost to businesses
Its estimated that credential stuffing costs businesses $6 million dollars each year. Unfortunately, only 30% of companies have taken steps to prevent account takeovers due to credential stuffing.
This is likely because most people believe that the steps needed to prevent these types of attacks inconvenience legitimate users. In fact, 70% of people within organizations believe that taking steps to stop these attacks negatively affect the experience of legitimate users.
Preventing account takeovers
Spycloud uses a relatively simple system to prevent account takeovers. It essentially monitors login credentials. If these login credentials have been compromised in a breach, it will notify the account holder when they attempt to login.
Instead of simply requiring them to change their password, it sends a reset password link to their email address. This is done in case the person attempting to login is the criminal instead of the account holder.
Account takeovers are a big problem for consumers and businesses. Considering the ease and potential financial gain for criminals, it is also a problem that is going to be around for the foreseeable future. However, preventative measures can prevent account takeovers, keeping businesses and consumers safe.