Credential Stuffing

Fraud has been growing increasingly technologically advanced over the past few years, but that doesn’t mean the old tried-and-true techniques don’t still work. One method of attack that even a novice fraudster can pull off is credential stuffing, a brute force technique for cracking user accounts that can offer considerable rewards in exchange for minimal effort.

Merchants should be especially wary of credential stuffing, as customer accounts on ecommerce sites can be among the most lucrative targets for this type of attack. How do credential stuffing attacks work, and what can merchants do to prevent them?

All across the internet, accounts containing countless terabytes of valuable personal and financial data are secured with nothing more than a username and a password.

Usernames are easy enough to find out or guess, which means that the only obstacle that cybercriminals need to overcome in order to access this data is guessing the password.

Cracking passwords isn’t all that hard, especially if you know a little bit of contextual information about the person whose account you’re trying to break into. These days, the average internet user has a lot of passwords to keep track of, and most of us don’t exercise the best habits for password security.

Password reuse is very common, and many people use guessable information like names and birthdays to create passwords.

Fraudsters have created scripts and software tools that allow them to repeatedly “stuff” different sets of login credentials into a target site until a combination can be found that successfully grants access.

At that point, they’ll have full access to the compromised account and may be able to transfer funds, make purchases, or copy sensitive personal data. They will also have a working set of login credentials that may be usable on other websites.

What is Credential Stuffing?

Credential stuffing attacks are a threat to any website that keeps any valuable data behind a single-factor login screen. Note that credential stuffing only describes the method through which fraudsters gain access to protected accounts.

The actual type of fraud that follows a credential stuffing attack is account takeover fraud.

A credential stuffing attack can be carried out manually, but most fraudsters will automate the process with a script or program that can be fed lists of usernames and passwords to use. These lists may include known username and password combinations from recent data breaches as well as the most commonly used passwords and their variants.

Advanced tools could allow the user to enter information about a targeted account holder—the names of their children or pets, for example—and automatically generate passwords derived from that information. Credential stuffing tools will also frequently connect to proxy IP servers to prevent targeted servers from blocking them at the network level.

There are two different forms of credential stuffing. The first is when the fraudster has a known username or email address associated with an account on a known site, but does not know the password. Here, the credential stuffing attack will involve trying to log into the site by using the known username paired with thousands of different passwords.

The second scenario is when the fraudster knows they have a valid username and password combination, but they don’t know which site (or sites) it is associated with. In this case, the credential stuffing attack will involve trying the same username and password to log into thousands of different websites.

The vast majority of individual credential stuffing attempts fail, but it’s a numbers game. The typical success rate for these attacks is less than 2%, but it only takes one customer account with a linked credit card or something else of value to steal to make tens of thousands of credential stuffing attempts worth the fraudster’s investment.

While credit card fraud may be the easiest way to profit off of a credential stuffing venture, it’s not the only thing that might happen. In addition to stealing funds, reward points, and personal data, account takeover attacks can be used to set up distributed botnets.

How Can Merchants Detect and Prevent Credential Stuffing Attacks?

Network traffic typically offers the first clues to a credential stuffing attack in progress. Unusual traffic spikes—such as a surge in visitors in the dead of night when most of your customer base is sleeping—may indicate untoward activity that should be investigated further.

Credential stuffers will use proxies to make it look like they are actually multiple visitors coming from disparate regions and networks, but site logs should show the repeated failed login attempts that betray their identity and purpose.
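
As an added illustration (not code from the original article), the sketch below shows why per-IP counting misses a proxied attack while grouping failed logins by account and by time window exposes it. The log format, the thresholds, and all sample lines are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime

def build_sample_log():
    """Constructed log lines: 'ISO-timestamp source-ip username OK|FAIL' (assumed format)."""
    lines = [f"2024-03-01T14:0{i}:00 198.51.100.{i + 1} {u} OK"
             for i, u in enumerate(["alice", "bob", "carol", "dave"])]
    lines.append("2024-03-01T14:05:00 198.51.100.2 bob FAIL")  # ordinary typo
    # 03:00 burst: 40 failures on one account, each from a different proxy address.
    lines += [f"2024-03-01T03:{i % 10:02d}:{i:02d} 203.0.113.{i + 1} erin FAIL"
              for i in range(40)]
    return lines

def analyze(lines, per_ip_limit=5, user_ip_limit=10, min_events=20, fail_ratio=0.8):
    """Return three views of the same log; thresholds are illustrative assumptions."""
    fails_by_ip = defaultdict(int)          # naive view: failures per source address
    fail_ips_by_user = defaultdict(set)     # distinct failing addresses per account
    windows = defaultdict(lambda: [0, 0])   # 10-minute bucket -> [failures, total]
    for line in lines:
        stamp, ip, user, result = line.split()
        ts = datetime.fromisoformat(stamp)
        bucket = ts.replace(minute=ts.minute - ts.minute % 10, second=0)
        windows[bucket][1] += 1
        if result == "FAIL":
            windows[bucket][0] += 1
            fails_by_ip[ip] += 1
            fail_ips_by_user[user].add(ip)
    return {
        # Stays empty when every attempt arrives from a fresh proxy.
        "ips_over_limit": sorted(ip for ip, n in fails_by_ip.items() if n > per_ip_limit),
        # One account failing from many addresses: one username, many passwords.
        "targeted_users": sorted(u for u, ips in fail_ips_by_user.items()
                                 if len(ips) >= user_ip_limit),
        # Busy windows dominated by failures, e.g. a surge in the dead of night.
        "suspicious_windows": sorted(b.isoformat() for b, (f, t) in windows.items()
                                     if t >= min_events and f / t >= fail_ratio),
    }

if __name__ == "__main__":
    for name, hits in analyze(build_sample_log()).items():
        print(name, hits)
```
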

For merchants who aren’t able to monitor this data in real time, the first warnings of credential stuffing attacks may come from their customers, who might find themselves locked out of their accounts due to too many failed login attempts, receiving email notifications for changes to their account, or discovering fraudulent charges on their bank statements.

The most effective way for merchants to prevent these attacks is by using two-factor authentication.

A single additional authentication layer stops credential stuffing attacks cold, because a process that only replays usernames and passwords has no mathematical or practical way to deal with an additional (and probably dynamic) variable.

Instituting strong password requirements can also help, but it’s not a panacea. Strong passwords can still be compromised by data breaches and reused, and users will often put in the minimum effort necessary to make their passwords meet the strength requirements.

Similarly, CAPTCHAs may effectively thwart most credential stuffing tools, but some of those tools are capable of working around them.


As a common precursor to account takeover fraud, credential stuffing attacks should be on every merchant’s radar.

The known defenses against this attack method—two-factor authentication and strong passwords—aren’t always popular with customers, but the consequences of account takeover fraud can be harmful to your reputation and very costly, frequently leading to unwinnable true fraud chargebacks.

Anticipating and preventing credential stuffing attacks should be a part of any comprehensive plan for fraud protection. With the right defenses in place, merchants can prevent unauthorized account access, protect their customers from the depredations of fraudsters, and keep their revenue and reputation secure.

Thanks for following the Chargeback Gurus blog. Feel free to submit topic suggestions, questions or requests for advice to:
