Online Retailers Pummeled with Credential Stuffing Attacks

Blog Image -Credential Stuffing

Last year may go down as the Year of Stuffing Attacks - and we’re not talking about a Thanksgiving food fight.

According to the content delivery network Akamai Technologies, 28 billion cyberattacks were launched against e-commerce retailers around the globe in the last eight months of 2018, and of those, over 10 billion used an approach called “credential stuffing.”

Credential stuffing attacks are based on the premise that many people use identical login credentials for many of the web sites they visit. In other words, they have the same username and password for their email, bank, Amazon, Netflix, and other accounts. In those cases, if an attacker has the right credentials for one account, they’re able to access all of them.

In a credential stuffing attack, the perpetrator uses stolen credentials for one site, hoping to get lucky and gain entry into a few. By using bots (scripted AI programs that mimic the actions of a human web surfer), criminals can try those credentials across thousands of sites with just one click.

According to Akamai, criminals are “counting on the fact that people recycle their passwords across a number of different accounts. When this happens, a compromised set of credentials from one web site quickly translates into dozens of others.”

You can think of credential stuffing as the inverse of a brute force attack – the other common variant of account takeover. The brute force approach tries to gain access to a single website by throwing thousands of login variations at it whereas credential stuffing uses a single, known set of known credentials against as many web sites as they can.

Factors driving the adoption of credential stuffing against e-retailers is that it doesn’t require advanced technical skills to purchase a bot and lists of compromised credentials on the dark web and deploy an attack. In addition, retailers are a preferred target account takeover attempts, because the attackers can gain instant access to merchandise once an account is hacked.

Frameworks like 3-D Secure can help prevent fraud on the merchant side, but it's difficult to protect against unauthorized users gaining access using legitimate login credentials. They can, however, encourage password diversification by enforcing more complex password rules.

For example, a merchant might require a minimum character count of 16, rather than eight, characters. Because most people don't have a 'go-to' password that's  16 or more characters, they will be forced to use a new one.

While such policies may seem like a burden on the customer, applications that generate, store and fill-in complex logins across all of a user's devices, significantly lower the effort bar. 

But regardless of what merchants require, using an application like 1Password or LastPass to randomly generate unique passwords for every login is a big step in mitigating consumers' risk of being the victim of a credential stuffing attack.