Credential-stuffing explodes as password-reuse continues unchecked

The problem isn’t the reuse—it’s the passwords!

New research shows that hackers have been turning their malicious attention to cracking accounts with reused passwords. In other words, credential stuffing.

That’s where hackers try to break into accounts that share the same username and password as other, previously-leaked accounts. It’s becoming a huge problem. And for a hacker armed with countless zombie PCs corralled into a botnet, it’s childishly easy to brute-force your way through millions of stolen credentials.

But what can be done? How about better authentication—via biometrics? In this week’s ID Blogwatch, we point fingers at the solution.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: wing-walkers

What’s the craic?
John E. Dunn done wrote Credential-stuffing botnets on the rise as password reuse continues unabated:

The bots spewing out malicious login attempts by the bucketload appear to have cranked it up a notch.

Credential stuffing is the technique of [trying] logins stolen during phishing attacks and data breaches on lots of other sites to see how many succeed. Because bazillions of netizens have the habit of reusing the same password … plenty do succeed.

The rise of credential bot volume is being driven by its success. … Most of the credential-stuffing bot traffic … originated in the US, with Russia [second]. The UK was a very distant sixth.

Short of imposing authentication and magically abolishing … bad password habits … can the bots be stopped?

This is
Charlie Osborne’s beat—Credential stuffing attacks cause heartache:

One of the core problems in … security practices is the use of password and email combinations for multiple online services. When a data breach occurs, such as the LinkedIn 2012 security incident in which 112 million credentials were exposed, the story doesn’t end there.

These credentials may end up online and public or for sale. … Massive data dumps full of stolen credentials can be found in the Web’s underbelly, all of which can be [used to] automatically attempt to login to [other] services.

This can result in successful credential stuffing attacks [which] may lead to the theft of funds or stock portfolio tampering. If the account belongs to an employee of the organization, the damage could be deeper.

Akamai has witnessed a surge in credential stuffing. … Between November 2017 and June 2018, over 30 billion malicious login attempts were recorded.

It’s a huge problem—big league.
Akamai’s Martin McKeay addresses the State of internet security: [You’re fired—Ed.]

Credential stuffing, the use of botnets to try to login to a site with stolen or randomly created login information, isn’t a new phenomenon, but it is one that is having a growing impact, especially on financial services organizations.

Our first example highlights a credit union. … What they originally thought was a single botnet, actually turned out to be three separate attackers [who] had used a “low and slow” strategy to remain below any default alerting thresholds.

Our second example highlights a botnet at the other end of the spectrum — one that created so much traffic, it dwarfed normal login attempts. It was a sudden spike … that caused this financial services company to examine the incoming login traffic [but only because] customers were experiencing significant login issues.

Credential stuffing may not be a new problem, but it is a growing one. … Earlier this year, at least one [credentials] list topped 1.4 billion records. If even a tiny percentage of these accounts are reusing their logins and passwords, it makes credential stuffing … worth the risk to attackers.
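The “low and slow” case above is a detection failure mode: a per-source burst threshold never fires when each bot spreads its attempts out. The following is an added example (not Akamai’s or McKeay’s code) that runs two rules over a constructed authentication log: a naive burst rule, and a sliding-window rule that instead counts how many distinct accounts one source has failed against. The log lines, source addresses, usernames and thresholds are all made-up sample values.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> <source IP> <username> <outcome>".
# 198.51.100.20 is a legitimate user mistyping a password, 192.0.2.9 is a noisy
# bot, and 203.0.113.7 is a "low and slow" bot trying one account every 5 minutes.
SAMPLE_LOG = """\
2018-06-01T10:00:00 198.51.100.20 alice FAIL
2018-06-01T10:00:30 198.51.100.20 alice FAIL
2018-06-01T10:01:00 198.51.100.20 alice OK
2018-06-01T10:02:00 203.0.113.7 bob FAIL
2018-06-01T10:05:00 192.0.2.9 u01 FAIL
2018-06-01T10:05:05 192.0.2.9 u02 FAIL
2018-06-01T10:05:10 192.0.2.9 u03 FAIL
2018-06-01T10:05:15 192.0.2.9 u04 FAIL
2018-06-01T10:05:20 192.0.2.9 u05 FAIL
2018-06-01T10:05:25 192.0.2.9 u06 FAIL
2018-06-01T10:05:30 192.0.2.9 u07 FAIL
2018-06-01T10:05:35 192.0.2.9 u08 FAIL
2018-06-01T10:05:40 192.0.2.9 u09 FAIL
2018-06-01T10:05:45 192.0.2.9 u10 FAIL
2018-06-01T10:05:50 192.0.2.9 u11 FAIL
2018-06-01T10:05:55 192.0.2.9 u12 FAIL
2018-06-01T10:07:00 203.0.113.7 carol FAIL
2018-06-01T10:12:00 203.0.113.7 dave FAIL
2018-06-01T10:17:00 203.0.113.7 erin FAIL
2018-06-01T10:22:00 203.0.113.7 frank FAIL
2018-06-01T10:27:00 203.0.113.7 grace FAIL
2018-06-01T10:32:00 203.0.113.7 heidi FAIL
2018-06-01T10:37:00 203.0.113.7 ivan FAIL
"""


def parse_log(text):
    """Turn the sample log into (timestamp, source, username, outcome) tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, src, user, outcome = line.split()
        events.append((datetime.fromisoformat(ts), src, user, outcome))
    return events


def _failures_by_source(events):
    by_src = defaultdict(list)
    for ts, src, user, outcome in events:
        if outcome == "FAIL":
            by_src[src].append((ts, user))
    for items in by_src.values():
        items.sort()
    return by_src


def burst_alerts(events, max_failures=10, window=timedelta(minutes=1)):
    """Naive default rule: flag a source with more than max_failures failed
    logins inside any sliding one-minute window. A slow bot never trips it."""
    flagged = set()
    for src, items in _failures_by_source(events).items():
        start = 0
        for end in range(len(items)):
            while items[end][0] - items[start][0] > window:
                start += 1
            if end - start + 1 > max_failures:
                flagged.add(src)
                break
    return flagged


def spray_alerts(events, min_distinct_users=5, window=timedelta(hours=1)):
    """Credential-stuffing rule: flag a source whose failures inside a sliding
    one-hour window touch at least min_distinct_users different accounts.
    Returns {source: peak distinct-account count} for flagged sources."""
    flagged = {}
    for src, items in _failures_by_source(events).items():
        start = 0
        peak = 0
        for end in range(len(items)):
            while items[end][0] - items[start][0] > window:
                start += 1
            distinct = {user for _, user in items[start:end + 1]}
            peak = max(peak, len(distinct))
        if peak >= min_distinct_users:
            flagged[src] = peak
    return flagged


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    print("burst rule flags:", sorted(burst_alerts(events)))
    print("spray rule flags:", spray_alerts(events))
```

The burst rule catches only the noisy bot; the distinct-account rule catches both bots and leaves the legitimate user alone, because a real person retrying their own password produces many failures against one account, not one failure each against many accounts.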

Kevin Townsend compares the issue to DDoS attacks:

Organizations can impose ‘browser checking’ controls at the data center to block bad bot attacks — but such controls … can introduce disturbing latency for the visitor. Given web surfers’ well-documented impatience … many organizations simply don’t bother, and rely on bandwidth to absorb any malicious login attempts rather than impose unwanted friction on genuine visitors.

We are usually told that stolen passwords have been hashed; but since credential stuffing can only happen with plaintext passwords, either some of the databases were never hashed, or that hashing is not as secure against cracking as we would like to believe.

Worrying but true.
Zack Whittaker notes another way countermeasures inconvenience users—AdGuard resets all user passwords:

Popular ad-blocker AdGuard has forcibly reset all of its users’ passwords after it detected hackers trying to break into accounts … in what appeared to be a credential stuffing attack. … AdGuard has about five million users worldwide.

The company said it now has set stricter password requirements, and connects to Have I Been Pwned, a breach notification database set up by security expert Troy Hunt, to warn users away from previously breached passwords … AdGuard also said that it will implement two-factor authentication.
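The Have I Been Pwned check AdGuard describes is usually done through the Pwned Passwords range API, which never receives the password: the client hashes it with SHA-1, sends only the first five hex characters, and matches the remaining 35 against the returned bucket locally. The code below is an added example (not AdGuard’s or Troy Hunt’s code) of that client-side logic; the offline `fake_fetch_range` bucket and its breach count are constructed stand-ins for a real API response, and `fetch_range_live` is included only to show the real request shape.

```python
import hashlib
import urllib.request

PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_prefix_suffix(password):
    """Split the upper-case hex SHA-1 of the password into the 5-char prefix
    that is sent to the API and the 35-char suffix that stays on the client."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body):
    """Parse the 'SUFFIX:COUNT' lines the range endpoint returns into a dict."""
    seen = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, count = line.split(":", 1)
        seen[suffix.strip().upper()] = int(count)
    return seen


def breach_count(password, fetch_range):
    """Number of times the password appears in breach data, 0 if never."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def password_allowed(password, fetch_range, min_length=12):
    """Registration policy: reject short passwords and any password that has
    appeared in a known breach even once."""
    return len(password) >= min_length and breach_count(password, fetch_range) == 0


def fetch_range_live(prefix):
    """Real request shape (not executed in this example): GET range/<prefix>."""
    with urllib.request.urlopen(PWNED_RANGE_URL + prefix, timeout=5) as resp:
        return resp.read().decode("utf-8")


# Constructed offline bucket: the suffix of "password" plus two made-up
# neighbours, with a made-up count. Only the 5-char prefix is ever looked up.
_WEAK_PREFIX, _WEAK_SUFFIX = sha1_prefix_suffix("password")
_FAKE_BUCKETS = {
    _WEAK_PREFIX: "\n".join([
        "0018A45C4D1DEF81644B54AB7F969B88D65:1",
        f"{_WEAK_SUFFIX}:3730471",
        "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF:2",
    ])
}


def fake_fetch_range(prefix):
    """Offline stand-in for fetch_range_live; empty body for unknown buckets."""
    return _FAKE_BUCKETS.get(prefix, "")


if __name__ == "__main__":
    for candidate in ("password", "correct-horse-battery-staple-2018"):
        print(candidate, breach_count(candidate, fake_fetch_range),
              password_allowed(candidate, fake_fetch_range))
```

Because the server only ever sees a five-character prefix that roughly 400–600 hashes share, it cannot tell which password was checked, which is what makes it acceptable to run this against user-supplied passwords at registration and reset time.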

Have you been pwned?
Troy Hunt offers this example dump—The 42M Record Credential Stuffing Data:

… is a free, public, anonymous hosting service. The operator of the service (Kayo) … advised they’d noticed a collection of files uploaded to the site which appeared to contain personal data from a breach. … (This is not about a data breach of

When I pulled the email addresses out of the file, I found almost 42M unique values. … There was a significant amount of data I’ve never seen before. … I’d never seen more than 4M of the addresses. So I loaded the data.

Something must be done!
Stephan Moerman—@stmoerman—suggests, errm, something:

Definitely a reason to keep your users safe by forcing password policies during registration.

And we obviously need to stop people reusing passwords, right?
Wrong, says vtcodger:

I reuse the same password within the limits of obscure and often conflicting length and content rules. So does my wife, my kids, and (I suspect) … everyone.

Attempting to educate users or to force them to do things your way is pretty much a complete waste of time … User authentication is a huge problem. [It] will, I think, quite likely eventually limit the utility of the Internet.

Do I have an answer? Nope.

Ahem, surely the answer is biometric authentication?
So says Constantine von Hoffman:

In addition to improving cybersecurity, biometrics are also being used to help manage employees more efficiently and engage with customers more personally.

Payment systems are the first place where many [are] adopting biometrics … Mastercard has also announced plans to allow all customers to identify themselves with biometrics.

Unfortunately, more than half of all small and medium businesses (SMB) leaders think [their] companies aren’t cybercrime targets.

To protect against this, companies are being advised to institute … multi-factor authentication … a system that uses two [or more] different categories of information. … That generally means one of them is a biometric, which is inherent to the person.

And Finally…

Wingwalking Isn’t What It Used To Be, And That’s A Good Thing

You have been reading ID Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites… so you don’t have to. Hatemail may be directed to @RiCHi or [email protected]. Ask your doctor before reading. Your mileage may vary. E&OE.

Image source: Jeff Kubina (cc:by-sa)
