Credential Stuffing And Account Takeovers, Oh My

Ty Chaston
November 27, 2018


If you are an American Chief Information Security Officer (CISO) or IT security professional, you may have enjoyed traditional Thanksgiving stuffing last Thursday, something more classic like your family’s famous cornbread stuffing, or even something exotic like Tahitian stuffing with breadfruit and coconut. But there is a different type of stuffing that cyber criminals rely heavily upon every day of the year. So, what are you doing to prevent credential stuffing at your organization?

What is Credential Stuffing?

Unfortunately, credential stuffing isn’t as tasty as your family’s famous cornbread stuffing, but it can be very tasty (read “profitable”) to cyber criminals when executed correctly.

According to Wikipedia:

“Credential Stuffing is a type of cyberattack where stolen account credentials typically consisting of lists of usernames and/or email addresses and the corresponding passwords (often from a data breach) are used to gain unauthorized access to user accounts through large-scale automated login requests directed against a web application. Unlike credential cracking, credential stuffing attacks do not attempt to brute force or guess any passwords – the attacker simply automates the logins for thousands to millions of previously discovered credential pairs using standard web automation tools like Selenium, cURL, PhantomJS or tools designed specifically for these types of attacks like Sentry MBA.”

The definition of “brute force” hacking seems to differ from expert to expert, because according to Techopedia:

“What happens with credential stuffing is that hackers take that stolen information related to one site or system and use it in a brute force hacking attempt to try to get into various other systems. Sometimes hackers evaluate whether one password or username can be used for another website, whether it is related to the original website or not.

For instance, hackers may gain access to sets of usernames and passwords for a particular retailer and try to apply those same usernames and passwords to a financial website. The idea is that through trying large numbers of these attacks, hackers can figure out whether any users have reused the same passwords and user permissions, and in that way, hackers may be able to use stolen login data to access multiple systems. Some types of credential stuffing can also lead to identity theft.”

Whether or not you call it brute force, the result is the same: one leaked credential pair is used to access other accounts. The real issue with credential stuffing is its outcome, account takeover.
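The definitions above describe the mechanics: one source replays many previously breached username/password pairs against a login endpoint, most attempts fail, and the few that succeed are the account takeovers. That pattern is visible in ordinary authentication logs. The following is an added example, not code from this post, from SecureAuth or from Acceptto, showing one way a defender can surface it. The log format, the sample events, and the thresholds (five distinct accounts in a five-minute window with at least 80 % failures) are constructed assumptions for the illustration; the accounts that nevertheless logged in successfully from a flagged source are reported separately, because those are the takeovers that need session revocation and a forced credential reset.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample of web-application login events (assumed format:
# "<ISO timestamp> <source IP> <username> <OK|FAIL>"). Not from any real system.
SAMPLE_LOG = """\
2018-11-27T09:00:01Z 203.0.113.10 alice FAIL
2018-11-27T09:00:02Z 203.0.113.10 bob FAIL
2018-11-27T09:00:03Z 203.0.113.10 carol OK
2018-11-27T09:00:04Z 203.0.113.10 dan FAIL
2018-11-27T09:00:05Z 203.0.113.10 erin FAIL
2018-11-27T09:00:06Z 203.0.113.10 frank FAIL
2018-11-27T09:00:07Z 203.0.113.10 grace FAIL
2018-11-27T09:00:08Z 203.0.113.10 heidi FAIL
2018-11-27T09:01:10Z 198.51.100.7 dave FAIL
2018-11-27T09:01:25Z 198.51.100.7 dave OK
2018-11-27T09:02:00Z 198.51.100.9 ivan OK
"""


@dataclass
class LoginEvent:
    ts: datetime
    src_ip: str
    user: str
    ok: bool


def parse_log(text: str) -> list[LoginEvent]:
    """Parse the assumed four-column log format into LoginEvent records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append(LoginEvent(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                                 ip, user, result == "OK"))
    return events


def detect_stuffing(events: list[LoginEvent],
                    window: timedelta = timedelta(minutes=5),
                    min_users: int = 5,
                    min_fail_ratio: float = 0.8) -> dict:
    """Flag source IPs that, within a sliding time window, attempt logins to
    many distinct accounts with a high failure ratio. A legitimate user who
    mistypes a password hits one account, so the distinct-user count is the
    discriminating signal; the failure ratio filters shared gateways where
    many real users log in successfully from one address.

    Returns {src_ip: {"distinct_users", "attempts", "failures", "succeeded"}}
    where "succeeded" lists accounts that logged in from the flagged source,
    i.e. the probable takeovers.
    """
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e.src_ip].append(e)

    alerts = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e.ts)
        start = 0
        for end in range(len(evs)):
            # Advance the window start so that span covers at most `window`.
            while evs[end].ts - evs[start].ts > window:
                start += 1
            span = evs[start:end + 1]
            users = {e.user for e in span}
            fails = sum(1 for e in span if not e.ok)
            if len(users) >= min_users and fails / len(span) >= min_fail_ratio:
                # Later windows overwrite earlier ones, so the alert reflects
                # the most recent qualifying span for this source.
                alerts[ip] = {
                    "distinct_users": len(users),
                    "attempts": len(span),
                    "failures": fails,
                    "succeeded": sorted({e.user for e in span if e.ok}),
                }
    return alerts


if __name__ == "__main__":
    for ip, info in detect_stuffing(parse_log(SAMPLE_LOG)).items():
        print(f"{ip}: {info['distinct_users']} accounts, "
              f"{info['failures']}/{info['attempts']} failed, "
              f"probable takeovers: {info['succeeded']}")
```

Run as-is, the only source flagged is 203.0.113.10 (eight accounts, seven failures), and `carol` is reported as the account that was successfully entered from that source; the single-user retry from 198.51.100.7 is not flagged. Real stuffing campaigns spread attempts across many proxies, so in production the same windowed count is also worth keying on the target account and on the user agent rather than on the source IP alone.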

Is Account Takeover Real?

Robert Siciliano offers this in his article titled “Learn About Account Takeover Fraud” on The Balance:

“Financial identity theft in the form of account takeover fraud generally means using another person’s account information (e.g., a credit card number) to obtain products and services using that person’s existing accounts. It can also mean extracting funds from a person’s bank account.

Account numbers are often found in the trash, hacked online, or stolen out of the mail or from lifted wallets or purses. Once the thieves obtain this data, they may use the information right at a point of sale or access individual accounts online, over the phone, or through the postal service.

Social engineering of the entity processing the data is almost always required at some level: lying to turn the data into cash, the criminal poses as the victim. Victims are often the first to detect account takeover when they discover charges on monthly statements they did not authorize or funds depleted from existing accounts. Sometimes the victim will find out their bank account was compromised as a result of numerous charges from bounced checks.”

The bottom line is that you don’t want to be a victim or leave your company exposed to credential stuffing and account takeover. The good news is that there are new identity authentication technologies that can prevent exactly that.

Cognitive Authentication To The Rescue

Acceptto is a transformative cybersecurity company delivering continuous identity access protection and real-time threat analytics with Biobehavioral™ AIML-powered authentication technology in an age where your identity is persistently attacked.

Your login credentials have been compromised. Your passwords have been hacked no matter how complex you’ve made them. Two-factor security is temporal, causes high friction and can be easily intercepted during transmission. Current multi-factor authentication (MFA) security solutions lack context and rely on too few attributes. Your biometrics are binary, and regardless of how safe a fingerprint or retina scan appears to be, it can be spoofed and cannot be reset, ever. And, there are few, if any, solutions that continuously validate your identity post-authentication.

With Acceptto’s Cognitive Authentication you can ensure:

  1. Actionable threat analytics: Real-time, continuous identity monitoring & validation post-authentication.
  2. Dynamic authentication: Adjustable, risk-based policy orchestration and continuous enforcement.
  3. Credential stuffing neutralized: Eliminate account takeover (ATO) instantly with intelligent contextual MFA.

Check out what Acceptto can do to ensure your employees, partners and customers can authenticate without passwords and still ensure security and privacy. Register for a free trial today.
