Every once in a while I read an interesting cybersecurity study that I feel deserves its own blog post. It usually describes a successful cyber-attack that exists at the intersection of three things: organizational ambivalence, botnet technology and the human element. The reason I find this type of attack so interesting is that it often affects unsuspecting organizations, can scale very quickly, and its resolution would require an impossible change in human nature. The specific study I would like to focus on here was conducted by Shape Security and is detailed in its 2017 Credential Spill Report. It focuses on Credential Stuffing – a method of cyber-attack based on the well-documented tendency of people to reuse their “favorite” passwords across different network resources. If you steal this “favorite” password from one site you can, using Credential Stuffing, try it against high-value resources like an online banking account. Automating the process with a botnet makes this method of attack a serious concern.
According to the study over 3 billion (that’s billion with a B) credentials were stolen in 2016 alone and Credential Stuffing is responsible for “more than 90% of login traffic on many of the world’s largest websites and mobile applications.” Additionally, according to the study, Credential Stuffing had “up to a 2% success rate in taking over accounts on systems that did not report public data breaches.”
90% of login traffic with a 2% success rate…that is scary! Credential Stuffing is so effective because, as mentioned above, it takes advantage of organizational ambivalence, botnet technology and human nature. Let’s look at each of these elements.
Organizational Ambivalence – Most organizations do not view Credential Stuffing as a traditional cyber-attack. Indeed the Shape Security report states that these attacks happened “on systems that did not report public data breaches.” The logic here is that since the credentials were stolen from another site and an organization cannot control a user’s password, the organization is not responsible. The account takeover, however, happens on the organization’s own login page and against its own customers, whether or not it was the source of the leak.
Botnet Technology – A botnet is a network of compromised computers controlled by a perpetrator to perform a specific cyber-attack. Add to a botnet the Sentry MBA software, which is the Credential Stuffing attack tool of choice, and you have a cheap, easy and automated Credential Stuffing attack tool. Using a botnet also allows perpetrators to evade typical Credential Stuffing defenses like IP blacklists and per-IP rate limits: the stolen credential list is spread across thousands of IP addresses, so each address makes only a handful of login attempts and never crosses a blocking threshold.
Human Element – This is always the most difficult aspect of cybersecurity. Memorizing multiple passwords is frustrating, and that frustration is the main reason for password reuse. Indeed Credential Stuffing relies on the fact that roughly 60% of people reuse passwords.
There is no reason to believe that password reuse will disappear, and that is why Credential Stuffing can only be resolved at the organizational level. In the Draft Special Publication 800-63B Digital Identity Guidelines, NIST now recommends that organizations check a user’s chosen password against a list of passwords exposed in previous breaches and require a different password when the chosen one is on the list. How long before the recommendation becomes a requirement?
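As an added illustration (example code written for this post, not taken from the NIST guidelines, Shape Security or TELEGRID), here is what such a breach-list check looks like in Python. It follows the k-anonymity range-query scheme used by Have I Been Pwned’s Pwned Passwords service, in which only the first five hex characters of the password’s SHA-1 hash leave the client and the suffix is matched locally. The breach corpus below is a small constructed dictionary standing in for a real one; its counts are made up, and the length floor and policy wording are assumptions for the example.

```python
import hashlib
from typing import Dict, Tuple

# Number of hex characters of the SHA-1 digest that leave the client in a
# k-anonymity range query; the remaining 35 characters are matched locally,
# so the lookup service never learns the full hash.
PREFIX_LEN = 5


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the candidate password, as breach corpora store it."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed stand-in for a breach corpus: SHA-1 hash -> times seen in breaches.
# The passwords are common ones; the counts are made up for this example.
CONSTRUCTED_BREACH_CORPUS: Dict[str, int] = {
    sha1_hex(pw): seen
    for pw, seen in [
        ("password", 3_000_000),
        ("123456", 20_000_000),
        ("qwerty", 2_500_000),
        ("letmein", 200_000),
        ("Summer2017!", 1_000),
    ]
}


def range_lookup(prefix: str, corpus: Dict[str, int]) -> Dict[str, int]:
    """Server side of the range query: return every suffix in the corpus whose
    hash starts with `prefix`, with its count. The server cannot tell which of
    the returned suffixes, if any, the client actually holds."""
    if len(prefix) != PREFIX_LEN or any(c not in "0123456789ABCDEF" for c in prefix):
        raise ValueError(f"prefix must be {PREFIX_LEN} uppercase hex characters")
    return {h[PREFIX_LEN:]: n for h, n in corpus.items() if h.startswith(prefix)}


def breach_count(password: str, corpus: Dict[str, int]) -> int:
    """Client side: hash locally, query by prefix only, match the suffix locally."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:PREFIX_LEN], digest[PREFIX_LEN:]
    return range_lookup(prefix, corpus).get(suffix, 0)


def evaluate_new_password(password: str, corpus: Dict[str, int],
                          min_length: int = 8) -> Tuple[bool, str]:
    """Verifier policy in the spirit of SP 800-63B: a length floor and a breach
    blocklist, no composition rules. Returns (accepted, reason)."""
    if len(password) < min_length:
        return False, f"too short (minimum {min_length} characters)"
    seen = breach_count(password, corpus)
    if seen:
        return False, (f"appears in known breach data ({seen} times); "
                       "please choose a different password")
    return True, "accepted"


if __name__ == "__main__":
    for candidate in ["password", "Summer2017!", "abc", "correct horse battery staple"]:
        accepted, reason = evaluate_new_password(candidate, CONSTRUCTED_BREACH_CORPUS)
        print(f"{candidate!r}: {'accepted' if accepted else 'rejected'} ({reason})")
```

Note that the check runs at password selection and reset time, not at login; hashing the live password at every login to query an outside service would be a needless exposure. Against a real corpus the prefix query is made over HTTPS, but the matching logic is exactly what is shown here.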
The Open Web Application Security Project (OWASP) has published a Credential Stuffing cheat sheet that lists 5 ways to protect your organization. Some, like Multi-Factor Authentication (MFA), require a large network redesign effort or the implementation of a simple Single Sign-On solution like the TELEGRID SMRTe. Others, like requiring a multi-step login process or disallowing email addresses as user IDs, can be implemented today with very little effort. Every organization should review the OWASP cheat sheet, or it might be the next target of a Credential Stuffing cyber-attack.
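The point made above about botnets defeating IP blacklists is easy to see in data. The following Python, added here as an example and not taken from the post, the OWASP cheat sheet or any TELEGRID product, runs two detectors over constructed login records: the classic per-IP failure blacklist, and an aggregate check on one time window that looks for the stuffing signature (mostly failures, a different username on almost every attempt, traffic spread thinly across many addresses). The log format, the thresholds and the sample traffic are all assumptions made for illustration.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, List, Set

# One line per login attempt. The format is assumed for this example; adapt the
# pattern to whatever your authentication service actually emits.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


@dataclass(frozen=True)
class Attempt:
    ts: str
    ip: str
    user: str
    ok: bool


def parse_log(lines: Iterable[str]) -> List[Attempt]:
    """Parse login records; malformed lines are skipped rather than crashing the detector."""
    attempts = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            attempts.append(Attempt(m["ts"], m["ip"], m["user"], m["result"] == "OK"))
    return attempts


def blacklist_by_ip(attempts: List[Attempt], max_failures: int = 5) -> Set[str]:
    """The classic defense: block any source IP with too many failed logins."""
    failures = Counter(a.ip for a in attempts if not a.ok)
    return {ip for ip, n in failures.items() if n >= max_failures}


@dataclass
class WindowStats:
    attempts: int
    fail_ratio: float
    unique_user_ratio: float   # distinct usernames / attempts
    attempts_per_ip: float
    suspicious: bool


def detect_stuffing(attempts: List[Attempt], min_attempts: int = 20,
                    min_fail_ratio: float = 0.5,
                    min_unique_user_ratio: float = 0.8) -> WindowStats:
    """Aggregate view of one time window. Credential stuffing looks like: mostly
    failures, almost every attempt against a different username (each stolen
    pair is tried once), spread thinly over many IPs. Thresholds are
    illustrative; tune them against your own baseline traffic."""
    n = len(attempts)
    if n == 0:
        return WindowStats(0, 0.0, 0.0, 0.0, False)
    fail_ratio = sum(not a.ok for a in attempts) / n
    unique_user_ratio = len({a.user for a in attempts}) / n
    attempts_per_ip = n / len({a.ip for a in attempts})
    suspicious = (n >= min_attempts and fail_ratio >= min_fail_ratio
                  and unique_user_ratio >= min_unique_user_ratio)
    return WindowStats(n, fail_ratio, unique_user_ratio, attempts_per_ip, suspicious)


def constructed_attack_log() -> List[str]:
    """Constructed botnet run: 30 bots (TEST-NET-3 addresses), two stolen
    credential pairs each, one of the 60 pairs succeeds."""
    lines, n = [], 0
    for host in range(1, 31):
        for _ in range(2):
            n += 1
            result = "OK" if n == 17 else "FAIL"
            lines.append(f"2017-03-12T10:{n // 60:02d}:{n % 60:02d}Z "
                         f"ip=203.0.113.{host} user=victim{n:03d} result={result}")
    return lines


def constructed_normal_log() -> List[str]:
    """Constructed legitimate traffic: 20 users from their own addresses, four of
    them mistype once before succeeding."""
    lines = []
    for u in range(1, 21):
        if u <= 4:
            lines.append(f"2017-03-12T09:{u:02d}:00Z ip=198.51.100.{u} user=user{u:02d} result=FAIL")
        lines.append(f"2017-03-12T09:{u:02d}:30Z ip=198.51.100.{u} user=user{u:02d} result=OK")
    return lines


if __name__ == "__main__":
    for name, log in [("attack", constructed_attack_log()), ("normal", constructed_normal_log())]:
        attempts = parse_log(log)
        print(name, "blacklisted IPs:", blacklist_by_ip(attempts) or "none")
        print(name, detect_stuffing(attempts))
```

Run it and the per-IP blacklist stays empty for the attack: no bot fails more than twice, so a threshold of five is never reached. The window-level view still flags it, because 59 of 60 attempts fail against 60 different usernames. The three signals are checked together on purpose; legitimate traffic in the sample also has a high unique-user ratio (most people log in once), and only the combination with a high failure rate separates it from stuffing.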
Eric Sharret is Vice President of Business Development at TELEGRID. TELEGRID has unique expertise in secure embedded systems, secure authentication, PKI, and Multi-Factor Authentication (MFA).
Disclaimer: The opinions expressed here do not represent those of TELEGRID Technologies, Inc. The Company will not be held liable for any errors, omissions, or delays in this information or any losses, injuries, or damages arising from its display or use. All information is provided on an as-is basis.