Credential Stuffing Detection: How to Prevent Credential Stuffing Attacks

Guide to Stopping Credential Stuffing

Credential stuffing attacks are a form of cyber-attack where a company's official website is overflowed by bots, which continuously attempt various login attempts, with a different username and password combination to get access to restricted data of the users. Credential stuffing is typically targeted towards websites of companies that handle finance, such as banks and financial institutions. In 2021, billions of losses were recorded due to account takeover (ATO) intrusions by credential stuffing.

Here is everything that you should know on how to stop credential stuffing attacks and customer impersonation.

Steps in Credential Stuffing Attacks

Although credential stuffing is hard to detect due to different methods of customer impersonation, there are a few common steps that cybercriminals use when planning such an attack. Here are some of the steps used by most fraudsters:

• Step 1. The attacker carefully picks its targets, gathers all the information about the company that he can, including its financial standings, the security level of the website, and other necessary credentials. The companies are usually in the finance field, with user accounts that have access to credit or funds.
• Step 2. There are several different steps that the attacker could use to get access to a customer’s account. The most common tactic is using a huge collection of stolen usernames and passwords. The attacker can also use a strong network of computer bots that continually try different combinations of usernames and passwords until the attacker finds a match. It is usually a complete automated process from the get-go. More sophisticated fraudsters may use compromised or leaked data from the dark web to gain access through customer impersonation.
• Step 3. The third step is where the attacker has finally cracked a combination and has complete access to that customer's account. It is completely the decision of the attacker what they want to do with it. They can either exploit the customer for financial benefits, misuse the account, or even sell the information to a third party to remain completely anonymous.

Bank Impersonation

A more common method of gaining access to the credentials of a customer is bank impersonation fraud. It is a scheme where the attacker pretends to be an official from the bank. The attacker could contact by mail, phone call, or electronic messages like emails or support systems. Once the attacker establishes himself as an employee of the bank, they could do anything from asking you for your login details, any OTP (one time password), or even persuading you to transfer money into an anonymous bank account.

They usually have all the necessary information about you to make it look like a genuine service call from the bank. The fraudster would start by warning you about your account being hacked or any other safety reasons. They could also try to convince you that your account has been blocked or frozen until you transfer your funds to a safer account now.

Hackers have adopted all the methods in the book for bank impersonation, including asking for your password, requesting to join an online meeting where they can see your screen, or even impersonating an agent from a well known tech giant like Apple, Google, or Microsoft.

This guide will explore how to detect and prevent customer impersonation fraud for banks and financial institutions.

Customer Impersonation Fraud

Customer impersonation fraud is certainly on the rise as it becomes easier for cybercriminals to download and purchase compromised user credentials and leaked stolen user data from breaches. 

This would allow fruadsters to call into a bank or financial institution and impersonate a customer to gain access to funds or make a transfer.

Stolen user data can also be used to log in to an account by using a known username and password. Prevent account takeover incidents and monitor suspicious logins to help secure customer accounts.

Brute Force Login Attempts

Brute force attacks and credential stuffing are actually two very different types of cyber attacks. Brute force attacks are much easier to deal with compared to credential stuffing attacks as they try to guess a customer's password by trying out various numbers and alphabet combinations. On the other hand, credential stuffing generates different usernames and passwords using bots. In addition, brute force uses the same base for the password while credential stuffing does not.

The simplest way to be safe and secure against any brute force attack is to limit the number of login attempts that a customer can make. You could even advise the customers to develop a stronger password with a combination of upper and lower case letters, numbers, and at least one special character. Combining all the above elements will give you a password that will be tough to crack by any attacker.

Rate limiting logins per second or minute can also make it much more difficult for bots to randomly guess their way into a user's account. Bot protection can also help mitigate brute forcing attacks.

Password Spraying Attack

A similar attack method is password spraying. Under the umbrella of brute force attacks lies the password spraying attack, which seems to tackle the anti-brute force measures applied by websites very well.

Instead of trying various passwords for a single account and getting timed out after three to five attempts, it tries the same password for as many usernames as it can compute before trying other combination passwords. Then, it sprays the passwords on different usernames to see if there is a match without getting timed out after three to five attempts.

Employing a two-step verification method or a multi-factor authentication process could shield your company against any password spraying attacks.

Detection of Credential Stuffing Attacks

Credential stuffing attacks are one of the most difficult online cyber attacks to detect since the attackers continuously update their methods. Sophisticated fraudsters may also bypass the firewall or security measures of the website. It can be difficult to isolate credential stuffing from real-human behavior.

Attackers use sophisticated means of cybercrime like using botnets, or a network of bots built using infected devices (usually malware) which grants access to thousands of different IP addresses. These IP addresses are usually on residential or mobile connections which allows the logins to look very real.

Techniques to Prevent Credential Stuffing Attacks

Depending on the intensity and preparation of the attack, there are several ways these attacks can be identified and prevented before any information is leaked. Here are a few tried and tested methods.

• Anti-Bot Tools — A bot detection solution that can identify human-like bots should be installed on all login and registration/application pages. Modern bot mitigation solutions should use different factors like the IP address, login attempts, device behavior, and location to determine whether a login was generated by a bot. Preventing credential stuffing attacks is most effective by stopping bots.
• Smarter Customers — Preventing credential stuffing attacks and account takeover can also be enhanced by educating customers about the issue. Encourage customers to use more complicated passwords, use a unique password, and to regularly change passwords every few months to prevent unauthorized logins.
• IP Address Reputation — This is the ultimate method to stay ahead of credential stuffing attacks. By limiting or blocking risky logins from proxies, VPNs, TOR, and high risk IP addresses, you can limit the effectiveness of botnets and automated behavior. Similar tools like device fingerprinting can also identify strange behavior patterns during login or registration.
• Dark Web Monitoring — Fraudsters purchase stolen user data on the dark web, and then use these compromised credentials to log into customer accounts for popular services like banks, investing & trading platforms, utilities, and much more. Monitoring user login details against dark web breaches can provide insight into which customer accounts have leaked data online, and are likely the next victim of a cybercriminal.
• Password Hashing — A simple method to detect credential stuffing which includes jumbling your password before storing it in both your database and the database of the company and unscrambling it at the time of the login only. It is not a full-proof method to prevent the attack, but the stronger the scrambling software, the safer your data is. At the least, it buys you some time to change your password at the time of the attack.
• Continuous authentication — An advanced method of identifying a credential stuffing attack by using factors like biometrics and other usage patterns like the user's behavior to determine the customer's real identity at any time. It is a full-proof method to prevent credential stuffing attacks but it does require significant investment and time to install.
• Multi-Factor Authentication (MFA) — A multi-factor authentication method is a common and useful tactic to detect credential stuffing attacks. It is a two-factor login method where after entering the username and password, it could ask the user for more detail or information. It could be anything from their biometric, a one-time password, or even the answer to a question that only the real user will know.

IPQS estimates that more than 30% of all login attempts per day for banks and financial institutions are bot generated or initiated by an unauthorized login attempt. Some of the fault is due to insecure passwords, such as short passwords which only contain letters, instead of requiring numbers, special characters, and minimum lengths.

Facing issues with account takeover or compromised logins? Get in touch with IPQS to completely protect your site and apps from high risk behavior.