Credential stuffing is back in the news. A large US company recently suffered a credential stuffing attack that exposed its users' information, underscoring the need for businesses to adopt stronger identity authentication measures to safeguard customer data.
Why is credential stuffing important?
Credential stuffing is a cybersecurity threat where hackers use stolen credentials to attack web infrastructures and take over user accounts. The attack uses bots for automation and scale and assumes – correctly, unfortunately – that many users reuse the same usernames and passwords across multiple services.
It is a common type of attack and one of the most common causes of data breaches because 65% of all people reuse the same password on multiple (and sometimes all) accounts.
What is the success rate of credential stuffing?
Taken as a whole, credential stuffing has a low success rate: estimates range from 1% to 3% (Recorded Future) to 0.2% to 2% (Shape Security). It remains a popular attack method because it takes so little effort and is very cheap to execute.
Hence, for every one million random email-and-password combinations, attackers can potentially compromise between 10,000 and 30,000 accounts. Moreover, the same database can then be reused against dozens of different websites, yielding even higher profits.
The total number of stolen credentials in 2020 was still 1.86 billion, which represents almost a quarter of the entire population of Earth, and still more than enough for attackers to make a living from their theft, resale, and exploitation.
Even though credential stuffing has a low success rate, its growing frequency seems to indicate that we are seeing a previously chaotic market stabilize as it reaches greater maturity, and not that we’re winning the war.
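The low success rate and high volume described above are themselves a detection signal. The following is an added example (mine, not ValidSoft's) of a defender-side heuristic run over constructed login log lines: a forgetful human fails a few times on one account, whereas a stuffing bot hits hundreds of distinct accounts from one source with roughly 1% success. The log format and thresholds are assumptions.

```python
from collections import defaultdict

# Constructed sample log (format is an assumption): "<source_ip> <username> <result>".
# A forgetful human: a few failures on one account, then success.
SAMPLE_LOG = [
    "203.0.113.7 alice FAIL",
    "203.0.113.7 alice FAIL",
    "203.0.113.7 alice OK",
]
# A stuffing bot: 200 attempts, 200 distinct usernames, 3 successes (1.5%),
# squarely inside the 0.2%-3% range quoted in the text.
SAMPLE_LOG += [f"198.51.100.9 user{n} {'OK' if n % 67 == 0 else 'FAIL'}" for n in range(200)]


def summarize(lines):
    """Per source IP: total attempts, set of usernames tried, successful logins."""
    stats = defaultdict(lambda: {"attempts": 0, "users": set(), "ok": 0})
    for line in lines:
        ip, user, result = line.split()
        s = stats[ip]
        s["attempts"] += 1
        s["users"].add(user)
        s["ok"] += result == "OK"
    return stats


def flag_stuffing(lines, min_attempts=50, min_distinct_ratio=0.8, max_success_rate=0.05):
    """Return sources whose pattern matches credential stuffing: high volume,
    almost every attempt against a different account, and a success rate
    in the low single digits. Thresholds are hypothetical starting points."""
    flagged = {}
    for ip, s in summarize(lines).items():
        if s["attempts"] < min_attempts:
            continue
        distinct_ratio = len(s["users"]) / s["attempts"]
        success_rate = s["ok"] / s["attempts"]
        if distinct_ratio >= min_distinct_ratio and success_rate <= max_success_rate:
            flagged[ip] = {"attempts": s["attempts"],
                           "distinct_users": len(s["users"]),
                           "success_rate": round(success_rate, 4)}
    return flagged


def accounts_to_reset(lines, flagged):
    """Accounts a flagged source logged into successfully: the password-reuse
    victims whose credentials should be reset and sessions revoked."""
    return sorted(user for line in lines for ip, user, result in [line.split()]
                  if ip in flagged and result == "OK")


if __name__ == "__main__":
    hits = flag_stuffing(SAMPLE_LOG)
    print(hits)
    print("reset:", accounts_to_reset(SAMPLE_LOG, hits))
```

In production the same counters would be kept per source over a sliding window and keyed additionally by ASN or device fingerprint, since bots rotate IPs.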
What is the best defense against credential theft?
Many businesses have implemented multi-factor authentication solutions to reduce their exposure to credential stuffing fraud. While that strategy is a positive step, credential stuffing is only one of many forms of fraud directed not only at passwords and other knowledge factors but also at multi-factor solutions such as SMS-based OTPs. Most of these solutions have proved vulnerable to advances in fraudulent techniques such as social engineering, credential harvesting, SIM swapping, SMS/OTP interception, and other sophisticated forms of identity theft and hacking.
We need to start with the basic facts about the need to guarantee the identity of the user.
- Any form of knowledge (passwords/PINs/KBA) or possession factors (PKI, mobile phones, hardware, etc.) does not guarantee identity. It only provides assurance that someone, anyone, is in possession of that information or device.
- Solutions based on knowledge or possession factors are therefore built purely on trust that the correct person is in possession of that information or device. And trust is not a foolproof attribute for a security solution.
Consider using a two-dimensional passwordless authentication model: a combination of voice with a one-time passcode (OTP). Combining a probabilistic factor (voice) with a deterministic factor (OTP) significantly amplifies the mathematical strength and accuracy of the authentication model and guarantees identity.
To learn more about our enterprise-grade identity guaranteed products and solutions and how we can help you deliver frictionless passwordless authentication, contact us at www.validsoft.com