[BreachExchange] How to avoid credential stuffing attacks

Inga Goddijn inga at riskbasedsecurity.com
Wed Aug 3 20:34:52 EDT 2016


http://www.techrepublic.com/article/how-to-avoid-credential-stuffing-attacks/

The BBC reported last week <http://www.bbc.com/news/technology-36764548>
that private customer data (email addresses, phone numbers, passwords and
birth dates) owned by British mobile network O2 was stolen and then sold on
the "dark net" by hackers. The dark net, or dark web, refers to a shady
part of the internet, outside the realm of search engines and accessible
only by certain browsers, where criminals often engage in dishonest or
illegal practices.

This isn't a data breach per se, as O2 systems were not directly
compromised. According to the article, hackers got into accounts by a
process called credential stuffing. This entails using special software to
"repeatedly attempt to gain access to customers' accounts by using the
login details it has obtained from elsewhere." In this case, the hackers were
trying login credentials stolen three years ago from a gaming website
called XSplit. In some cases, users had the same username and password, so
the login was successful.

This can lead to further problems for victims of this technique. If the
passwords match those of accounts on other systems or sites these accounts
may be compromised, or criminals might commit identity theft using the
private data of their victims. Some O2 users have already reported
fraudulent activity occurring on other accounts they own.

The source of the problem - and the solution - are fairly obvious here.
Using the same password in multiple places is a very bad idea. "Password
re-use can cripple even the most secure systems," stated Travis Smith,
senior security research engineer at Tripwire <http://www.tripwire.com/>.
"Using authentic credentials rather than attempting to leverage exploits is
less risky for the attacker, as security tools are more likely to detect an
active exploit. Since passwords are commonly re-used across websites,
stolen credentials from one breach are often used across other sites."

I spoke further with Smith about the details behind the O2 incident.

*How did this attack happen?*

TS: "Indications are that this was a password re-use attack. Criminals
compile credentials stolen from other breaches and attempt to authenticate
against unsuspecting websites. It's impossible for a website to know if
their user's passwords are re-used elsewhere on the internet. Deploying
anomaly based detection tools, such as detecting and/or preventing a user
from logging in from a new IP address, can help incidents such as this.
However, deploying these tools is complex, costly, and may produce too many
false positives to the end-user, which means businesses may not get an
adequate return on investment compared to other security technologies."
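The two signals Smith describes can be expressed as simple detection logic over an authentication log. The following is an added illustration, not code from the article, Tripwire or O2: the log format, the user/IP baseline and the thresholds are all constructed for the example, and it flags both a single source walking through many accounts (the dump-replay pattern) and a successful login from an IP not in a user's history (the "new IP address" anomaly, including its false-positive cost).

```python
from collections import defaultdict

# Constructed sample log: timestamp, user, source IP, outcome (not real data)
SAMPLE_LOG = """\
2016-08-01T10:00:01 alice 203.0.113.5 ok
2016-08-01T10:00:02 bob 203.0.113.5 fail
2016-08-01T10:00:02 carol 203.0.113.5 fail
2016-08-01T10:00:03 dave 203.0.113.5 fail
2016-08-01T10:00:03 erin 203.0.113.5 ok
2016-08-01T10:00:04 frank 203.0.113.5 fail
2016-08-01T10:05:00 alice 198.51.100.7 ok
2016-08-01T10:06:00 bob 198.51.100.7 fail
2016-08-01T10:06:30 bob 198.51.100.7 ok
"""

# Constructed baseline: IPs each user has logged in from before this window
KNOWN_IPS = {"alice": {"198.51.100.7"}, "bob": {"198.51.100.7"}, "erin": {"192.0.2.9"}}

def parse(log):
    """Return (timestamp, user, ip, success) tuples from the constructed format."""
    return [(ts, user, ip, outcome == "ok")
            for ts, user, ip, outcome in (l.split() for l in log.splitlines())]

EVENTS = parse(SAMPLE_LOG)

def stuffing_sources(events, min_users=4, max_success_ratio=0.5):
    """Source IPs that tried many distinct accounts with mostly failures.
    Replaying a password dump walks one client through many usernames and only
    the re-used passwords succeed; thresholds here are illustrative, not tuned."""
    users = defaultdict(set)
    totals = defaultdict(lambda: [0, 0])  # ip -> [attempts, successes]
    for _, user, ip, ok in events:
        users[ip].add(user)
        totals[ip][0] += 1
        totals[ip][1] += int(ok)
    return sorted(ip for ip, seen in users.items()
                  if len(seen) >= min_users
                  and totals[ip][1] / totals[ip][0] <= max_success_ratio)

def new_ip_logins(events, known_ips):
    """Successful logins from an IP absent from that user's baseline.
    Also fires on a legitimate user logging in from somewhere new (alice's
    first login below), which is the false-positive cost Smith mentions."""
    return [(ts, user, ip) for ts, user, ip, ok in events
            if ok and ip not in known_ips.get(user, set())]
```

Against the sample log, `stuffing_sources` returns only 203.0.113.5 (six usernames, two successes), while `new_ip_logins` flags alice's and erin's successful logins from that address.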

*How common is this type of attack?*

TS: "It's difficult to gauge how common this type of attack actually is.
Attackers are logging in with valid credentials which don't raise any
security alarms on the target website. Only when the resulting data is
marketed and sold on the black market is it made public that the website
was a targeted victim of password stuffing. What we do know is that it's
incredibly easy for criminals to parse through a password dump and automate
the procedures to test if the credentials are valid on any number of
websites."

*How can end users leverage password managers and two-step authentication?*

TS: "Many password managers are available for end users, including some
which are free. The benefit of a password manager is that it allows end
users to easily create not only unique passwords for each service, but more
importantly create long, complex, and random passwords which are not easily
guessed through brute force techniques. As long as the manager's password
is sufficiently complex and not easily guessed, this is a great way to keep
an end user's identity safe.

Two step authentication is more difficult for an end user, simply because
it's up to the web service to implement that feature for their website.
Generally speaking, the user has to prove they own a separate device to
gain access to the service. This can be something such as a text message
sent to a phone, a rolling passcode, or a key fob in their possession. No
matter the technique, the end-goal is to make it harder for an attacker to
gain access to another person's account. Even if a password is stolen, the
attacker will need access to the secondary device to gain any legitimate
access."

*What can IT do to protect users?*

TS: "First and foremost they should practice what they preach. Enabling
two-factor authentication on company-owned assets such as email and
intranet sites will force employees to understand the overall procedures of
using something such as two-factor authentication. Most end-users either
aren't aware of two-factor authentication or consider it too cumbersome to
use unless it's a requirement. When employees are forced to perform these
activities on a daily basis, it becomes a routine. By making security a
routine, employees are more likely to choose security features such as
two-factor authentication, even when it's not required."

Two examples of password managers are KeePass and Password Safe. Both are
free and securely store account details such as user IDs, passwords and
website links within a central encrypted database. The ability to copy and
paste details makes them user-friendly and the database can be shared among
multiple individuals such as family members or coworkers. It's also
possible to store the associated files in Dropbox or Google Drive so they
will be synchronized to all devices registered with these services.

There is a cost factor involved with two step authentication in the form of
either physical devices or additional IT labor/customer inconvenience.
(It's important to weigh this cost against the cost of a data breach,
though.) Therefore, these implementations will likely grow more
rapidly in private companies than on public websites like Amazon or eBay.
However, as the security landscape continues to evolve we can expect this
technology to grow in popularity and prevalence, and users can - and should
- start protecting themselves immediately with password managers.