Credential stuffing as a hacking attempt of any kind in which the perpetrator uses credentials obtained from another data theft or data breach on another website or system to attempt to log in to another unrelated website or system.
“For example, a hacker may use a list of credentials obtained from a data breach of a major eCommerce website (let’s say, Amazon) and then use the same usernames and passwords to try and log in to Gmail.”
In such cases, the perpetrator is exploiting the fact that many people use the same username and password for different services and is hoping that some of the eCommerce users reused their credentials on Gmail.
Many lists of breached credentials were being sold and even shared publicly on various forums, black markets, and the dark web. As a result, credential stuffing attacks have been on the rise in the past couple of years, paired with the fact that there have been major advancements in various credential stuffing tools and sophisticated bots that can mimic human behaviours and get around traditional identification techniques.
In this guide, we will discuss with DataDome how to detect credential stuffing attacks and the effective methods to prevent them.
How To Prevent Credential Stuffing Attack?
Two-Factor or Multi-Factor Authentication
Utilizing multi-factor authentication (MFA) is one of, if not the most effective ways to protect your website against credential stuffing attacks.
The idea behind two-factor authentication is to require a second (or more) authentication form than the password. So, even when a user’s credential has been stolen, the simple username-password combination won’t be enough for the perpetrator to launch a credential stuffing attack.
The second or more factor can be:
- Something you know: for example, the answer to a security question, PIN, graphic patterns, and more.
- Something you own: for example, a USB dongle or token, a one-time verification code sent to a device owned by the user, etc.
- Something you have: for example, fingerprint, face ID, or iris scan
However, although MFA is very effective in credential stuffing attack prevention, it is still relatively not popular due to how it impacts user experience (UX). Two-factor authentication will mean that it would take longer for the legitimate user to log in to your service, and might deter them.
With that being said, you might want to consider only implementing MFA contextually rather than requiring it in every situation. For example, you can create an adaptive system where you would only require MFA during a suspicious action (i.e. repeated requests to the same page).
“Yet, more and more people are now familiar with the practice of using two-factor authentication, and there’s also the increasing intuitiveness of two-factor authentication methods, making it easier and faster to use by users”
In the near future, we can expect more websites and services to adopt MFA as their default authentication method. For example, in February 2020 Google announced that all Nest users would be required to use two-factor authentication.
Common Prevention Measures for Credential Stuffing
Below are some effective credential stuffing attack prevention methods you can implement:
Since many credential stuffing attempts are done by automated programs (bots), CAPTCHA can help in preventing these automated login attempts. Similar to two-factor authentication, however, a CAPTCHA can disrupt user experience (UX) and should be used sparingly or only during suspicions of automated attacks.
Also, a CAPTCHA is not perfect and won’t prevent 100% of automated logins and credential stuffing attacks. Even after considering all these issues, however, CAPTCHA is still effective in preventing credential stuffing.
Limiting Access Based on IP
A pretty basic but effective approach is to block less sophisticated attacks that only rotate between a small number of IP addresses. We can blacklist IP addresses or a range of IPs after a specific number of failed login attempts.
However, there are two main principles in IP blacklisting: the blacklist should be temporary so you can reduce the likelihood of blocking legitimate human users (false negative), and you should track login failures separately for each user.
You should consider storing the users’ IP addresses to trace IP addresses that successfully logged in, so you don’t accidentally block legitimate users from logging in. Also, when this user logs in from other IP addresses, you can notify the user immediately or even block the account altogether if necessary.
Besides tracing for IP addresses and blocking suspicious activities based on IP address, we can also use various factors to ‘fingerprint’ users, such as:
- Device’s signature
- The operating system of the device
- Browser used to access your site/service
- Language used
So, if it doesn’t match the user’s previous fingerprint, you can ask this client for additional authentication (via CAPTCHA or asking security questions, for example). However, keep in mind that users might own multiple devices and might share the account with other friends or family members, so you’d need to be smart in identifying and blocking suspicious activities that don’t match the previous fingerprints.
Create An In-Depth Defensive Layer
The idea of the following methods is to make the credential stuffing attack more time consuming and more difficult to implement, with the hope that the attacker might give up.
While these following methods might not be 100% sufficient in preventing credential stuffing attack, we can use these to defend against opportunistic attackers without the aid of sophisticated bots:
Identifying and blocking headless browsers
“However, if you block the traffic outright, the attacker might devise a countermeasure, so sometimes limiting/throttling the traffic and silently limiting the action.”
Tracking Login Success Ratio
Above, we have mentioned how we should analyze various factors of user ‘fingerprints’ to identify between legitimate users and attackers. So, we can configure alerts on the login success ratio for this specific user. While you’ll never have legitimate traffic with a login success rate of as low as 0.1% to 10%, credential stuffers can achieve these numbers.
Credential stuff attackers can reach a success rate of close to 0%, so it’s fairly easy to identify. Tracking login success ratios that are very low is a massive sign of credential stuffing attempts.
While there isn’t a 100% way to stop credential stuffing attacks where user’s usernames and passwords have been compromised, the methods we have shared above are effective in identifying, preventing, and mitigating the effects of credential stuffing attempts. You can also use credential stuffing mitigation and protection solutions to actively prevent credential stuffing attacks.
Above, we have discussed the concept of credential stuffing, and how we can assess the risk for our websites and prevent the attack.