Taking the ‘stuff’ out of credential stuffing
Marketers can help secure accounts with multi-factor authentication because it's likely attackers will turn it on and make it harder to recover from a takeover.
We’re only human. You’ve heard that phrase before. Right?! We’re only human is a phrase readily applied to universal faux pas and shortcomings – one that highlights how our temporal existence all too often falls short of expectations. Read another way, we can only do so much. And this is exactly what cybercriminals depend on to take advantage of our desire to uncomplicate our lives. Let’s stop and consider the following: how often do you use the same email address or user name, and password to log into different websites? I thought so. We all do it. It’s a universal habit given how many times we log into our work account, social media, shopping and other digital properties (not to mention our phones) throughout the course of a day. Let me ask another question: how many of you use the same four digit pin to access your mobile phone as you do your bank account? I rest my case.
What is credential stuffing?
The internet has permeated every corner of our lives – it is how we bank, shop, and during the age of COVID-19, how we order groceries, deliver food, communicate, attend webinars, join video calls, and so much more. As you know, each of these actions requires a login. Like a good chef, who will use every part of an animal (down to the bones) to make a rich stock, bad actors use every bit of data siphoned from one data breach to conduct their next attack. A treasure trove of user information isn’t just harvested for the credit cards to use in purchasing illicit goods or paying for services, the usernames and passwords are then often used to gain entry, in an automated fashion, to other websites and platforms. This is what a credential stuffing attack is in its simplest and most basic form.
However, acquiring user credentials doesn’t require theft. There are markets on the dark web that routinely traffic in stolen credentials. Remember the analogy of a chef, those bits of stolen data are separated and sold over and over again because they each possess a value on the dark web. In addition to value, they possess a utility to a bad actor that will leverage them to create more chaos and havoc leading to the compromise of other platforms—invariably leading to identity theft and potentially much worse.
We can all agree that identity theft is the scourge of the internet, a shared resource that we find indispensable in this day and age. However, stealing identities is far from the only thing that hackers can do. When attackers took over the Twitter account of the Spanish football club FC Barcelona they used it to send bogus tweets. Similar attacks have been launched against Statefarm and Dunkin Donuts. The most recent Verizon Data Breach Investigations Report found that 80% of breaches that include hacking are brute force attacks, or leverage lost or stolen credentials (i.e. credential stuffing). The Open Web Application Security Project classifies credential stuffing as a subset of brute force attacks. The difference is that a brute force attack uses no context and just tries to guess password and login credentials. These are also sometimes called dictionary attacks. Credential stuffing, however, uses known password and login credential combinations to make the process far more targeted and likely to succeed.
Feel uneasy? You should. I don’t mean to downplay the significance of identity theft – it’s horrible and can take months to clean up – I know, I had to do it for my wife’s accounts. However, account takeovers can have massive consequences – imagine if an attacker was to get a hold of a government officials’ personal email account. Think of the information and secrets they would find and the damage they could wreak if they began to send emails as that government official.
Protecting our shared infrastructure begins with understanding that we are all our personal CISO, and therefore are responsible for securing each and every account we use against attacks. And guess what else? Marketers can help because they are the tip of their company’s brand—marketers are the stewards of the brand experience and how a given product or service is perceived in the industry. Everyone – including marketers – plays a role in making sure that the internet thrives.
Basic cybersecurity for marketers
Now that we’re aligned on the need to become savvier with our personal cybersecurity, therefore helping our companies by being good stewards of our own logins, let’s talk about how to make that happen.
- Don’t reuse the same login name and password across multiple sites. Use different passwords in conjunction with a login name. Should one of the passwords get compromised, it’s highly unlikely that other accounts can then be compromised as a result.
- Use complex passwords. And yes, your pet’s name is not a complex password even if you capitalize every other letter and put an exclamation mark at the end. Wait, did I just give you my pAsSwOrD!?
- Use a password manager. When I started this article I mentioned how we’re all fallible, and being human in a digital world is hard. It’s true. Remember that many passwords are nearly impossible unless you have a photographic memory.
- As much as you can, rotate your passwords. This is just good password hygiene. If you’ve been using the same simple password on a website for the last 10 years, it’s time to update it and make a habit of changing it every so often. The more critical the site (like your banking website) the more often you should update and change that password. For those of you that work at companies with strict password policies that force you to update it every 30, 60 or 90 days, that’s done for a reason. It’s not just to make your lives more difficult, it’s to make the company more secure. Take that as a queue and apply it to your own life. Also, apply it to the customer experience your applications and e-commerce shops have waiting for your customers.
- Ask your customers to choose passwords that are long and complicated with special characters, numbers and combinations of capital letters.
- Ask your customers to change their passwords at least once a year if not more often, or if they haven’t logged-in in a really long time.
- The single most effective way to secure your accounts is by using multi-factor authentication (MFA). Multi-factor authentication is using a secondary device to access an account online — like receiving a text to a mobile phone when attempting to log in, or having to open an authenticator app that issues a code to access a site. According to Microsoft, using MFA blocks 99.9% of account attacks! What’s more, if you don’t turn on your account’s MFA then there’s a high likelihood that attackers will turn it on for you and make it harder to recover, according to a recent article by cybersecurity reporter Brian Krebs. Yes, it’s an extra step, but it is one that can vastly diminish the ability of an attacker to gain access to your platform, or worse, your customer’s experience, on your platform or service.
As much joy as the internet brings us, it can bring equally as much – if not more – anxiety and pain, should our critical accounts fall into the hands of criminals. It’s important that we pause and consider just how simple our online lives could be, should we take the minor precautions necessary to keep our identities and our critical assets secure. Because I assure you, the bad guys are watching and constantly probing our defenses – it’s just how they operate.
Marketers can help build good habits by insisting their sites require things like MFA, and complex passwords that are rotated. Because if our e-commerce experience evolves, then we may all be more likely to evolve our personal security habits for things like email and banking. We are all creatures of habits – it’s high time we started engaging in better security ones.