Credential stuffing attacks: Defense and prevention - Kount

Credential stuffing attacks and how to prevent them

Credential stuffing should concern any business that stores anything of value behind customer accounts. That value isn’t limited to payment information and loyalty points or rewards. In credential stuffing attacks, bad actors target anything they can resell, including personal data.

An email icon, a target icon, and a password icon, captioned: "Bad actors need valid usernames or passwords for credential stuffing on a valid or targeted website."

Here, we’ll define credential stuffing attacks and common methods for credential-based attacks. Then we’ll explore how bad actors launch credential stuffing attacks and the consequences of these attacks. Finally, we’ll show you how to prevent credential stuffing attacks.

What is credential stuffing?

Credential stuffing is the automated injection of username-and-password (or email-and-password) pairs into login forms. In a credential stuffing attack, bad actors test hundreds of thousands of these combinations in quick succession on a target website.

In many cases, they’re trying to confirm which combinations of valid usernames and passwords will unlock an account. If a bad actor can unlock one account with a known combination, there’s a good chance they can unlock others with the same known credentials.

Common credential-based attack combinations

When bad actors acquire lists of user credentials, they want to test combinations on different websites as soon as possible. The severity of credential stuffing attacks can vary in scope, intensity, and duration.

But, overall, bad actors need valid usernames or passwords for credential stuffing attacks against a target website. In some cases, they already know a username or email address for the target site. In other cases, they have to find out which website their credentials match.

1. Known username or email, known target, unknown password
With this credential combination, the bad actor knows that a user has an account on the target site. But the bad actor doesn’t know the password associated with the account.

An email icon and a target icon in blue, and password icon in orange.

So they attempt a brute-force attack by trying a list of common passwords. Or they’ll attempt to crack the password by making thousands of attempts in quick succession. Bad actors use this method frequently in online gaming fraud to steal stored value on gaming accounts.

Accounts that use simple or common passwords, and websites with limited login controls, are most at risk for this credential-based attack.

2. Known username or email, known password, unknown target
With this credential combination, the bad actor has a list of username and password combinations from other site breaches. They test those combinations on the target site, like an online streaming service.

An email icon in blue, a target icon in orange, and a password icon in blue.

But they don’t know for sure if users have accounts on the target site. In these “spray and pray” attacks, bad actors know good credential combos but don’t know targets. Customers who reuse passwords across the web and target sites with only basic authentication controls are most at risk for this credential-based attack.

How bad actors launch credential stuffing attacks

Part of what makes credential stuffing attacks attractive to bad actors is basic human limitations. The average American has 27 online accounts, according to a Harris Poll and Google study. Among survey participants, 66% said they use the same password on more than one website.

Knowing that so many Americans take a lax approach to password security, it’s easy for bad actors to take advantage. So how do they do it?

When a bad actor breaches a company’s database, they acquire a list of usernames or emails and passwords for the company’s website. Following a breach, another bad actor may buy that list on the dark web for the purpose of credential stuffing. And those lists can be sold to many bad actors.

With a list of usernames and passwords in hand, the bad actor may use credential stuffing tools, such as software that’s built for the sole purpose of testing that list on a target website.

For example, a bad actor breaches a national coffee chain’s customer database. The next bad actor may purchase the credentials list to test on a national donut chain’s website, figuring people who buy a lot of coffee might also buy a lot of donuts.

After testing hundreds of thousands of credentials, the software tells the bad actor which combinations of usernames and passwords worked on the target site. The typical success rate for these attacks is between 1% and 2%. So if a bad actor tests 100,000 combinations of usernames and passwords in a single credential stuffing attack, then, at a 1% success rate, 1,000 of them unlock an account.

From there, the bad actor can conduct account takeover fraud attacks, stealing more customer information from those unlocked accounts or spending any loyalty points or rewards themselves. In some cases, they won’t take anything from the unlocked accounts but sell their list of known credentials to the next bad actor.

A bad actor using more advanced methods for credential stuffing may launch a botnet attack. In a botnet attack, bad actors infect computers or Internet of Things (IoT) devices with malware.

IoT devices are any devices that connect to the internet to function — think doorbells, refrigerators, and even baby monitors. There are over 30 billion active IoT devices on the planet. Bad actors can configure that malware to do a number of things, including credential stuffing attacks.

Consequences of bot-related credential stuffing attacks

With the adoption of new digital channels and experiences, there is more value locked behind logins than ever, which makes credential stuffing defense all the more important. For the victims of credential stuffing attacks, the damage hits more than the balance sheet.

Once a bad actor unlocks user accounts, they can take over an account to mine more customer data or access proprietary company information. They can make purchases using stored value or commit loyalty fraud. Using known credentials, bad actors can even create fake accounts and commit synthetic identity fraud on other websites.

The consequences are even more severe if a bad actor is launching botnet attacks. As businesses in Kount’s Bot Landscape and Impact Report found, bot-related attacks can crash websites, compromise customer data, freeze inventory, and leak proprietary company data. Some businesses even reported losing partnerships to bot-related attacks.

A radial chart that outlines the consequences of bot-related attacks, ranging from crashed websites to proprietary information leaked.

Credential stuffing attack prevention

Traditionally, high-value targets like bank accounts and payment portals have been the target of credential stuffing attacks. But any business that has transitioned to a more digital experience is a potential target.

Credential stuffing attack prevention starts with a robust digital fraud solution. Kount's Identity fraud solutions help businesses stop malicious or unusual login activity and, as a result, protect against credential stuffing, bot attacks, and account takeover.

Let’s say a user attempts to log into an account from a new or previously unknown device. Because the site doesn’t recognize the device, it asks the user if it can remember that device in the future. Kount’s device intelligence capabilities help businesses manage the relationship between users and their devices.

Plus, Kount’s solutions use machine learning to connect a user’s trusted devices. Businesses can also set up multi-factor authentication on new or unknown devices. And if an account sees a set number of failed login attempts from unknown devices, it may indicate a credential stuffing attack.

Meanwhile, bots often use high-risk IP addresses, which Kount’s IP Risk capabilities can help detect. And if an IP address starts to exhibit anomalous behavior, Kount’s IP Anomaly Detection can identify it.

Finally, Kount's machine learning identifies anomalous attributes from across the Identity Trust Global Network™. So if a business sees, for example, higher-than-average transaction or chargeback velocities from one IP address in a short time, it may indicate a bot attack.

And it’s not just one or two potentially anomalous events Kount’s network can identify. The Identity Trust Global Network links signal data from billions of annual interactions across 250 countries and territories, over 75 industries, and over 50 payment processors and card networks. The result is blocked payments fraud and account takeover prevention in real time.
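The two attack patterns described earlier (many password guesses against one known account, versus one known password tried once against many accounts) and the login signals described in this section (failed attempts from unknown devices, unusual velocity from one IP address) can be turned into simple detection rules. The following is an added example, not Kount's code or any Kount API; the thresholds, the event fields, and the sample log are assumptions constructed for illustration, and a real deployment would tune them to its own traffic.

```python
"""Heuristic login-anomaly detection over constructed authentication events.

Added example, not Kount's code. All thresholds below are assumed values
that a defender would tune to their own login traffic.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class LoginEvent:
    ts: datetime          # when the attempt happened (UTC assumed)
    ip: str               # source address of the attempt
    username: str         # account the attempt targeted (never the password)
    success: bool         # whether the password check passed
    device_known: bool    # whether this user has trusted this device before


# Tunable thresholds (assumed values, not from the article)
WINDOW = timedelta(minutes=5)
STUFFING_MIN_USERS = 5         # distinct accounts from one IP inside WINDOW
STUFFING_MIN_FAIL_RATIO = 0.8  # share of attempts in the window that failed
BRUTE_MIN_FAILS = 10           # failures on a single account from one IP
MFA_UNKNOWN_DEVICE_FAILS = 3   # failed unknown-device attempts per account


def classify_ip_windows(events):
    """Slide WINDOW over each IP's events and label the pattern seen.

    Returns {ip: label} where label is 'credential_stuffing' (many accounts,
    mostly failures: the 'known password, unknown target' pattern),
    'password_guessing' (one account hammered: the 'known target, unknown
    password' pattern) or 'normal'.
    """
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        by_ip[e.ip].append(e)

    verdicts = {}
    for ip, evs in by_ip.items():
        label = "normal"
        start = 0
        for end in range(len(evs)):
            # Advance the window start so evs[start..end] spans at most WINDOW.
            while evs[end].ts - evs[start].ts > WINDOW:
                start += 1
            window = evs[start:end + 1]
            fails = [e for e in window if not e.success]
            users = {e.username for e in window}
            fail_ratio = len(fails) / len(window)
            # Spray-and-pray: many distinct accounts, almost all failing.
            if len(users) >= STUFFING_MIN_USERS and fail_ratio >= STUFFING_MIN_FAIL_RATIO:
                label = "credential_stuffing"
                break
            # Brute force: one account absorbing many failures from one source.
            per_user_fails = defaultdict(int)
            for e in fails:
                per_user_fails[e.username] += 1
            if per_user_fails and max(per_user_fails.values()) >= BRUTE_MIN_FAILS:
                label = "password_guessing"
                break
        verdicts[ip] = label
    return verdicts


def accounts_needing_step_up(events):
    """Accounts with >= MFA_UNKNOWN_DEVICE_FAILS failures from unknown devices.

    A site that remembers trusted devices can require multi-factor
    authentication on the next unrecognised-device login for these accounts
    instead of locking them outright.
    """
    fails = defaultdict(int)
    for e in events:
        if not e.success and not e.device_known:
            fails[e.username] += 1
    return sorted(u for u, n in fails.items() if n >= MFA_UNKNOWN_DEVICE_FAILS)


def sample_events():
    """Constructed sample log: one stuffing source, one guessing source, one normal user."""
    t0 = datetime(2022, 3, 1, 12, 0, 0)
    evs = []
    # 203.0.113.9 tries 8 different accounts once each; only the 4th succeeds.
    for i in range(8):
        evs.append(LoginEvent(t0 + timedelta(seconds=i), "203.0.113.9",
                              f"user{i}@example.com", i == 3, False))
    # 198.51.100.4 hammers a single account 12 times from an unknown device.
    for i in range(12):
        evs.append(LoginEvent(t0 + timedelta(seconds=10 * i), "198.51.100.4",
                              "victim@example.com", False, False))
    # 192.0.2.7 is a legitimate user who mistyped once on a trusted device.
    evs.append(LoginEvent(t0, "192.0.2.7", "alice@example.com", False, True))
    evs.append(LoginEvent(t0 + timedelta(seconds=20), "192.0.2.7", "alice@example.com", True, True))
    return evs


if __name__ == "__main__":
    evs = sample_events()
    print(classify_ip_windows(evs))
    print(accounts_needing_step_up(evs))
```

The classifier deliberately keys on the shape of the traffic rather than on any single failed login: a stuffing source shows breadth (many accounts, few attempts each), a guessing source shows depth (one account, many attempts), and a legitimate user who mistypes once triggers neither rule. The step-up list feeds the "MFA on new or unknown devices" control the article describes, so an account under attack gets a second factor rather than a lockout that would punish the real owner.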

Let us show you how Kount prevents credential stuffing attacks

March 1, 2022
https://kount.com/blog/credential-stuffing-and-how-to-prevent-attacks/