The value of a stolen account. A look at credential stuffing attacks.

A type of credential reuse attack known as credential stuffing has been recently observed in higher numbers towards industry verticals. Credential stuffing is the process of automated probing of and access to online services using credentials usually coming from data breaches, or bought in the criminal underground.

Even though users are not at fault of the online breaches that are usually the prime source of these accounts, they are definitely exposed not only at the immediate time the breaches have occurred but also time after, once these dumps of credentials are stored, shared and sold in the underground.

What is the value of an account?

Accounts can have significant value depending on context and the data that malicious actors are pursuing. Accounts can be found for sale not only in the dark web but also in the clearnet.

Account market on clearnet

The value of these accounts that have been stolen, purchased or found in the very large data breach dumps gets higher if it allows criminals to access financial services. Recent reports by AKAMAI technologies and Shape Security indicate that the most targeted services in this type of attacks are retail, social media, financial, travel and hospitality.

These attacks are unfortunately fueled by three elements:

• Continuing breaches of very large online services. These breaches are almost announced on a daily basis and usually result in very large dumps of credentials.
• User reuse of credentials across online services. Users will use easy-to-remember and simple passwords repeatedly in many of the online services they access, for example, using the same password in Facebook and their financial institution.
• A criminal underground market, that stores, shares, hoards and sells these credentials for profit, as well as develops tools that enable these types of attacks. The cost of doing cybercrime is usually significantly lower than the cost to defend against it.

What can we do about it? 

There are many things that can be done from the user’s side and organization’s side to protect against these types of attacks. There has been some chatter about getting rid of passwords altogether, which some services have done, using time-based one time password type applications.

This is definitely a step ahead, but not all online institutions can set up passwordless authentication and some of these setups require several steps that many common users are not willing to go through. Institutions should at least protect authentication data with the highest possible encryption mechanism available, and make sure that in the event of compromise, such credentials cannot be reused. Companies also can enforce password policies that will force users not to repeat or choose easily guessable passwords as well as enforcing multi-factor authentication. There are also several measures that can be applied to fight credential stuffing attacks.

From the user’s perspective there also some measures that can be taken to prevent these attacks.

• Use random passwords (combine alphanumeric characters).
• Use password vaults (LastPass, KeePass, etc).
• Use multifactor authentication when possible (Google Authenticator, Microsoft Authenticator, Authy, Yubikey, etc).
• Change passwords often, do not reuse them.