Credential stuffing attacks are a costly headache: the Ponemon Institute found that businesses lose an average of $6 million per year to lost customers, increased IT costs, and other fallout. The pervasive problem of password reuse fuels credential stuffing, and these attacks can only be expected to increase as more credentials are exposed in new breaches and posted on the Dark Web in near real time for attackers to use in future campaigns.
Unpacking the Credential Stuffing Problem
Credential stuffing is hardly a new security concern: 10 billion credential stuffing events were recorded in the first three months of 2022 alone. In 2023, high-profile brands such as 23andMe, UnitedHealthcare, PayPal and Norton LifeLock were hit with credential stuffing attacks. In March 2024, streaming company Roku disclosed a credential stuffing attack that affected more than 15,000 customers. The problem persists, making it a matter of when, not if, a retailer will be victimized unless it strengthens the password layer.
Credential stuffing attacks are extremely popular because they enable threat actors to conduct a range of activities, including:
- Account Takeover: Attackers gain unauthorized access to user accounts and can steal sensitive data or financial information, or take other actions that expose personally identifiable information (PII).
- Phishing and Social Engineering: Once accounts have been compromised, they can be used to launch phishing and social engineering attacks, which puts other accounts at additional risk. The rise of generative artificial intelligence is contributing to this issue, as threat actors use these tools to craft more convincing phishing emails that trick people into sharing sensitive information.
- Data Breaches and Privacy Violations: As mentioned, compromised credentials can be used to fuel additional data breaches, which can result in financial loss, reputational damage and privacy violations.
How to Fight Back
For these and other reasons, retailers must implement a layered security approach that neutralizes credential stuffing as a threat vector. Considerations include:
- Replace email with usernames. Email addresses have historically been the go-to for site logins, but this effectively rolls out the welcome mat for would-be credential stuffers, because leaked credential lists are keyed by email address. Requiring users to select a site-specific username at registration breaks that ready-made pairing and makes a successful credential stuffing attack significantly harder. The username must not be derivable from the email address or displayed publicly, and this control complements rather than replaces the others below: a reused password is still a reused password.
- Double-down on multifactor authentication (MFA). MFA provides a strong defense against credential stuffing. However, because it also introduces friction into the login process, many consumer-facing sites are hesitant to enforce it. Brands should revisit this decision in light of the heightened threat landscape or, at the very least, require a second factor in scenarios that suggest the login attempt may be fraudulent, e.g., when the request comes from a new browser, device or IP address, or originates from an unusual country or location.
- Consider CAPTCHA. Requiring shoppers to correctly complete a CAPTCHA can stop many automated login attempts, but the technology is far from perfect (CAPTCHA-solving services are cheap and widely available, so it raises the attacker's cost rather than blocking them) and many companies balk at enforcing it for every login. As outlined above, requiring it only when the login appears unusual can help strike the right balance between security and user friction.
- Implement risk-based authentication. A related approach is to deploy risk-based authentication tools. These assess the likelihood of account compromise at every login and require additional factors if the request is deemed suspicious, e.g., a one-time password (OTP), security questions, verification links sent to email, or biometrics. Note that security questions and emailed verification links are weak second factors: answers are often discoverable or already exposed in the same breaches, and an attacker who holds a reused password may hold the mailbox too.
- Ensure a right-sized lockout policy. Another best practice is a policy that locks (or throttles) an account after a number of failed attempts within a window, sized appropriately to the industry and the nature of the data at hand. Two caveats apply. First, attackers know the threshold and keep per-account attempts below it, typically one or two guesses per account spread across many accounts, so per-account lockout must be paired with per-IP and global rate limits. Second, an aggressive lockout lets an attacker deny service to legitimate users by deliberately failing their logins, so prefer temporary lockouts or progressive delays over permanent locks.
- Test device fingerprinting. Retailers can implement device fingerprinting to determine when one device is linked to numerous accounts, or to spot other suspicious device-related behavior suggestive of fraudulent activity.
- Incorporate credential screening. Because compromised passwords are a primary driver of credential stuffing attacks, screening for their exposure at every login can go a long way in preventing the threat. There are various ways to address this, with many brands historically purchasing static blocklists of compromised or weak credentials or even curating their own. However, that approach is no match for today's relentless onslaught of breaches, as it fails to catch newly exposed username and password pairs. Increasingly, brands are incorporating Dark Web monitoring into their password hygiene strategy, as well as vetting credentials against a continuously updated database to protect against credential stuffing and other threat vectors. Whatever the source, the screening should never ship the plaintext password to a third party; query by hash or partial hash so the full credential stays on the brand's own systems.
The Path Forward
In addition to the initial financial impact of credential stuffing, brands face reputational damage, the possibility of customer attrition, and a long road to rebuilding consumer trust. Following the steps outlined above can help retailers avoid these struggles and build a stronger foundation that protects not only against credential stuffing attacks but also against a variety of other password-based threats. With stolen credentials involved in over 80 percent of the breaches studied in Verizon's most recent DBIR, strengthening the password layer is a security priority no brand should overlook.
Mike Wilson is the founder and chief technology officer of Enzoic, a provider of threat intelligence solutions.