The number of cyberattacks that resulted in large-scale credential thefts doubled between 2016 and 2020, according to a report by security vendor F5. Poor security practice, as well as an increase in people working remotely, is thought to be behind the increased number of attacks. Passwords stored as plaintext were deemed responsible for around 4 in 10 of ‘spilled credentials’ incidents. Unsalted SHA-1 hashed passwords were blamed for around 20%.
One of the biggest problems highlighted by F5 is how slow organisations are at detecting breaches, with the average time to discovery being almost a year (327 days). A recent report from Akamai revealed that an estimated 90% of credential-stuffing attacks between 2018 and 2020 were targeted at retail businesses.
There is also some good news, however: the average number of records involved in a breach fell from 63 million to 17 million during the same period. This could be because less data is now being stored in one place, or because fewer people are being given access to it. Nevertheless, the increasing number of incidents and slow detections show that businesses have to do more. There are numerous ways for businesses to protect themselves from credential stuffing attacks, and these include the following.
Using password managers
Password managers such as LastPass are great for the personal use of employees. Because these tools securely store usernames and passwords there is no need to try and remember them all, or jot them down in insecure places. As a result, users can create stronger, more complex passwords for each of their different accounts. Many password managers also suggest strong and random passwords so that users don’t have to think them up themselves and risk making insecure choices.
Once stored, access is granted in response to a single ‘master’ password (which must be strong and never used on other systems).
Embracing MFA/2FA
Multi-factor authentication (MFA) and two-factor authentication (2FA) can drastically reduce the threat of credentials being compromised. There are two main types of MFA: knowledge-based and possession-based.
Knowledge-based authentication involves asking security questions that only the legitimate user should be able to answer. The problem is that a lot of personal information is publicly available (e.g. date of birth, place of birth, mother’s maiden name). If the question is obscure, the user is likely to forget the answer.
Possession-based authentication requires the user to have access to a separate device (such as a USB key or smartphone) as well as their username and password. This device will usually receive a temporary code or link that has to be entered in addition to the standard credentials before you can log in to your account. Because an attacker who has only the stolen password cannot normally access the person’s mobile phone or USB key, this is an excellent way to protect an account even if a username and password are compromised.
Biometric authentication
Biometric authentication can involve retinal scans, thumbprints and voice recognition. While some still sound like they belong in sci-fi films they are actually becoming highly efficient and affordable. They are incredibly hard to counterfeit.
Adaptive authentication systems
Instead of using a single factor to grant or deny access, adaptive systems consider numerous factors (such as IP address, device reputation, user behaviour or geo-location) to assess the risk posed by a login, and can then grant commensurate degrees of access in response.
Checking and restricting website or network traffic
Reviewing your website traffic can reveal ways to reduce the risk of attackers entering your systems. For example, credential stuffing is usually carried out with automated browsers and from particular autonomous systems (ASNs), so identifying and restricting access from these sources reduces your chances of becoming a target.
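The kind of traffic review described above, as an added example rather than code from the original article: a small Python detector that flags source IPs which attempt logins against many distinct accounts in a short window (the pattern credential stuffing leaves in authentication logs), records which of those attempts succeeded, and notes whether the user agent looks automated. The log format, the sample lines and the user-agent markers are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log (not real traffic): timestamp, source IP, username, result, user agent.
SAMPLE_LOG = """\
2021-03-01T10:00:01Z 203.0.113.7 alice FAIL HeadlessChrome/89.0
2021-03-01T10:00:02Z 203.0.113.7 bob FAIL HeadlessChrome/89.0
2021-03-01T10:00:02Z 203.0.113.7 carol FAIL HeadlessChrome/89.0
2021-03-01T10:00:03Z 203.0.113.7 dave OK HeadlessChrome/89.0
2021-03-01T10:00:04Z 203.0.113.7 erin FAIL HeadlessChrome/89.0
2021-03-01T10:00:05Z 203.0.113.7 frank FAIL HeadlessChrome/89.0
2021-03-01T10:05:00Z 198.51.100.9 alice FAIL Mozilla/5.0
2021-03-01T10:05:20Z 198.51.100.9 alice OK Mozilla/5.0
"""

# Substrings that suggest an automated client (assumed list; tune for your own traffic).
AUTOMATED_UA_MARKERS = ("headless", "python-requests", "curl/")


def parse_line(line):
    """Split one constructed log line into a dict; the user agent may contain spaces."""
    ts, ip, user, result, ua = line.split(" ", 4)
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "ip": ip,
            "user": user, "ok": result == "OK", "ua": ua}


def detect_stuffing(log_text, window=timedelta(minutes=5), min_users=5):
    """Return {ip: finding} for sources that tried >= min_users distinct accounts
    within any `window`; a single user retrying their own password is not flagged."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            event = parse_line(line)
            by_ip[event["ip"]].append(event)
    findings = {}
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e["ts"])
        best, start = 0, 0
        for end, event in enumerate(events):          # sliding time window
            while event["ts"] - events[start]["ts"] > window:
                start += 1
            best = max(best, len({e["user"] for e in events[start:end + 1]}))
        if best >= min_users:
            findings[ip] = {
                "distinct_users": best,
                # accounts the attacker actually got into: the ones to force a reset on
                "successes": [e["user"] for e in events if e["ok"]],
                "automated_ua": any(m in e["ua"].lower() for e in events
                                    for m in AUTOMATED_UA_MARKERS),
            }
    return findings
```

Running `detect_stuffing(SAMPLE_LOG)` flags only 203.0.113.7, which tried six accounts in five seconds with a headless browser and succeeded against one; the second source is a legitimate user mistyping once.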
Applying a layered approach to your IT security & IT support will help to reduce the chances of being the victim of a credential stuffing attack. For most businesses, multi-factor authentication is probably the quickest and most effective improvement available because it is very difficult for attackers to guess or penetrate the extra level of authentication.