The reality of breaches is the amount of information available on the dark web. In 2016, hackers stole some three billion credentials, some of which they use in account takeovers.
The big security threat called credential stuffing is the use of automated means to test stolen logins/passwords en masse against other websites. The practice isn’t new, but new sophisticated instruments are helping to fuel its growth.
A recent study from Mountain View, Calif. Shape Security, “2017 Credential Spill Report,” showed stuffing attacks resulted in $1 billion in attempted fraud in 2016 alone. In addition, credential-stuffing login attempts account for 90% of all logins in web and mobile applications. Hackers achieve a success rate of 0.1 to 2% when reusing stolen credentials to access other sites, according to Shape Security.
Mike Lynch, chief strategy officer of Boston-based device authentication and intelligence firm InAuth, said this is quickly becoming a critical issue in the security sector, yet few are talking about it. “I am hearing a lot about how companies are trying to battle it.”
The term credential theft is not new. Lynch explained attackers hack into a system to steal end-user login credentials: user IDs, email addresses, passwords. Or they phish users into credential theft. “I can’t believe this many years later we’re still talking about phishing, but it’s still a huge issue.”
Lynch provided some of the newer terms used in relation to credential theft:
- Credential stuffing. Fraudsters use bots to test stolen account credentials to access user accounts through large-scale automated login requests. “They want to validate that they have a good user name with potentially a good password.”
- Password recycling. Using the same password against multiple online accounts.
- Credential spilling. Fraudsters release massive amounts of user credentials onto the dark web. Sometimes it is free to build their own hacker résumé, or sometimes for profit.
The return for fraudsters depends on the value of credentials. “For 1 million stolen credentials, which these days is not that much, they might gain access to 10,000 accounts. If those are financial accounts, you have a lot of effects on the FIs,” Lynch said. He added, possible consequences include the hard-dollar costs in detecting the credential compromise, the aftermath cleanup, potential reputational damage, and response to inevitable customer queries.
Among the techniques hackers use to gain credential access are phishing and smishing (SMS based phishing), credential cracking with brute force, man in the middle attacks, and insider theft.
Fraudsters obtain financial institution credentials to sell to the highest bidder. Lynch held account logins for financial institutions have a longer shelf life and are getting a higher price from the dark web. “The most direct and obvious use of account takeover is transaction fraud,” Lynch said. With the financial institution, it is usually fraud against the consumers’ account. “Fraudsters sometimes have this information for several years before it’s even noticed it’s been compromise or reported that it was compromised.”
Credit card numbers are lesser valued on the dark web because holders are pretty quickly notified of compromise and the issuer subsequently retires the cards.
Companies are now battling bots used to stuff credentials. Some signs bots are in play is through more traffic to the site, higher attempts to login, and more than usual login failure rates.
“They’re using automation and technology to do things like credential cracking and the bots themselves create the malware and distribute it, Lynch said. “They are quite sophisticated.”
The theft of user credentials and their use in attacking other sites is now so widespread that it prompted precautions in the “Draft NIST Special Publication 800-63B Digital Identity Guidelines,” that online account systems check their users’ passwords against known spilled credential lists.
Lynch suggested credit unions need to check the unique device, device fingerprinting, and malware detection. In addition, financial institutions should use behavioral analysis. He also recommended credit unions embrace new authentication techniques like biometrics. “The more financial institutions adopt biometrics the less credential compromise we will have.”