Have you ever wondered why cyber thieves love passwords? After all, you might think, what use are hacked passwords? Well, about five years ago some hackers put two and two together and realised that because the average person tends to re-use the same password across multiple web sites, a breach at one site could be turned into access at many others. The tactic is called credential stuffing.
- Credential stuffing is the use of automated login software, often called account checkers, that takes a massive list of leaked email and password pairs and tries each one against a specific website to find the combinations that still work. Unlike a classic brute-force attack it does not guess passwords; it replays ones that are already known to be real.
- This happens on a huge scale: an attack against a single online service can easily try upwards of one million login combinations in a single day.
- To carry out these attacks cyber criminals route their attempts through proxies. Online companies must allow users to access their accounts from many devices and locations, so spreading the attempts across large numbers of anonymous proxy addresses lets criminals mask the origin of their login attempts and blend in with legitimate users; no single address ever sends enough traffic to look suspicious on its own.
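The three characteristics above (huge volume, one try per account, attempts spread across proxies) are also what make the attack visible in a site's own login logs. The following is an added example, not material from the original article: a Python script that runs over constructed log lines (the log format, the addresses in the 198.51.100.0/24 and 203.0.113.0/24 documentation ranges, and the account names are all invented for the illustration) and separates a credential-stuffing burst from both normal traffic and a classic single-account brute force. It also shows why a per-address rate limit alone never fires on the burst.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Assumed log format (constructed for this example):
#   <ISO-8601 UTC timestamp> ip=<client address> user=<account> result=ok|fail
LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)

# Constructed normal traffic: a handful of real users, one of whom mistypes once.
NORMAL = """\
2016-07-01T10:00:01Z ip=198.51.100.20 user=dana@example.com result=ok
2016-07-01T10:00:14Z ip=198.51.100.21 user=ed@example.com result=fail
2016-07-01T10:00:22Z ip=198.51.100.21 user=ed@example.com result=ok
2016-07-01T10:00:37Z ip=198.51.100.22 user=fay@example.com result=ok
2016-07-01T10:00:51Z ip=198.51.100.23 user=gus@example.com result=ok
""".splitlines()

# Constructed credential-stuffing burst: 30 leaked accounts, one password try each,
# spread over 10 proxy addresses (3 tries per address), 29 misses and 1 hit.
STUFFING = [
    f"2016-07-01T10:05:{i:02d}Z ip=203.0.113.{10 + i % 10} "
    f"user=leak{i}@example.com result={'ok' if i == 17 else 'fail'}"
    for i in range(30)
]

# Constructed classic brute force for contrast: one account, 25 guesses from one address.
BRUTE = [
    f"2016-07-01T10:10:{i:02d}Z ip=198.51.100.99 user=dana@example.com result=fail"
    for i in range(25)
]


def parse(lines):
    """Turn log lines into (timestamp, ip, user, result) tuples; skip malformed lines."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((ts, m["ip"], m["user"], m["result"]))
    return events


def max_attempts_per_ip(events):
    """What a per-address rate limit would see: the busiest single client address."""
    return max(Counter(ip for _, ip, _, _ in events).values(), default=0)


def classify(attempts, distinct_users, fail_rate, min_attempts=20, min_fail_rate=0.9):
    """Label one time window from aggregate (not per-address) statistics."""
    if attempts < min_attempts or fail_rate < min_fail_rate:
        return "normal"
    if distinct_users / attempts >= 0.9:
        return "credential_stuffing"   # many accounts, one attempt each, nearly all failing
    if distinct_users <= 2:
        return "password_brute_force"  # one account hammered with many guesses
    return "normal"


def detect(lines, window_s=60):
    """Return {window start -> label} for every window that contains login events."""
    buckets = defaultdict(list)
    for ts, ip, user, result in parse(lines):
        buckets[int(ts.timestamp()) // window_s].append((ip, user, result))
    labels = {}
    for key, evs in sorted(buckets.items()):
        attempts = len(evs)
        distinct_users = len({u for _, u, _ in evs})
        fail_rate = sum(r == "fail" for _, _, r in evs) / attempts
        start = datetime.fromtimestamp(key * window_s, tz=timezone.utc)
        labels[start.strftime("%Y-%m-%dT%H:%M:%SZ")] = classify(attempts, distinct_users, fail_rate)
    return labels


if __name__ == "__main__":
    for window, label in detect(NORMAL + STUFFING + BRUTE).items():
        print(window, label)
    # A per-address limit of 5 tries per minute never fires on the stuffing burst:
    print("busiest proxy address in the burst:", max_attempts_per_ip(parse(STUFFING)), "attempts")
```

The signal that distinguishes stuffing is the ratio of distinct accounts to attempts combined with a failure rate far above what real users produce, measured across the whole service rather than per client address. The constructed burst has at most three attempts from any one proxy address, so a conventional per-IP throttle sees nothing, while the aggregate view flags the window immediately; the thresholds are illustrative and would be tuned to a real site's baseline traffic.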
But where do the hackers get the passwords and email addresses from in the first place? You may have noticed over the past few years there has been a persistent surge in database hacks, with attackers often making off with millions of email addresses and passwords. These mega-breaches now happen with predictable frequency.
- This information can be quickly and cheaply bought from dark web sellers, or even downloaded for free in some cases.
- From a buyer's perspective, the 'fresher' the data the better: passwords from a recent breach are less likely to have been changed yet, so more of the pairs still work when stuffed into other sites.
- Because many people use the same password across different online services, an attacker who has one email address and password pair can potentially get into many accounts belonging to the same person.
What do the attackers gain?
On average a credential-stuffing attack has an estimated success rate of 1-2 per cent. That said, some of these attacks have success rates of up to 5 per cent.
Consequently, if an attacker has one million email and password records they will likely get into between 10,000 and 20,000 online accounts. These working credentials can then be sold on the dark web for as little as $2 each, and the buyers then have access to thousands of online accounts.
The outlay to launch a credential-stuffing attack is next to nothing. Buying one million stolen email and password records costs little over $200, and hiring a proxy service costs about another $100. For an outlay of $300 an attacker can easily realise a return of $40,000.
Can’t companies stop these attacks?
It's a fact of life that online companies are primarily focused on improving user experience, and as a result security is often overlooked.
Companies tend to rely on a straightforward authentication method which only requires that the customer use their email address and a password of their own choosing as their log-in combination. By relying on this method, companies are leaving security up to their customers: the account is only as safe as the customer's habit of not re-using that password elsewhere.
However, more companies are offering two-factor authentication (2FA) as an additional security layer.
Which online services are attackers targeting?
Financial services companies were the main target about four to five years ago. However, hackers were so successful in compromising account credentials that the dark web market became flooded. At the same time, banks improved their security measures, making it much more difficult to take over customer accounts with stolen credentials.
As a result, today credential stuffing attacks tend to focus on popular e-commerce retail services, travel companies and auction sites.
What can I do to protect myself?
- The simplest and most effective step you can take is to enable 2FA. This means an account can't be accessed without entering a second identifier beyond a password.
- It's usually a four- or six-digit number that is sent to your mobile phone, or generated by an authenticator app on it, after you have entered your password.
- Use a different password for every service, so that a password stolen from one company's database cannot be replayed against your other accounts. A password manager makes this practical.
- To see if the online services you use, such as email, e-commerce and retailers, offer 2FA, check the security settings on your accounts.
2FA is a robust layer of security that protects your accounts even when your email address and password have been hacked from another company's database. It does not stop the attacker learning that the stolen password was correct, so a re-used password should still be changed.
Article written by: Steve Bell