Ever wondered how hackers really operate? IDShield has launched a monthly segment entitled “How They Do It” to give you a look behind the curtains where hackers hide. Each month, we’ll run another segment of “How They Do It.” Learn about specific attacks and warning signs as we break down these tactics and highlight how to defend against attacks.
Credential stuffing has received a lot of attention in the media lately, which is a good thing. You need to know how stuffing works to thwart it or a miscreant could take over your vital accounts and lock you out! Account takeover (ATO) via stuffing is a grown and troublesome trend; currently, it represents the largest segment of bank and financial institution attacks, causing a shocking number of intrusions. Once inside, hackers can change your password so you can’t access the account or recover it.
Picture your favorite online shopping site’s webpage. Think of their credentials files as a large bucket brimming with user passwords and IDs. If hacked, those credentials could open doors on other sites. Consider your favorite social media destination. How similar are your passwords for these websites? Please don’t say they’re identical. Please! If you reuse your login details, you’re flirting with massive credential stuffing even if you’re unfamiliar with the concept.
How does it work?
It’s called stuffing because that’s what thieves do—they rapidly try credential pairs on multiple website login pages, to cram in workable keys. The success rate is low, so thousands of attempts are required to yield an access rate estimated to be no higher than 3%.
If successful, hackers can gain access to any site where the account holder reused codes. What opens a page could also unlock an account where you store credit card detail. Get the picture?
Many massive data breaches have been linked to stuffing. Over 20 individuals were arrested last month in the United Kingdom for purchasing stolen credentials from a three-year-old site on the dark web. The operation was shut down by the FBI, working in tandem with European law enforcement groups. That action put many scammers out of work, but it also revealed that the cost of stolen credentials is minuscule. Bad actors could purchase access to the ill-gotten data hoard for just $2 a day.
Why does it work?
Success depends on two factors. First, stuffing can be automated, so humans don’t need to type each credential pair. It’s fast.
Reuse is the other critical factor. Many people use recycled credentials across multiple locations. Consumers know it’s a bad idea, but they do it anyway because it’s convenient.
The FBI issued a warning recently about the surge in stuffing. It revealed for the first time that over 50,000 financial account compromises succeeded between 2017 and 2019.
Once access is made, gift cards are one purchase intruders favor. Gift certificate purchases are rapid; the thief can use them later. Stolen creds can also unlock smart home networks. According to the FBI alert, additional damages include funds transfers, loyalty program rewards thefts and identity theft.
There is no profile of the typical stuffing target; anyone can become the focus because each stolen password/user combo could open a dozen accounts or more.
How can I remember everything?
Memory is still the #1 storage method of choice. This means the average human brain needs to store an average of 100 different codes. No wonder reuse is an attractive concept.
Have you considered a password manager? Many offer a free trial, so you can kick the tires before making a buy. These tools generate random passcodes or store those you’ve already put into service. Managers will warn you if you’re repeating your passcode.
Another alternative is getting a password check extension for your web browser. These tools alert you if you chose a combination of letters and numbers that is compromised already.
Unique passwords matter. It’s far better to need a password reset if you’ve forgotten yours than to recover from a significant intrusion.
Be proactive
For consumers, unique passwords are worth the hassle. If you get bogged down remembering more than a handful of codes, password managers can store the details. Then all you need to remember is the master passphrase; software auto-fills each login for you. Activating two-factor authentications is another positive step.
IDShield is a product of Pre-Paid Legal Services, Inc. d/b/a LegalShield (“LegalShield”). LegalShield provides access to identity theft protection and restoration services. For complete terms, coverage and conditions, please see an identity theft plan. All Licensed Private Investigators are licensed in the state of Oklahoma. This is meant to provide general information and is not intended to provide legal advice, render an opinion, or provide any specific recommendations.