Online credentials have been stolen and compromised for almost as long as the Internet has existed. But in the past decade, the frequency of credential theft has increased and the tools and techniques used by cybercriminals have evolved.
Today, usernames and passwords act as keys to online services that are vital to many aspects of people's lives such as their retail, banking, travel, and insurance accounts. And yet, those accounts are less secure than they have ever been, due to the scale and scope of data breaches on unrelated sites.
Theft of user credentials has ramped up significantly for a number of reasons. First, users are reusing the same usernames and passwords across multiple sites. Second, automated tools can take stolen credentials and test them on other sites at a massive scale. And third - and perhaps most important - many customers have high value assets, from PII to loyalty points to stored credit cards and gift cards, that are extremely lucrative targets for cyberattacks.
Credential stuffing, first recognized in 2011, is now the single largest source of account takeover and automated fraud on most online services. It’s the large scale, automated testing of stolen usernames and passwords against a range of online sites. What’s particularly challenging is that this threat doesn’t exploit an accidental vulnerability in an application. Instead, it exploits intended functionality - the login form where anyone could enter the right credentials to access an account, its data and privileges. The other challenge is that your site may not have been compromised, but usernames and passwords stolen from another site are now being tested on your site to gain access. This means that there isn’t a simple “defect” to fix, or patch to issue. Instead, the defense of a login application against automation and the exploitation of spilled credentials is a much more difficult and complex challenge, extending into user behavior (password reuse) and poor security practices at third party sites.
A credential spill occurs when user credential data, like usernames and passwords, are stolen from an organization or its users. “Spill” refers to the fact that stolen credentials do not just affect the company which was originally hacked or breached, but are now available for use in attacking any other website or mobile application.
Note that the industries targeted for credential spills, such as gaming, are often different than the industries then targeted with the stolen credentials. Retail is a popular target.
Credential stuffing against retail web properties is especially lucrative, for a number of reasons.
First, retail websites are designed to cause as little friction for customers as possible, so security is often sacrificed for user experience. For example, in a crime-free world retailers would prefer to dispense with CAPTCHAs, two-factor authentication, and excessive emails or texts confirming every change to an account. In fact, many retail sites keep users logged in to make “continue shopping” even easier. In contrast, financial services providers, for example, never allow this to happen, automatically logging a user off after 10-15 minutes of inactivity.
Second, attacking retail websites can also be lucrative because there are typically more opportunities to monetize illicit account access than with any other vertical. Attackers can steal personal data, exploit saved credit cards and gift cards, or sell the whole account on the Dark Web for use by criminal organizations. Automated attacks against retailers can also facilitate more traditional offline fraud such as return fraud or the theft of goods.
Most retailers have no visibility into, or even awareness of, the volume of automated login traffic they are experiencing from credential stuffing attacks.
As we said, credential stuffing attacks appear as legitimate requests to the security controls in place on most applications. Since real user credentials are being used, these types of attacks do not need to use brute force techniques to attempt to guess passwords. Instead, they just need to “behave” the way a legitimate user would, providing their own credentials. So when the process is fully automated, credential stuffing attacks can achieve incredible scale and efficiency.
What a detection solution will see is that a vast majority of traffic is actually automated, coming from cybercriminals testing stolen credentials rather than from the site’s legitimate users accessing their accounts in a manual fashion.
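The contrast drawn above, between a legitimate user retrying their own credentials and an automated source cycling through many stolen username/password pairs, is the core signal a detection solution keys on. The following is an added example, not code from the original paper or from any vendor product: a small heuristic detector that aggregates login attempts per source address from a constructed log (format and sample lines are assumptions made for this example) and flags sources that test many distinct usernames with a high failure ratio. It also reports what share of total login traffic those flagged sources account for, which is the "vast majority is automated" picture described in the text.

```python
"""
Heuristic credential-stuffing detector over login logs.

Added example, not from the original paper. It assumes a constructed log
format: "<timestamp> <client_ip> <username> <http_status>", where 200 means
the login succeeded and any other status means it failed.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample log: 203.0.113.10 is a real user mistyping once and then
# succeeding; 198.51.100.7 is a tool testing a list of spilled credentials.
SAMPLE_LOG = """\
2024-01-01T10:00:00Z 203.0.113.10 alice 401
2024-01-01T10:00:05Z 203.0.113.10 alice 200
2024-01-01T10:00:01Z 198.51.100.7 bob 401
2024-01-01T10:00:01Z 198.51.100.7 carol 401
2024-01-01T10:00:02Z 198.51.100.7 dave 401
2024-01-01T10:00:02Z 198.51.100.7 erin 200
2024-01-01T10:00:03Z 198.51.100.7 frank 401
2024-01-01T10:00:03Z 198.51.100.7 grace 401
"""


@dataclass
class SourceStats:
    """Per-source counters used by the heuristic."""
    attempts: int = 0
    failures: int = 0
    usernames: set = field(default_factory=set)


def parse_log(text):
    """Yield (ip, username, status) tuples from the constructed log format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        _timestamp, ip, username, status = line.split()
        yield ip, username, int(status)


def aggregate(text):
    """Group login attempts by source IP and count failures and distinct usernames."""
    stats = defaultdict(SourceStats)
    for ip, username, status in parse_log(text):
        s = stats[ip]
        s.attempts += 1
        s.usernames.add(username)
        if status != 200:
            s.failures += 1
    return stats


def flag_sources(stats, min_attempts=5, min_distinct_users=3, min_failure_ratio=0.6):
    """
    Return {ip: summary} for sources that look like credential stuffing.

    A legitimate user retrying a typo hits one username a few times; a
    stuffing tool hits many different usernames and fails on most of them.
    The thresholds are illustrative and would be tuned per site.
    """
    flagged = {}
    for ip, s in stats.items():
        if s.attempts < min_attempts:
            continue
        failure_ratio = s.failures / s.attempts
        if len(s.usernames) >= min_distinct_users and failure_ratio >= min_failure_ratio:
            flagged[ip] = {
                "attempts": s.attempts,
                "distinct_usernames": len(s.usernames),
                "failure_ratio": round(failure_ratio, 3),
            }
    return flagged


def automated_share(stats, flagged):
    """Fraction of all login attempts that came from flagged (automated) sources."""
    total = sum(s.attempts for s in stats.values())
    automated = sum(stats[ip].attempts for ip in flagged)
    return automated / total if total else 0.0


if __name__ == "__main__":
    stats = aggregate(SAMPLE_LOG)
    flagged = flag_sources(stats)
    for ip, summary in flagged.items():
        print(f"suspected credential stuffing from {ip}: {summary}")
    print(f"share of login traffic from flagged sources: {automated_share(stats, flagged):.0%}")
```

The distinct-username count is what separates the two cases: a successful login from the automated source (erin) does not clear it, because the surrounding pattern of many usernames and mostly failures still fits a tool testing a spilled list. In practice these counters would be kept over a sliding time window and combined with other signals, since a single-IP heuristic alone is only a starting point.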