Fight Credential Stuffing by Taking a New Approach to Authorization
2016 has been called “the year of stolen credentials,” and with good reason. Between the massive breaches at Yahoo, LinkedIn, MySpace, Tumblr,1 Twitter,2 and Dropbox,3 just to name a few, it’s estimated that over 2 billion records were stolen. Although attackers steal all kinds of data, a vast majority of what’s stolen are user credentials, and they’re being put to bad use. The 2017 Verizon Data Breach Investigation Report found that 81% of hacking-related breaches leveraged stolen and/or weak passwords.4 What’s more, these stolen credentials are readily available for sale on the dark Web to anyone willing to pay the price.5
What is Credential Stuffing?
With this glut of stolen credentials, we’re seeing a rise in what are known as “credential stuffing” attacks. What are these attacks and how do they work? Attackers obtain large volumes of user credentials stolen from one website (like those named above) and use automated tools to test them in the login fields of other, targeted websites (hence, the name credential “stuffing”). When a username/password pair grants the attackers access, they take over that account for fraudulent purposes. By some estimates, as many as 90% of all login attempts on web-based applications at Fortune 100 firms are actually credential stuffing attempts rather than legitimate logins.6
Why Credential Stuffing is a Serious Threat to all Organizations
Often organizations think that they’re “safe” if their own data has not been stolen, but that’s simply not true. One of the reasons credential stuffing is so wildly successful is that many people (73%, by one estimate7) reuse their passwords for multiple applications—both personal and work-related. This significantly increases the attack surface and the risk to everyone, because if attackers can gain access to one application with stolen user credentials, there’s a good chance those credentials will work with another application, and another, and another…
This is why credential stuffing is such a critical threat to organizations. Many enterprises have multiple web-based applications exposed on the Internet that are protected by nothing more than—you guessed it—login credentials. So, even if your internal systems have not been breached, it’s conceivable that your external applications, whether you have 5 or 500 of them, will be targeted by attackers using stolen credentials. Breach or not, your applications are potentially at risk. This problem is compounded by the fact that few applications (yet) support multi-factor authentication (MFA). Without MFA, applications are especially vulnerable because they have only one layer of protection and are therefore easily compromised using stolen credentials alone.
APIs Are at Risk, Too
For many organizations, the attack surface is even broader still because their application programming interfaces (APIs) are also vulnerable. Typically, APIs are the set of clearly defined methods of communication between various software components. Although there are several methods for authenticating APIs, it’s surprising how many are still authenticated using only login credentials.
Consider, too, that the authentication and authorization process is usually separate for each application or API, so organizations must monitor and protect each application independently. It’s kind of like trying to manage a border wall built in 50 separate sections by 50 different contractors, each section with its own gate, varying levels of staff and monitoring, and unique admittance policies.
Source link
lol
2016 has been called “the year of stolen credentials,” and with good reason. Between the massive breaches at Yahoo, LinkedIn, MySpace, Tumblr,1 Twitter,2 and Dropbox,3 just to name a few, it’s estimated that over 2 billion records were stolen. Although attackers steal all kinds of data, a vast majority of what’s stolen are user credentials,…