What Credential Stuffing is and how to protect yourself
A total of 500 million Zoom accounts are being sold on the dark web thanks to "credential stuffing".
This is a common way for criminals to get into online accounts. Here is what the term means and how you can protect yourself.
It starts with leaked password databases
Attacks on online services are common. Criminals often exploit security flaws in systems to obtain username and password databases. Databases of stolen login credentials are often sold online on the dark web, with criminals paying in Bitcoin for the privilege of accessing the database.
Suppose you had an account on the Avast forum, which was compromised in 2014. Criminals may therefore have the username and password you used there. Avast contacted you and asked you to change your forum password, so what's the problem?
Unfortunately, changing that one password does not solve the problem unless you already know what you're doing. Suppose your login details for the Avast forum were “[email protected]” and “gamatoPassword”. If you use the same username (your email address) and password to log in to other sites, any criminal who gets hold of the leaked passwords can access those other accounts too.
Credential stuffing in action
"Credential stuffing" means taking these leaked databases of login information and trying the credentials on other Internet services.
Criminals obtain large databases of leaked username and password combinations - often millions of login credentials - and try them on other sites. Some people reuse the same password on several sites, so some of the combinations will match. This is usually automated with software that quickly tests many login combinations.
In other words, "hackers" feed all these login credentials into a login form and see what happens. Some of them are bound to work.
This is one of the most common ways hackers break into online accounts these days. In 2018 alone, the Akamai content delivery network recorded approximately 30 billion credential stuffing attacks.
How to protect yourself
Protecting yourself from credential stuffing is very simple: follow the same password security practices that security experts have recommended for years. There is no magic solution - just good passwords:
- Avoid reusing passwords: Use a unique password for each account you have online. That way, even if one password is leaked, it cannot be used to log in to other sites. Intruders may try your leaked credentials on other login forms, but they will not work.
- Use a password manager: Remembering strong, unique passwords is almost impossible if you have accounts on several sites, and almost everyone does. We recommend using a password manager such as KeePass, which will "remember" the passwords for you.
- Enable two-factor authentication: With two-step authentication you must provide something else - such as a code generated by an app or sent to you via SMS - each time you log in to a website. Even if an attacker has your username and password, he or she will not be able to log in to your account without this code.
- Get notified in the event of a data leak: With a service like Have I Been Pwned? you can be notified when your credentials appear in a leak.
How services can protect against credential stuffing
There are many ways for online services to protect themselves against credential stuffing attacks.
- Scan leaked databases for user passwords: Facebook and Netflix scan leaked databases for passwords that are also in use on their own services. If there is a match, Facebook or Netflix can ask the user to change their password.
- Offer two-factor authentication: Users should be able to choose two-factor authentication to secure their online accounts. Particularly sensitive services can make it mandatory.
- Require a CAPTCHA: If a login attempt looks unusual, a service can require you to type a CAPTCHA code shown in an image, or to click through another kind of challenge, to verify that a person - not a bot - is trying to log in.
- Limit repeated login attempts: Services should try to stop bots from making a large number of login attempts in a short time. Modern, sophisticated bots may try to log in from many IP addresses at once to disguise their efforts.
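As an added example (not from the original article or any named service), the following Python sketch applies the last item above to a constructed authentication log: it flags a source IP that sprays many different usernames with mostly failed logins, and computes a site-wide signal that still catches bots spread over many IP addresses. The log format, IP addresses and thresholds are all assumptions.

```python
from collections import defaultdict

# Constructed sample auth log (timestamp, source IP, username, result); not from a real service.
AUTH_LOG = """\
2024-01-01T10:00:01 203.0.113.5 alice@example.com FAIL
2024-01-01T10:00:02 203.0.113.5 bob@example.com FAIL
2024-01-01T10:00:02 203.0.113.5 carol@example.com FAIL
2024-01-01T10:00:03 203.0.113.5 dave@example.com SUCCESS
2024-01-01T10:00:04 203.0.113.5 erin@example.com FAIL
2024-01-01T10:05:00 198.51.100.7 alice@example.com FAIL
2024-01-01T10:05:30 198.51.100.7 alice@example.com SUCCESS
2024-01-01T10:06:00 192.0.2.9 grace@example.com FAIL
2024-01-01T10:06:01 192.0.2.10 heidi@example.com FAIL
"""

# Assumed tuning values: a source trying at least MIN_USERS different usernames
# with a failure rate of at least MAX_FAIL_RATIO is treated as a stuffing bot.
MIN_USERS = 5
MAX_FAIL_RATIO = 0.6

def parse_log(text):
    """Yield (ip, user, success) from the whitespace-separated log format."""
    for line in text.splitlines():
        if line.strip():
            _ts, ip, user, result = line.split()
            yield ip, user, result == "SUCCESS"

def suspicious_sources(text, min_users=MIN_USERS, max_fail_ratio=MAX_FAIL_RATIO):
    """Return {ip: (distinct_usernames, failure_ratio)} for sources that spray many
    accounts and mostly fail; a real user mistyping one password is left alone."""
    users, attempts, failures = defaultdict(set), defaultdict(int), defaultdict(int)
    for ip, user, ok in parse_log(text):
        users[ip].add(user)
        attempts[ip] += 1
        if not ok:
            failures[ip] += 1
    flagged = {}
    for ip, n in attempts.items():
        ratio = failures[ip] / n
        if len(users[ip]) >= min_users and ratio >= max_fail_ratio:
            flagged[ip] = (len(users[ip]), round(ratio, 2))
    return flagged

def one_shot_failure_ratio(text):
    """Site-wide signal for bots spread over many IPs: share of usernames tried
    exactly once and failed. Stuffing touches each leaked account once."""
    per_user = defaultdict(list)
    for _ip, user, ok in parse_log(text):
        per_user[user].append(ok)
    one_shot = [u for u, results in per_user.items() if results == [False]]
    return len(one_shot) / len(per_user)
```

Accounts that logged in successfully from a flagged source are the ones most likely using a leaked, reused password, so a service would also force a password change on those.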
Bad password practices and, to be fair, insecure Internet systems make accounts very easy to break into. So it is no wonder that many companies in the technology industry want to develop more secure systems that do without passwords.