Are you susceptible to credential stuffing attacks?
I’m getting ahead of myself here. If you’re planning to take the SY0-601 version of the Security+ exam, you should have a basic understanding of various attacks including credential stuffing attacks. As an example, can you answer the following practice question?
Which of the following descriptions BEST describes a credential stuffing attack?
A. A special type of brute force attack that is designed to avoid being locked out
B. Using credentials obtained from a data breach on one site to access accounts on other sites
C. An attack that attempts to guess all possible character combinations to guess a password
D. An attack that typically leaves the following log entry in server logs “Special privileges assigned to a new logon”
More, do you know why the correct answer is correct and the incorrect answers are incorrect?
What is Credential Stuffing?
Credential stuffing is an attack where the cyber attackers use credentials stolen from one website to log onto another website. If you use the same username and password on more than one site, you’re at risk.
“Different sources claim that 65 percent to 85 percent of people
use the same account and password on more than one site.”
I admit I’ve been guilty of this in the past, and I’ve been bit. So many sites want your email address that I got into the habit of using a spam email account and the same password when registering on some sites. For conciseness, imagine the email address and password I used was email@example.com and Christm@$9.
Most of the sites where I used these credentials were one-time-use sites, such as sites requiring me to register to download a white paper. However, I also used it for my Netflix account.
For some reason, I hadn’t accessed NetFlix for a couple of months. When I did, my credentials didn’t work and I was unable to reset my password. It turns out that an attacker logged on as me, and then changed my email address. I no longer had a Netflix account that I could access, but I was still paying a monthly fee. It was easily resolved after calling Netflix customer service, but it could have been avoided completely if I didn’t reuse my credentials.
Credential Stuffing From The Attacker’s Perspective
When attackers infiltrate a network, they often look for credential databases. When they find them, they exfiltrate them and these databases often find their way onto the dark web. Imagine, my credentials were stored in databases stolen from Acme and Emca, along with tens of thousands of others.
Attackers plug these credentials into an application or bot, which then tries them at multiple sites on the Internet. In my case, these credentials worked on Netflix. They were able to log on and hijack my account.
Two Simple Preventions Against Credential Stuffing
The easiest way to prevent credential stuffing attacks from working is to never reuse the same password. That requires you to either remember a lot of passwords or get a good password vault. The best password vault is a moving target and there are many different user preferences to consider, but anything is better than nothing.
A second protection is to use 2FA. A popular method is using text messages sent to your smartphone. Anytime you try to log from a different computer, the site sends you a text with a six- to eight-digit code. Your original credentials are the first factor of authentication, and the code sent to your smartphone is the second factor of authentication.
Even if your credentials wind up on the dark web, attackers won’t have access to your smartphone.
Credential Stuffing Practice Test Question Answer
Answer: B. Credential stuffing is the practice of using credentials obtained from a data breach on one site to access accounts on other sites. These attacks succeed when people use the same username and password on multiple sites.
A spraying attack is a special type of brute force attack that is designed to avoid account lockouts. It loops through a long list of accounts trying one password. When it completes, it loops through the list again trying a different password. Because it takes a long time to loop through the list, it avoids account lockout policies.
A brute-force attack attempts to guess all possible character combinations to guess a password.
A pass the hash attack attempts to capture the hash of a user’s password to log on to a system as the user. An indicator of a pass the hash attack is one or more log entries of “Special privileges assigned to a new logon.”