A Clean Identity Infrastructure Prevents Credential Stuffing Attacks

August 12, 2020

Auth0 Regional Director APAC Richard Marr discusses why identity infrastructure needs to be a priority: as organisations become larger and more dispersed, they need a secure identity infrastructure that lets them scale in a more sustainable way.

By Richard Marr

As we commence the early days of recovery from the COVID-19 pandemic, a new normal has emerged in how businesses configure their workforce, along with considerable shifts in operations and rebuilding customer trust.

A more dispersed workforce has meant greater volumes of information distributed in more and more complex formats. With the surge in reliance on digital platforms comes a heightened threat around attacks on online account credentials, from phishing attacks taking advantage of the vulnerable state of consumers, to data breaches of large enterprises leading to a rise in credential stuffing attacks.

Credential stuffing, a USD 6 million challenge

Industry experts estimate that credential stuffing costs the average affected company up to USD 6 million a year, and rank it among the greatest challenges for IT security this year.

Cybercriminals and their techniques are becoming more sophisticated, so more username and password combinations are being uncovered, with increasing ease. It doesn’t help that 65% of people reuse passwords across multiple accounts, and most of us are rather uncreative in our choice of login details.

As businesses, we not only have a responsibility to educate consumers on how to stay safe online, but we need to ramp up our efforts to protect people from these attacks and create as secure an environment as possible for our users to operate in. This is especially important in this ‘new normal’, where a forced adaptation to an online lifestyle has increased reliance on digital platforms.

The job of a credential stuffer is in fact easier than that of most cyber criminals. It all starts with the password list: username and password pairs leaked in data breaches of other sites. Attackers replay those stolen combinations against login pages, usually through botnets, networks of compromised devices, so that the attempts are spread across thousands of source addresses and many targets at once and stay under any per-address rate limit. The aim? To take over people’s online accounts and sell the working logins at a profit.

Hackers are now even trading ‘botnets-for-hire’ for nominal fees for use in widespread attacks. Because only small amounts are stolen from each company, the attacks often go unnoticed, but the damage from cybercrime as a whole has been projected to reach USD 6 trillion annually by 2021.

Managing digital identities 

As businesses continue their digital transformation towards the cloud, mobile, and next-generation technologies, there is an emerging need to secure applications and authenticate users, keep hackers at bay, and maintain control over business-critical systems and information. There are a few key considerations when it comes to measures that not only thwart a credential stuffing attack but give businesses greater control and protect their users without compromising on the user experience.

Multi-factor authentication is one step in the right direction. To take over an account protected by multi-factor authentication, an attacker needs access to the second factor, typically the user’s mobile phone, as well as the breached credentials. This drastically increases the effort and time required to compromise accounts at the scale needed to make a return on the investment, making it a significant deterrent. How strong a deterrent depends on the factor: a one-time code that a user can be tricked into typing into a phishing page offers less protection than an authenticator bound to the device.

Balance security with a frictionless experience. Consider those using your services and ensure your security measures don’t hinder your ability to provide the frictionless user experience consumers expect. By using intelligent threat analysis tools, you can tailor the security mechanisms to the user’s situation, asking for a second factor only when the login looks risky. We call this adaptive authentication.
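As an added illustration of the two points above (this is not code from the original article or from Auth0): a small detector that flags source addresses behaving like the botnet nodes described earlier, many different usernames replayed in a short window with a high failure rate, and an adaptive-authentication rule that uses the result to decide whether a correct password is enough or a second factor is required. The event format, the thresholds, the device identifiers and the sample events are all constructed assumptions.

```python
"""Credential-stuffing detection over login events, feeding an adaptive-auth decision.

Added illustration. The event shape, thresholds and sample data are assumptions,
not Auth0's own logic or any real traffic.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class LoginEvent:
    ts: int          # Unix time of the attempt
    ip: str          # client address
    username: str    # account being targeted
    device: str      # device or cookie identifier presented by the client
    success: bool    # did the password check pass?


WINDOW = 600                 # seconds per detection bucket (assumed)
STUFFING_IP = "203.0.113.7"  # constructed botnet node address

# Constructed sample events, not real logs.
SAMPLE_EVENTS = [
    # A legitimate user mistypes once, then succeeds, from a device seen before.
    LoginEvent(1_600_000_000, "198.51.100.20", "alice", "dev-alice-phone", False),
    LoginEvent(1_600_000_030, "198.51.100.20", "alice", "dev-alice-phone", True),
    # Another legitimate user, correct password but a laptop we have never seen.
    LoginEvent(1_600_000_100, "198.51.100.21", "bob", "dev-bob-laptop", True),
]
# A botnet node replays twelve leaked user:password pairs in a few seconds. One pair
# still works because that user reused a password breached elsewhere.
SAMPLE_EVENTS += [
    LoginEvent(1_600_000_200 + i, STUFFING_IP, f"user{i:02d}", f"bot-ua-{i}", i == 7)
    for i in range(12)
]

# Devices previously confirmed for each account (assumed store).
KNOWN_DEVICES = {("alice", "dev-alice-phone")}


def window_stats(events, window=WINDOW):
    """Aggregate per (ip, time bucket): attempts, failures and distinct usernames."""
    stats = defaultdict(lambda: {"attempts": 0, "failures": 0, "users": set()})
    for e in events:
        s = stats[(e.ip, e.ts // window)]
        s["attempts"] += 1
        s["failures"] += 0 if e.success else 1
        s["users"].add(e.username)
    return stats


def stuffing_sources(events, min_attempts=10, min_users=5, min_failure_rate=0.8,
                     window=WINDOW):
    """Return IPs whose traffic in some bucket looks like a credential list being
    replayed: many attempts, many *different* usernames, mostly failures.
    A brute force against one account, or a user retyping a password, does not match."""
    flagged = set()
    for (ip, _bucket), s in window_stats(events, window).items():
        if s["attempts"] < min_attempts or len(s["users"]) < min_users:
            continue
        if s["failures"] / s["attempts"] < min_failure_rate:
            continue
        flagged.add(ip)
    return flagged


def auth_decision(event, flagged_ips, known_devices):
    """Adaptive step-up: what does an attempt still need after the password check?
    "deny" for a wrong password, "mfa" when a risk signal is present, else "allow"."""
    if not event.success:
        return "deny"
    if event.ip in flagged_ips:
        # The one working login from a stuffing source is exactly the credential the
        # attacker wants to resell; requiring a second factor makes it unusable.
        return "mfa"
    if (event.username, event.device) not in known_devices:
        return "mfa"
    return "allow"


def decide_all(events=SAMPLE_EVENTS, known_devices=KNOWN_DEVICES):
    """Run detection over the batch, then make the adaptive decision for each event."""
    flagged = stuffing_sources(events)
    return [(e.username, auth_decision(e, flagged, known_devices)) for e in events]


if __name__ == "__main__":
    print("flagged sources:", stuffing_sources(SAMPLE_EVENTS))
    for row in decide_all():
        print(row)
```

With the sample data only 203.0.113.7 is flagged; alice's second attempt is allowed without friction, bob's correct password from an unknown laptop and user07's correct-but-breached password both require a second factor, and every other attempt is denied. In production the stats would be kept in a sliding store such as a cache keyed by address and bucket rather than recomputed over a list, and the username-diversity signal would be joined with others (known-breached password, impossible travel, reputation of the address).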

The importance of a frictionless customer experience at the login stage has changed the face of identity: security and customer experience are no longer at odds. The demand for both ease and security has paved the way for multi-factor authentication, passwordless login, one-time logins and social logins. Enterprises have long used old, on-premises IAM software to manage identity and access policies. But as companies added more cloud services, BYOD policies and a growing number of IoT devices to their environments, cyberattacks became increasingly frequent. Legacy identity security required complex coding, internal resources, and valuable time to integrate.

For consumers, having to remember and manually enter yet another set of credentials costs precious time that they simply do not have to spare. Single sign-on (SSO) gives your users one seamless authentication experience across all of the applications they need.

Turn to password alternatives. Another way to combat the rise of credential stuffing attacks is to target the root issue of password reuse. Realistically, as businesses we are not going to change consumers’ mindset of using the same passwords across multiple accounts – it’s been an issue for years, yet still occurs. What we can do is remove the need for new passwords.

This is where social logins come in. Existing login information from an identity provider like Google, Apple or Facebook is used to sign in, instead of the user creating a new account specifically for an individual website. For users, it provides a seamless way to log in to the sites and apps they use most frequently. For businesses, it provides a quick way to implement a secure signup and login system. For attackers, it removes the site-specific password that would otherwise be reused and eventually leaked, so there is one less credential to stuff. It does concentrate risk in the provider account, which should itself be protected with multi-factor authentication.

Identity, authentication, and access management are critical elements of business operations, particularly as organisations accelerate their digital transformation to keep pace with the new normal. While data breaches are inevitable, credential stuffing attacks don’t have to be. By considering their identity infrastructure and encouraging a higher level of digital hygiene among employees and customers, businesses will reduce the threat and be able to scale in a more secure and sustainable way.
