Most people are probably used to leaving Chipotle feeling stuffed, but some customers recently had a different experience. According to reports on popular social media channels, hijacked user accounts were used to order food for delivery, often to addresses in other states and sometimes in quantities that cost account owners hundreds of dollars. The popular chain maintains that there has been no data breach. In fact, all signs point to a different type of attack: credential stuffing.
Credential stuffing is the practice of hackers bombarding a site with user ID and password combinations that are already known to be valid somewhere else. They assemble a giant database of these credentials and then slam them against every e-commerce website they can find until they discover which ones let them in.
The Credential Stuffing Crisis
Most people use the same few passwords for all of their online accounts. It’s easy to understand why: Research from LastPass indicates that the average business person juggles 191 passwords, which is a tall order under the best of circumstances. To ease the burden, an alarming number of users — 59%, according to data compiled by LogMeIn — recycle their old passwords for new accounts even though 91% know it’s a risky practice that compromises their security.
Last year’s breach of Marriott/Starwood compromised as many as 500 million guest accounts, and the breach of Equifax in 2017 lost 147 million. However, these pale in comparison to Yahoo’s fumble of 3 billion user accounts in 2013.
With so many high-profile breaches making headlines, one thing is certain: Your old login credentials have been exposed. Not only that, but they’re certainly available for purchase on the dark web at prices so low they make the best Black Friday deals look like outrageous ripoffs. While data from Experian illustrates that login info for payment services such as PayPal can fetch anywhere from $20 to $200, general logins cost as little as $1. That’s bad news, especially considering how often those credentials are reused across accounts.
For cybercriminals, these databases of stolen credentials represent a treasure trove that can yield massive paydays. All the bad actors have to do is find out which key fits in which lock. That’s where the practice of credential stuffing comes into play. Criminals use software designed to try huge numbers of username and password combinations with every login they can find on the web. That means they try logging in to financial institution websites, payment processors such as Venmo and PayPal, e-commerce sites such as Amazon, and anywhere else they think would be beneficial to hack.
Cybercriminals have many tools, from SNIPR to Sentry MBA, available to conduct credential stuffing attacks. It’s a numbers game, and the success rate might surprise you. According to one security provider, between 0.1% and 2% of credential stuffing attempts are successful. If that number sounds low, consider that internet infrastructure firm Akamai attributed 30 billion login attempts to credential stuffing in 2018 alone. That’s an average of more than 80 million every single day.
Protect Your Customers From Credential Stuffing
If your systems are hacked, the credentials you hold for your customers can be reused in credential stuffing attacks against every other site those customers use. That erodes the trust your customers have placed in you. How you prepare for and respond to any kind of attack is as important as the breach itself. Taking a few basic precautions will show your customers that you care about their data security and their trust:
#1. Use firewalls on the front lines
Firewalls are your first line of defense against credential stuffing. Once in place, they can block a sudden flood of invalid login attempts, a pattern that is almost always the work of automated software guessing at user credentials. Costing $3,000 to $4,000, it’s money well spent. Firewalls are also useful because they block the types of attacks that can clog a small business’s limited bandwidth and bring your network to its knees.
If you notice a slowdown in network speeds and you’re seeing a huge amount of traffic from a single IP address, a firewall will help you block that bad actor and shut the attack down quickly.
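The pattern the firewall is meant to catch, a burst of failed logins from one address, can be spotted in your own authentication logs before any blocking rule is written. The script below is an added example written for this article, not code from Chipotle, Akamai or any firewall vendor: it scans constructed sample log lines (the line format, IP addresses, usernames and thresholds are all assumptions) with a sliding time window per client IP, and goes one step beyond the text by separating credential stuffing, which cycles through many different usernames from one source, from plain password guessing against a single account.

```python
"""Flag client IPs whose failed-login pattern looks automated.

Added example for the article above, not code from any product it mentions.
Log format, sample addresses, usernames and thresholds are constructed for
illustration: "<ISO-8601 UTC timestamp> <client IP> <username> <LOGIN_OK|LOGIN_FAIL>"
"""
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed sample log (not real traffic). 203.0.113.7 tries many different
# accounts in seconds; 192.0.2.9 hammers one account; 198.51.100.4 is a real
# user who mistypes a password twice and then succeeds.
SAMPLE_LOG = """\
2019-04-10T12:00:01Z 203.0.113.7 alice LOGIN_FAIL
2019-04-10T12:00:02Z 203.0.113.7 bob LOGIN_FAIL
2019-04-10T12:00:02Z 198.51.100.4 carol LOGIN_OK
2019-04-10T12:00:03Z 203.0.113.7 carol LOGIN_FAIL
2019-04-10T12:00:04Z 203.0.113.7 dave LOGIN_FAIL
2019-04-10T12:00:05Z 203.0.113.7 erin LOGIN_OK
2019-04-10T12:00:06Z 203.0.113.7 frank LOGIN_FAIL
2019-04-10T12:00:07Z 203.0.113.7 grace LOGIN_FAIL
2019-04-10T12:00:10Z 192.0.2.9 admin LOGIN_FAIL
2019-04-10T12:00:11Z 192.0.2.9 admin LOGIN_FAIL
2019-04-10T12:00:12Z 192.0.2.9 admin LOGIN_FAIL
2019-04-10T12:00:13Z 192.0.2.9 admin LOGIN_FAIL
2019-04-10T12:00:14Z 192.0.2.9 admin LOGIN_FAIL
2019-04-10T12:00:30Z 198.51.100.4 carol LOGIN_FAIL
2019-04-10T12:00:45Z 198.51.100.4 carol LOGIN_FAIL
2019-04-10T12:01:10Z 198.51.100.4 carol LOGIN_OK
"""


def parse_line(line):
    """Split one log line into (datetime, ip, username, result)."""
    ts, ip, user, result = line.split()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return when, ip, user, result


def find_login_abuse(log_text, window_seconds=60, max_failures=5, min_distinct_users=3):
    """Return {ip: {"kind", "failures", "distinct_users"}} for every client IP that
    produces at least `max_failures` failed logins inside any `window_seconds`
    sliding window. "credential_stuffing" means the failures spanned at least
    `min_distinct_users` different usernames; "password_guessing" means they
    concentrated on fewer accounts. Lines must be in chronological order.
    """
    recent = defaultdict(deque)   # ip -> (timestamp, username) of failures still in window
    flagged = {}
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        when, ip, user, result = parse_line(raw)
        if result != "LOGIN_FAIL":
            continue                # successes never count toward the threshold
        q = recent[ip]
        q.append((when, user))
        while (when - q[0][0]).total_seconds() > window_seconds:
            q.popleft()             # age out failures older than the window
        if len(q) < max_failures:
            continue
        distinct = {u for _, u in q}
        entry = flagged.setdefault(ip, {"kind": "", "failures": 0, "distinct_users": 0})
        entry["failures"] = max(entry["failures"], len(q))
        entry["distinct_users"] = max(entry["distinct_users"], len(distinct))
        entry["kind"] = ("credential_stuffing"
                         if entry["distinct_users"] >= min_distinct_users
                         else "password_guessing")
    return flagged


def ips_to_block(flagged):
    """Sorted list of the addresses a firewall rule should drop."""
    return sorted(flagged)


if __name__ == "__main__":
    for ip, info in find_login_abuse(SAMPLE_LOG).items():
        print(f"{ip}: {info['kind']} ({info['failures']} failures, "
              f"{info['distinct_users']} usernames)")
```

The distinction matters for the response: a single account under attack can be locked or its owner warned, whereas a stuffing source should be blocked outright, because locking every account it touches would let the attacker lock out your real customers.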
#2. Adopt two-factor authentication
If firewalls build a moat around your networks, two-factor authentication is the sentry at the gates. Firewalls can block the majority of credential stuffing attacks, but they can’t protect you against a hacker actually getting a username-password combination right. If one of your employees had his login information stolen in the Equifax breach and he relies on the same credentials for your small business network, you need a sentry to stop a bad actor from using those credentials to get into your network. That’s where two-factor authentication, or 2FA, comes into play.
With 2FA, a login attempt requires a second form of user authentication. Typically this confirmation is a one-time code sent by text message to a phone number or by email, so it arrives on a device or in an account a hacker wouldn’t have access to. For an even more secure solution, rely on software such as Google’s Authenticator app to produce a time-sensitive access code that verifies the authenticity of the login attempt.
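The time-sensitive code an authenticator app shows is a TOTP (RFC 6238), which is an HMAC over the current 30-second time step keyed with a secret shared during enrollment. The code below is an added example, not from the article or from Google; it implements the standard algorithm and a server-side verifier that tolerates one step of clock drift and refuses replay of a code that was already accepted. The secret and timestamps are the public test values from RFC 4226 and RFC 6238, not real credentials.

```python
"""Time-based one-time passwords (RFC 6238) as a second login factor.

Added example written for this article; not code from Google Authenticator
or any other product. RFC_SECRET is the published RFC 4226/6238 test key.
"""
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6, digestmod=hashlib.sha1) -> str:
    """HMAC-based OTP (RFC 4226): HMAC(secret, counter) -> dynamic truncation -> digits."""
    msg = struct.pack(">Q", counter)                    # 8-byte big-endian counter
    mac = hmac.new(secret, msg, digestmod).digest()
    offset = mac[-1] & 0x0F                             # low nibble picks a 4-byte window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = 30, digits: int = 6,
         digestmod=hashlib.sha1) -> str:
    """TOTP (RFC 6238) is HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, at_time // step, digits, digestmod)


def verify_totp(secret: bytes, submitted: str, at_time=None, step: int = 30,
                digits: int = 6, drift: int = 1, last_used_counter: int = -1):
    """Server-side check of a user-submitted code.

    Accepts the code for the current step or up to `drift` steps either side
    (phone clocks are rarely exact). Returns the time-step counter that matched
    so the caller can persist it and pass it back as `last_used_counter`; any
    counter at or below that value is rejected, which stops an attacker who
    intercepted a code from replaying it inside the same 30-second window.
    Returns None on failure. Comparison is constant-time.
    """
    if at_time is None:
        at_time = int(time.time())
    if not (submitted.isdigit() and len(submitted) == digits):
        return None
    base = at_time // step
    for delta in range(-drift, drift + 1):
        counter = base + delta
        if counter <= last_used_counter:
            continue
        if hmac.compare_digest(hotp(secret, counter, digits), submitted):
            return counter
    return None


def secret_from_base32(b32: str) -> bytes:
    """Authenticator apps exchange secrets as base32 (the otpauth:// URI format)."""
    b32 = b32.strip().upper()
    return base64.b32decode(b32 + "=" * (-len(b32) % 8))


RFC_SECRET = b"12345678901234567890"   # public test secret from RFC 4226 / RFC 6238


if __name__ == "__main__":
    # RFC 6238 lists 94287082 for this key at T=59 with 8 digits and SHA-1.
    print(totp(RFC_SECRET, 59, digits=8))
    now = int(time.time())
    code = totp(RFC_SECRET, now)
    print("current code:", code, "accepted at step:", verify_totp(RFC_SECRET, code, at_time=now))
```

Two server-side details make the difference between a real second factor and a decorative one: the secret must be stored with the same care as a password hash (it is a key, not a hash), and the accepted counter must be recorded so the same code cannot be submitted twice.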
#3. Verify security with VPNs
The ability to log in to your business network from outside the office is the norm. After all, it’s how you and your employees get work done on the road or grant access to contractors. This can be a boon to productivity, as long as you pay attention to network security. If you’re working from a coffee shop, for example, you probably join the Wi-Fi network that looks like it’s provided by the shop. But appearances can be deceiving.
If that network was set up by a hacker, it can be used to spy on your online activity and intercept the data you send. To make insecure networks secure, rely on a virtual private network. VPNs encrypt data as it’s transmitted from one location to another, so hackers who intercept it are left with garbled information that’s almost impossible to decipher.
#4. Secure your team
Employees might balk at new cyber-defense efforts such as two-factor authentication, but executives are often the biggest source of complaints. No matter where the naysayers reside on the corporate ladder, getting buy-in is typically about education above all else.
When people know how easily the company network could be compromised and learn about the consequences that accompany such a catastrophe, they’re less likely to complain about the one extra step when logging in. They’ll also be more amenable to the password-change requirements you impose, and they’ll be less likely to reuse an old favorite once they come face-to-face with the facts of credential stuffing.
Small business owners often mistakenly believe that they’re too small to be a target for hackers. But all businesses are vulnerable to credential stuffing because virtually every company has someone whose credentials have been stolen from somewhere. Fortify your defenses to prevent your company from becoming the next credential stuffing casualty.
Has your company fallen victim to credential stuffing? How did you deal with the fallout? Sound off in the comments below.