paint-brush
The Anatomy of Credential Stuffing Attacks in 2020 by@gershwin.aaron
319 reads
319 reads

The Anatomy of Credential Stuffing Attacks in 2020

by Aaron GershwinSeptember 23rd, 2020
Read on Terminal Reader
Read this story w/o Javascript
tldt arrow

Too Long; Didn't Read

The Anatomy of Credential Stuffing Attacks in 2020 will be revealed by Aaron Gershwin. This year, 2020 reports are revealing an increase in cyber-attacks and consequential financial losses. The FBI released a PIN (Private Industry Notification) warning about a spike of these kinds of attacks against the US financial sector. Gershwin recommends a few password managers that excel in particular fields that they excel in protecting your online accounts and protect your accounts. The most common passwords still include "12345", "password", "qwerty", and alike.

Companies Mentioned

Mention Thumbnail
Mention Thumbnail
featured image - The Anatomy of Credential Stuffing Attacks in 2020
Aaron Gershwin HackerNoon profile picture

This year began in chaos. The chaos brought numerous challenges to both businesses and employees alike. With a significant portion of the population working from home, home network security and online safety's been brought to the forefront of technological challenges. Now that the year is coming to a closer end, 2020 reports are revealing an increase in cyber-attacks and consequential financial losses.

At the beginning of last year, a report came out that "Hackers Are Passing Around a Megaleak of 2.2 Billion Records." Data leaks have been a problem for over a decade, and several years later they were capitalized by cybercriminals in the form of Credential Stuffing cyber attacks. This February it was reported that Credential Stuffing attacks started targeting APIs, making them particularly dangerous for financial institutions. And two weeks ago the FBI released a PIN (Private Industry Notification) warning about a spike of these kinds of attacks against the US financial sector.

But Credential Stuffing attacks hurt casual Internet users just as much as they do businesses. At the very end, it is their accounts that are being taken over, as many Disney+ early subscribers could confirm, having their accounts stolen and sold for as cheap as $3 on black markets, instead of $6.99 original cost.

However, as will be soon explained, Credential Stuffing massively relies on incompetent password use and, more importantly, reuse, and there is a simple solution to the problem - password managers. So let's overview what a Credential Stuffing attack is, and how exactly can password managers help with the issue, with some noteworthy service recommendations at the very end of the read.

What is a Credential Stuffing attack?

One of the main reasons that Credential Stuffing attacks became so common is the lack of technical skills required to carry out one. The principle is this:

1. A massive amount of username-password combinations, called combolists, leak from some vulnerable services (for example, infamous Marriott hotel data leak);

2. These combolists are being sold or passed around in the black markets and obtained by an interested party;

3. With the help of automatization software and a proxy list or a botnet, the combolist is tried on another service in hopes that the same password was reused;

4. In case of success, account takeover is initiated.

The process is straightforward and usually has 0.5%-3% success rate, which is a lot considering combolists may contain as much as 5 million leaked units if not more. A common mistake, as cybersecurity writers at password manager NordPass inform, to notice is that having a complex password makes no difference if the same password is reused twice or more - that's what "Stuffers" hope for in the first place.

Earlier this year, American computer and network security company RSA Security released a threat report drawing attention to the "credential stuffing gold rush." The point to take from the report is an emphasis on the monetization part of Credential Stuffing. There are concrete and easily extractable profits from these undemanding attacks. And that seduces many cybercriminals, hence the "gold rush". Check the image below for possible account types to be exploited for an easy grab.

Furthermore, according to SplashData, the most common passwords still include "12345", "password", "qwerty", and alike. This way there's not even a need for a username-password part, because cybercriminals can try stuffing these generic, and, unfortunately, still used classics in hopes of success. That's why it's important to use separate and unique passwords for each service you use. LastPass reported that a business user manages 191 passwords on average; needless to say, it's not possible to remember that many different passwords, and writing them down in one place defeats the whole purpose.

Luckily, password managers have been there for a long time, some going as early as 2003, and some joining the market as we speak (check the password manager recommendations at the end of this article). However, various researches still inform that password managers aren't implemented as widely as they should be, and standard practices of remembering my passwords fall flat. That's why I'd like to draw attention to the more secure way of protecting your online accounts and recommend a few password managers that excel in particular fields they specialize at.

How do password managers work?

First of all, password managers allow storing different, unique, complex passwords in one place, without exposing these passwords to the risk of being leaked. Furthermore, most advanced password managers have zero-knowledge architecture, which means that not even they could take a look at your passwords, even if some rogue admin at their company felt like it. So how do they do that?

What password managers do is take all your passwords and encrypt them in one place, called the vault. Encryption standards may differ, and so may the place where the vault is stored. In layman's terms, it may be an offline password manager, storing your passwords on your device and nowhere else; or it might be a cloud-based password manager, which holds the vault on the server. Both have pros and only a few cons, however, both methods are considered trustworthy.

Instead of remembering all your passwords, you only need to remember one - your master password. The master password is used to decrypt the vault solely by you, and only you do the encryption/decryption, because of zero-knowledge architecture. In a cloud-based solution you send the master-password to the server in multiple times hashed form (a method of encryption) so the server cannot derive the original password from it and unlock the vault. The master password cannot leak or be stolen from the server. This is a simplified explanation, for those interested in digging deeper I'd suggest reading the rest of my cybersecurity articles on Hacker Noon.

The key takeaway is that all of your different passwords are encrypted and unattainable to anybody else except you. That's why it's highly advisable to remember the master password by heart, or write it down and put somewhere only you will find because once it's lost nobody will be able to retrieve your passwords.

That's why password managers work and are widely recommended by cybersecurity experts. 

Having in mind that different password managers suit a particular category of users, I'd like to recommend three divergent password managers that excel in specific areas. A user-friendly password manager for comfort, a freemium password manager, and a free password manager for advanced users. But keep in mind, that doesn't mean other services in the market are less suited for your needs and doing your research is a good way to go.

NordPass

Ease-of-use with advanced encryption.

NordPass joined the password manager industry in 2019 from the same company that owns a prominent Virtual Private Network NordVPN. VPNs rely heavily on encryption, and it reflects on this product, because, to my knowledge, NordPass is the only password manager that uses XChaCha20 encryption instead of the commonly used AES-256 algorithm. You can expect this password manager to work slightly faster. However, a stronger argument would be that XChaCha20 is a more innovative way of handling encryption and already is being implemented by Google and Cloudflare.

Furthermore, NordPass, alongside his big brother NordVPN, is known for minimalistic easy-to-use App design and responsive customer support. You will be able to easily add-remove passwords, autofill them in web pages instead of tiresome typing, cross-device functionality and secure password generating, among other features. Data breach scanner, which will alert you if your password has been leaked, is scheduled soon - a valuable addition to an already promising service.

LastPass

Best freemium password manager.

LastPass is one of the best-known password managers that was introduced in 2008. It offers a fully functional free service, which can be upgraded to premium or family plans. With browser extension on all major browsers, it allows password autofill, cross-device compatibility, Multi-factor authentication (MFA), and more. Upgrades will enable priority technical support, 1GB encrypted file storage, DarkWeb scanner for password leaks, and password management benefits for family use. 

Since it's been in the market for a long time, LastPass had a few vulnerabilities, none of them resulting in password leak or compromise. Furthermore, the last serious issue was fixed within 24 hours, strengthening their reputation as a hard-working business that takes security seriously.

KeePass

Free password manager for advanced users only.

KeePass has secured a rock-solid reputation among those willing to put an extra effort into learning to manage a powerful cybersecurity software. Moreover, it's open-source software, which is appreciated by software developers who want to know the intricacies of the service they use or even contribute to fixing the bugs and making improvements.

Nevertheless, KeePass has been praised for granting complete control over your data and high customization. If you're a tech-savvy person that likes the challenge of setting things up your way - this service will not leave you wanting more. Summing that up with the availability of various plugins and improvements is what makes KeePass a solid choice for advanced users.