Credential Compromise: What You Need to Know About Theft, Stuffing and Spilling and What You Can Do About it

As new technologies emerge, ever-vigilant fraudsters remain hard at work searching for and exploiting system weaknesses before they can be patched.

One such form of cybercrime involves credential compromise. Credential compromise, which encompasses the theft, spilling and stuffing of user account information, is not new. The cycle of infiltrating a company’s systems, stealing credentials like email addresses, user IDs and passwords, and then either using them directly for theft or selling them on the dark web to other criminal actors has been around for years. Its longevity can be attributed to ongoing success enabled by a number of systemic failures, including end-users’ propensity to recycle passwords from site to site, companies’ failure to identify and report compromises in a timely manner and weak system security measures, as well as a hefty return on investment for fraudsters.

For example, according to Shape Security’s 2017 Credential Spill Report (January 2017), the return for cybercriminals on credential stuffing can be as high as 2 percent. So, for every 1 million stolen credentials, criminals could gain access to as many as 10,000 accounts.

Such activity plagues both businesses and end-users who transact across digital channels in increasing numbers and with increasing frequency. Aside from the hard-dollar costs involved in detecting and preventing credential compromise (or to clean up the aftermath of a breach), there are other, less obvious, but equally costly, ramifications.

Fortunately, the risk of credential compromise can be mitigated if you know what to look for and appropriate technology measures are deployed to combat it before it happens.

The Basics of Credential Compromise

Here is some of the latest terminology defining credential compromise:

  • Credential theft: Attackers hack into a system and steal end-users’ account login credentials (user IDs or email addresses and passwords).
  • Credential stuffing: The use of automated means (bots) to test a large set of stolen passwords against websites.
  • Password recycling: The tendency for users to use the same password across multiple online accounts.
  • Credential spilling: The release of mass amounts of user credentials onto the dark web.

The End-to-End Journey of Compromised Credentials

Step 1: Gain access to credentials

Criminal organizations and single actors use various methods to breach typical enterprise security protocols, including phishing/smishing, malware, man-in-the-middle attacks, mass compromise via network breach, and insider theft.

Step 2: Validate the credentials

After a database has been breached by cybercriminals and access to mass amounts of user credentials has been gained, criminals who wish to either use the credentials themselves to gain access to other accounts to commit theft, or to sell the data to the highest bidder on the dark web, must first test the validity of the data. This is where credential stuffing comes into the mix.

Bots and Credential Stuffing

In order to gain that much-sought-after validation, credential stuffing is employed. As mentioned previously, credential stuffing involves mass testing of stolen login IDs and passwords using bots to automate the process. Bots in this context refer to malware infecting one or more computers or mobile devices that allows a criminal actor to take over, control and use the infected machines to perform automated tasks, such as attempting account logins across numerous sites using stolen credentials. Bots are essentially the tool cybercriminals use to weaponize stolen credentials.

How to Detect Bots

Fortunately, using a combination of low- and high-tech approaches to detection, enterprises can reduce the likelihood of a bot attack and the damage it inflicts.

  • Monitor for spikes in site traffic
  • Detect velocity of devices attempting multiple login attempts on multiple accounts over a short period of time
  • Leverage next-generation bot-prevention tools such as device intelligence, device fingerprinting, malware detection, machine learning and behavioral analysis
  • Deploy security solutions that employ multi-factor authentication (MFA)
  • Risk score devices based on malware, location anomalies, operating system configuration anomalies, and fraud tool detection


Using a variety of techniques like these to identify and screen out bots is a crucial factor in slowing and stopping bots before they inflict costly damage, both in terms of expense and reputation.
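As an added illustration of the first two detection bullets above (traffic spikes and per-device login velocity), the following Python script is not part of the original article. It runs over a few constructed authentication-log lines and flags devices that attempt logins against many distinct accounts within a sliding time window, as well as minute buckets whose login volume jumps well above the baseline. The log format, device identifiers, account names and thresholds are all assumptions made for the example.

```python
"""Velocity- and volume-based credential-stuffing detection over sample auth logs.

Added example, not from the original article. Log format, identifiers and
thresholds are assumptions chosen for illustration.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from statistics import median

# Constructed sample log (not real traffic). One line per login attempt:
#   <ISO timestamp> <device_id> <account> <result>
# dev-a1 and dev-c3 look like ordinary users; dev-b2 walks through six
# different accounts in a few seconds, the signature of credential stuffing.
SAMPLE_LOG = """\
2024-03-01T10:00:00 dev-a1 alice OK
2024-03-01T10:00:03 dev-a1 alice FAIL
2024-03-01T10:00:05 dev-a1 alice OK
2024-03-01T10:01:00 dev-b2 user001 FAIL
2024-03-01T10:01:01 dev-b2 user002 FAIL
2024-03-01T10:01:02 dev-b2 user003 OK
2024-03-01T10:01:03 dev-b2 user004 FAIL
2024-03-01T10:01:04 dev-b2 user005 FAIL
2024-03-01T10:01:05 dev-b2 user006 FAIL
2024-03-01T10:15:00 dev-c3 bob FAIL
2024-03-01T10:15:30 dev-c3 bob OK
"""


def parse_line(line):
    """Split one log line into (timestamp, device, account, result)."""
    ts, device, account, result = line.split()
    return datetime.fromisoformat(ts), device, account, result


def parse_log(text):
    """Parse every non-empty line of the log text."""
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def flag_high_velocity(events, window=timedelta(seconds=60), max_accounts=5):
    """Per-device velocity check.

    For each device, slide a window of length `window` over its attempts
    (sorted by time) and record the largest number of distinct accounts
    tried inside any single window. Devices whose peak exceeds
    `max_accounts` are returned as {device: peak_distinct_accounts}.
    A real user rarely touches more than a handful of accounts per minute;
    a stuffing bot cycles through a list of them.
    """
    by_device = defaultdict(list)
    for ts, device, account, _result in events:
        by_device[device].append((ts, account))

    flagged = {}
    for device, attempts in by_device.items():
        attempts.sort()
        peak = 0
        start = 0
        for end in range(len(attempts)):
            # Advance the window start until it fits within `window`.
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            distinct = len({account for _, account in attempts[start:end + 1]})
            peak = max(peak, distinct)
        if peak > max_accounts:
            flagged[device] = peak
    return flagged


def login_rate_spikes(events, bucket=timedelta(minutes=1), factor=1.5):
    """Site-wide volume check.

    Count login attempts per `bucket` and report buckets whose count exceeds
    `factor` times the median bucket count. The median is a crude baseline
    that is good enough for a short sample; production systems would use a
    longer history and per-time-of-day baselines.
    Returns a sorted list of (bucket_start, count).
    """
    counts = Counter()
    for ts, *_ in events:
        # Floor the timestamp to the start of its bucket.
        floored = datetime.min + ((ts - datetime.min) // bucket) * bucket
        counts[floored] += 1
    baseline = median(counts.values())
    return sorted((b, n) for b, n in counts.items() if n > factor * baseline)


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for device, peak in flag_high_velocity(events).items():
        print(f"velocity alert: {device} tried {peak} distinct accounts within 60s")
    for bucket_start, count in login_rate_spikes(events):
        print(f"volume alert: {count} login attempts in bucket starting {bucket_start:%H:%M}")
```

On the sample above, only dev-b2 trips the velocity check (six distinct accounts inside one window) and only the 10:01 minute trips the volume check. The two signals are complementary: a distributed attack spreads attempts thinly across many devices and can pass a per-device velocity threshold while still standing out as a site-wide spike, which is why the article lists both.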

In addition to implementing technology solutions to combat bots directly on your systems, an enterprise may also choose to work with firms that specialize in investigating and exposing cybercrime. Such cybersecurity firms are able to obtain information from the underground criminal forums where the customer information is released, and many times will conclude that the breach is greater in scale than originally assumed. Often they can obtain a sample of the breached data and recommend procedures against further exposure.

Step 3: Use the Validated Credentials

Once cybercriminals have validated the stolen credentials, they are ready to be released on the dark web or sold to the highest bidder. Essentially, stolen and validated credentials are used for the purposes of account takeover, either as a means of gaining access to additional valuable information, or to directly commit transaction fraud.

Once a winning combination of credit card details, IDs and passwords has been stitched together, fraudsters can begin with monetization. Bots may either start with a single high-value card-not-present (CNP) transaction or attempt to deploy many small transactions that fly under the radar.

Impact to Businesses

While hard-dollar fraud losses resulting from compromised credentials are an overwhelming concern for businesses and consumers, the theft, stuffing and spilling of credentials has far broader implications for reputation and consumer satisfaction.

Financial

Regarding the financial impact of credential compromise, Shape Security has already identified $1 billion in attempted fraud from credential stuffing attacks in 2016 alone. Aside from the money that disappears from accounts and must be reimbursed to consumers, businesses must also face the added expense of extra man-hours and of implementing technology solutions to detect, prevent and manage such attacks. The simple impact of the increased site volume generated by credential stuffing has an overwhelming effect on an enterprise’s servers, resulting in outages and slow response times, as well as necessitating ramped-up support center staffing to handle queries from concerned or irate customers.

Confident Decisioning

Additionally, credential stuffing has a profound effect on an organization’s ability to accurately track and leverage valuable insights regarding site traffic through reporting. Valuable metrics like site visits, click-through rates and conversions are used by e-commerce sites and others to analyze performance and make strategic decisions. According to the Shape Security report, “90 percent of login requests on many of the world’s largest web and mobile applications is attributable to traffic from credential stuffing attacks.” Such skewed information can have a profound effect on an organization’s ability to confidently use site analytics to make strategic decisions.

Reputation and Consumer Satisfaction

Massive numbers of password lockouts and reset attempts not only generate a high level of frustration among end-users, but also create staffing challenges, encourage password recycling among users and inflict damage to your business’s reputation.

An unexpected influx of authentication calls into a large organization’s call center can cost several dollars per call; however, customer frustration and lack of trust in an organization’s ability to protect sensitive account and personal information can be far costlier.

Stay Ahead of Cybercriminals

Credential compromise isn’t going away any time soon. Nor are bot attacks that enable cybercriminals to validate sensitive information that provides a hefty ROI for them and facilitates financial theft with increasing sophistication.

It’s essential that security professionals employ every weapon in their arsenal – from monitoring and bot detection to device authentication, identity verification and malware prevention solutions.

The stakes of a credential breach are high, presenting an alarming risk to your organization’s bottom line, reputation and customer trust and loyalty. No matter the type of information your business collects in its systems, it should be protected as if it were virtual gold, because to cybercriminals, it might just be.
