Protecting your business at every turn.
Credential stuffing: the latest cyberattack business owners need to know about
By 2 September 2020 4 min read
In mid-August, 2020, the Canada Revenue Agency (CRA) announced it had been the target of credential stuffing attacks. Thousands of CRA customer accounts had been compromised and cancelled as a result.
Credential stuffing attacks represent one of the biggest cybersecurity threats to businesses and individuals in the past five years. Even worse, their sophistication is increasing. But many business owners aren’t even aware of the threat.
What is credential stuffing?
Credential stuffing can get complicated, but the essential idea is simple. Hackers acquire a database of usernames and passwords through a cyber breach or purchase a list of credentials on the dark web1. They then use automated bots to run these stolen credentials through various online accounts and platforms like online banking sites to see if they can find a match. The rewards for the criminals can be significant
According to the experts at Digital Shadows, there are more than 15 billion credentials in circulation available for purchase on cyber criminal marketplaces on the dark web. That represents a 300-per cent jump in under two years. The attacks aren’t just targeting bank accounts—they can also access highly sensitive information or hijack your social media with misleading or damaging posts.
Skip the password repetition
Credential stuffing is powerful because it preys on human nature. Convenience is the word of the century, particularly when it comes to our digital lives. As the digital footprints of businesses and people continue to grow, coming up with unique usernames and passwords for our corporate accounts, social media or online banking becomes more of a burden.
“If you are reusing your password, even if you are recycling it, it is at risk because someone might have it,” warns Aisha Kitchelew, ATB senior manager, fraud investigations and cyber crime. “If you find that your credentials are stolen, but then reuse the same username or password even years down the road, you are still at risk because those credentials can circulate for years after on the dark web.”
Credential stuffing can work for more than passwords.
It is very common for individuals to reuse the same email address or username to log onto different websites. Similar to this, PIN codes for your cell phones and debit cards are also commonly shared. Cyber criminals love to take advantage of these vulnerabilities, and credential stuffing is one of the ways they do so, in increasingly growing volumes.
If a fraud threat group gets a match when running your company’s credentials through a credential stuffing attack, they will almost immediately log on and access your funds with one goal in mind—to maximize monetary gain. For example, a cyber fraudster might not be able to get into your company’s bank account but could buy merchandise in your company name through a business account, then resell it on the open market.
Credentials are often resold on the dark web after the first cyber breach, then reused months or even years later. Again, successfully, because people either weren’t aware of the breach or did not change all their passwords. After a credential stuffing attack has been executed, the fraud threat group will take it one step further by posting the list for sale on the dark web, to get every little bit out of it that they can.
Steps to protecting your data
Fortunately, your toolkit is far from empty when it comes to prevent credential stuffing attacks. Here are some important steps you can take:
Monitor onsite traffic to catch any usual patterns,
such as numerous failed logins, or a sudden increase in failed attempts. Larger corporations and financial institutions invest in bot screening, which is automated technology that will monitor aberrations like an increase in logins, failure rates, and differentiate between human and non-human behaviour.
“reCAPTCHA is known as one of the most effective ways to detect bots,” says Kitchlew. The familiar aid presents a table of photos asking the reader to identify, say, which ones have cars in them. “This is a very reliable tool for online businesses to have,” she says.
Keep up with cybersecurity advances and news of website breaches.
Find out when it happened and if you or anyone in your business had any dealings with the hacked business and change your passwords.
Implement multi-factor authentication (MFA).
MFA is using a secondary device to access an account online—like receiving a text message or using an authenticator app on your smartphone when logging in on your computer. The use of MFA prevented the majority of bulk phishing and bot attacks, according to Google and Microsoft.
Use risk-based authentication.
When someone logs in with risk-based authentication, the system will identify the IT address, field location and user, and then decide whether they are likely a legitimate user or not.
Say “no” to storing your username and password on favorite sites.
It will mean sacrificing some convenience, but consider this—if Equifax, one of North America’s largest consumer credit reporting agencies could get its database stolen, alongside other major organizations like the CRA, your favorite container manufacturer or third-party supplier could, too.
Five more steps to protect your business
- Use complex passwords and get a password manager.
- Don’t reuse logins and passwords. Have a strong username—don’t use your email address.
- Rotate your passwords—the more critical the site, the more often you should be changing.
- Involve your customers—ask them to choose complex passwords, change them and not share.
- Educate your team members about cyber risks and give them the tools they need to keep the business safe.
Your business is worth more than its value. It is your livelihood and your future. Stay a few steps ahead of the game by recognizing these risks and making your cyber strategy strategy as sophisticated as your enterprise.
You might be interested in
Although sometimes used interchangeably, deep web and dark web are not the same.
The deep web is anything on the internet that isn’t accessible by a search engine like Google and includes anything behind a paywall or that requires sign-in credentials.
Things like medical records, membership websites and confidential business web pages are on the deep web, which takes up between 95 and 99 per cent of the internet.
Dark web is a subset of deep web, and one that needs a specific anonymizing browser to access. While the encrypted network was launched in the late 1990s to provide anonymity for human rights and privacy activists, criminals quickly found ways to create an underground marketplace for illegal activity.
The dark web does however, continue to be a vehicle for free speech, a resource for places where internet use is criminalized, a home for educational institutions, whistleblower sites and even Facebook.
While we want this information to be useful for you, we make no promise, representation or warranty about its accuracy or completeness. We don’t accept any liability or responsibility whatsoever for any loss arising from any use of this document or its contents. This information is not kept up-to-date. Without our prior consent, this document may not be reproduced in whole or in part, or referred to in any manner, including any information, opinions and conclusions it contains. This document is provided for information purposes only and is not intended to replace or substitute for professional advice.