Password Reuse, and the Growing Threat of Fake Logins

---

---

Collecting large amounts of customers’ sensitive data and storing it on Internet-accessible systems has become commonplace. Modern consumers expect to be able to manage their bank account, go shopping, and post on social media from their smartphone. These accounts also need to be easily accessible and usable for legitimate users, meaning that most are protected simply by usernames and passwords.
 
However, the need to make data easily accessible to consumers creates significant issues for data security. An attacker who gains access to a user’s account may be able to collect a great deal of sensitive information and even to leverage that access to attack the organization. The combination of frequent data breaches and poor password security by users gives attackers ample opportunities to gain and abuse this access.
 
Data Breaches and Password Security
 
Data breaches have become an everyday occurrence as cybercriminals take advantage of weak cyber defenses at many companies to gain access to customers’ sensitive data. While the details and scope of these breaches can vary dramatically, they tend to share some commonalities.
 
One of the common threads in data breaches is leaked customer credential databases. In order to authenticate users to a web page, the organization needs to store some type of credential information to compare provided passwords against. This is typically accomplished by storing password hashes, which make it impossible for an attacker to determine the user’s password from the provided hash.
 
However, storing credential information securely does little to protect user credentials if these credentials can be easily guessed by an attacker. Many people use weak and easily guessed passwords, which can be easily identified in a set of breached data and used to authenticate to that service. Not only that, but 59% of people use the same credentials for all of their online accounts, making the impacts of a breach must worse.
 
Fake Logins for Credential Stuffing
 
Once an attacker gains access to a user’s credentials, through a data breach, phishing attack or other means, they often use it in a credential stuffing attack. Credential stuffing attacks involve testing lists of breached credentials on a new service. For example, hackers may take a leak of passwords from a site like Facebook and then try to use the same sets of credentials to log into common online banks. If they are successful, they gain access to the account and can leverage that access directly or resell the credentials as “verified” for that service.
 
As the number of data breaches containing user account credentials have become more common, the credential stuffing attack has grown in popularity among cybercriminals. In fact, 53.3% of social media login attempts are fraudulent. The fact that credential stuffing attacks can easily be automated means that attackers can try to log into social media services more often than the billions of legitimate users.

Once an attacker has access to a user’s online account, whether social media or otherwise, this access can be leveraged in a variety of different ways. Many of these accounts have access to a great deal of sensitive information that can be sold on the black market or used in blackmail, spear phishing, or other attacks. Alternatively, some organizations’ websites have vulnerabilities that are only accessible to authenticated users, so access to a powerful account on the service can act as a stepping stone for future attacks.
 
Regardless of the details of the attack, credential stuffing attacks can easily result in a large-scale data breach and significant damage to the user and company alike. Whether the attacker steals a single piece of data from thousands of accounts or leverages a single powerful account to steal an entire database, failure to protect user accounts against attack can potentially result in damage to a company’s brand image and penalties being levied by regulators for non-compliance and poor protection of customer data.
 
Detecting and Preventing Data Theft
 
Most cybersecurity solutions are designed to protect against unauthorized users gaining access to sensitive data or functionality. These solutions look for attempts to exploit vulnerabilities in Internet-facing services designed to gain an attacker initial access to the internal network.
 
However, in the case of credential stuffing attacks, an attacker doesn’t need to use these tactics to get access to user accounts. With access to a potential set of valid user credentials, an attacker only needs to take “legitimate” actions to access the user’s account, i.e. an attempted login. Protecting against brute-force password guessing attempts is typically based upon detecting an attacker trying a large number of incorrect passwords before finding the correct one. Yet, the number of people that reuse passwords across services and the availability of these passwords in breach datasets may make it so an attacker only has to guess once to find the correct answer, which is no different than the behavior of a legitimate user.
 
In these cases, protecting a user’s sensitive information against being breached requires the ability to differentiate between legitimate user behavior and that of an attacker when both have the correct credentials for a system.
 
As a result, protecting customer data in the new world of data breaches and credential stuffing attacks requires organizations to deploy security solutions that use behavioral analytics to identify when attempted access to data or a user account is likely benign or malicious. Organizations should also deploy multi-factor authentication (MFA) solutions to raise the bar for attackers attempting to take advantage of stolen user credentials.