Introducing a business guide to tackle credential stuffing attacks

David Strom 12 Jan 2022

Exploring several steps that business owners can take to boost their cybersecurity

One of the biggest threats facing both large and small businesses alike goes by the moniker credential stuffing. In these attacks, the bad guys count on our reuse of passwords across two or more logins, and once they find a user name/password pair that works, they try to use that information to break into our other accounts. Akamai, in its latest State of the Internet report, says that it has seen over 193 billion credential stuffing attacks in 2020. These attacks can cost billions of dollars annually once you add up the cost of remediating the problem, handling the flood of customer calls for password resets, and adjusting other operations.

We’ve covered this topic several times, including our recent advice on how to stay safe online and use password managers to prevent password reuse.

The office of New York Attorney General Letitia James has found thousands of posts containing login credentials that had been tested in credential stuffing attacks on a website or app and confirmed that they provided access to a customer account. From this master list, they compiled login credentials for 1.1 million customer accounts at 17 well-known companies, which included online retailers, restaurant chains, and food delivery services. In order to combat credential stuffing attacks, James’ office recently released a business guide.

The guide outlines a series of steps that business owners can take to boost their cybersecurity.

First, detect and defend against credential stuffing attacks using a variety of tools. The first and foremost measure is to use multi-factor authentication (MFA). The guide mentions that their office found one business that had tried to implement MFA but didn’t do it properly, and as a result, the business had 400,000 compromised accounts. As is stated in the business guide, “Businesses should ensure their MFA implementation is thoroughly tested and monitored for effectiveness.”

Another measure is to lock accounts after repeated failed logins and monitor for those lockouts. This is typically done using threat intelligence or bot detection software that can spot bursts of login attempts, especially from unknown IP addresses. One restaurant chain reported in the guide that its bot detection vendor had blocked more than 271 million login attempts over a 17-month period. One resource that we have mentioned several times is Troy Hunt’s central database of leaked account credentials, Have I Been Pwned?, along with Avast BreachGuard, which alerts you if your data has been involved in a breach.
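The detection the guide describes, bursts of failed logins from unfamiliar addresses, is easy to prototype once you have an authentication log. The following is an added example, not code from the article or from the Attorney General’s guide; the log lines, the allowlisted office address, and the thresholds (five distinct accounts or five failures within ten minutes) are constructed assumptions. It separates the two signatures a defender cares about: one source address cycling through many different accounts (the credential stuffing pattern), and one account hit by many failures (the classic lockout rule), and then lists successful logins from a flagged source, which are the accounts that need a forced password reset and a fraud check.

```python
from datetime import datetime, timedelta

# Constructed sample authentication log (not from the article).
# Format per line: "<ISO timestamp> <source IP> <username> <FAIL|SUCCESS>"
SAMPLE_LOG = """\
2022-01-12T08:00:01 203.0.113.7 zed FAIL
2022-01-12T08:00:02 203.0.113.7 bob FAIL
2022-01-12T08:00:02 203.0.113.7 carol FAIL
2022-01-12T08:00:03 203.0.113.7 dave FAIL
2022-01-12T08:00:03 203.0.113.7 erin SUCCESS
2022-01-12T08:00:04 203.0.113.7 frank FAIL
2022-01-12T08:05:00 198.51.100.4 alice FAIL
2022-01-12T08:05:10 198.51.100.4 alice FAIL
2022-01-12T08:05:20 198.51.100.4 alice FAIL
2022-01-12T08:05:30 198.51.100.4 alice FAIL
2022-01-12T08:05:40 198.51.100.4 alice FAIL
2022-01-12T09:00:00 192.0.2.10 grace SUCCESS
"""

# Assumed allowlist of addresses the business already knows (e.g. office egress).
KNOWN_IPS = {"192.0.2.10"}

WINDOW = timedelta(minutes=10)


def parse_log(text):
    """Turn the raw text into (timestamp, ip, user, result) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result))
    return sorted(events)


def failures_by(events, field):
    """Group FAIL events by tuple index: 1 = source IP, 2 = username."""
    groups = {}
    for ev in events:
        if ev[3] == "FAIL":
            groups.setdefault(ev[field], []).append(ev)
    return groups


def detect_stuffing(events, window=WINDOW, min_accounts=5, known_ips=KNOWN_IPS):
    """Credential stuffing signature: one unknown source IP failing against many
    *different* accounts in a short window. Returns {ip: distinct accounts tried}."""
    flagged = {}
    for ip, fails in failures_by(events, 1).items():
        if ip in known_ips:
            continue
        best = 0
        for i, (start, _, _, _) in enumerate(fails):
            users = {ev[2] for ev in fails[i:] if ev[0] - start <= window}
            best = max(best, len(users))
        if best >= min_accounts:
            flagged[ip] = best
    return flagged


def detect_lockouts(events, window=WINDOW, max_failures=5):
    """Per-account lockout rule: N failed logins in a window, regardless of source.
    Returns {username: failures in the worst window}."""
    locked = {}
    for user, fails in failures_by(events, 2).items():
        best = 0
        for i, (start, _, _, _) in enumerate(fails):
            best = max(best, sum(1 for ev in fails[i:] if ev[0] - start <= window))
        if best >= max_failures:
            locked[user] = best
    return locked


def suspicious_successes(events, flagged_ips):
    """Successful logins from a flagged source: the accounts to force a password
    reset on and to hand to fraud review, since a stuffing run that 'hits' looks
    exactly like this in the log."""
    return sorted((ev[1], ev[2]) for ev in events
                  if ev[3] == "SUCCESS" and ev[1] in flagged_ips)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    stuffing = detect_stuffing(evs)
    print("stuffing sources:", stuffing)
    print("lockout candidates:", detect_lockouts(evs))
    print("successes from flagged sources:", suspicious_successes(evs, stuffing))
```

Note that the stuffing rule counts distinct usernames rather than raw attempts: an attacker replaying a leaked list typically tries each account only once or twice, so a plain per-account lockout threshold never fires, which is why the two checks complement each other.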

Other suggestions include using so-called passwordless technologies that combine MFA with hardware fingerprints (a topic discussed in this podcast episode of Tech and Main) and employing a web application firewall to trap bot activity and monitor customer access to your corporate network assets. It’s not recommended to rely on CAPTCHA challenges, since these can easily be defeated by software.

Next, prevent fraud and other misuse of customer information. The Attorney General’s guide recommends that you review fraud cases regularly and have a clear communication channel between your customer service department and your IT security help desk. Some of this fraud can be due to how a business structures its online payment workflow. For example, the guide reports on one situation where orders placed to a new address required re-authentication if the customer paid using a stored credit card, but not if the customer paid with store credit. Attackers who gained access to a customer account would initially place an order to an existing address using the customer’s stored credit card. The attackers would then immediately cancel the order, obtain a refund in store credit, and place a new order to a new address using the just-issued store credit without completing any re-authentication. The guide recommends that businesses re-authenticate everyone at the time of purchase (such as by requiring the CVV for a credit card on file). Other suggestions are to make use of a third-party fraud detection service, and to run phishing awareness programs that train customer service agents to recognize various social engineering techniques.
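The payment workflow gap above is a policy bug, and it is worth seeing why the weak rule and the guide’s recommended rule differ on the same sequence of events. The following is an added example, not code from the article or the guide: the event model, the two policy functions, and the one-hour review window in the fraud flag are assumptions, and the event sequence is constructed to mirror the scenario the guide describes. Running both policies over that sequence shows which orders each one lets through unchallenged, and a separate review rule routes the refund-then-reorder pattern to the fraud team for the regular case review the guide calls for.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    """One step in a customer's session (assumed model, not the guide's)."""
    when: datetime
    kind: str                # "order", "cancel", or "refund_to_store_credit"
    new_address: bool = False  # for orders: ships somewhere not already on file
    payment: str = ""        # for orders: "stored_card" or "store_credit"


def weak_policy(ev):
    """The exploitable rule from the guide's example: re-authenticate only when an
    order goes to a NEW address AND is paid with the stored card. Orders paid with
    store credit never trigger the check."""
    return ev.kind == "order" and ev.new_address and ev.payment == "stored_card"


def recommended_policy(ev):
    """The guide's recommendation: re-authenticate at the time of every purchase
    (for a card on file, e.g. by asking for the CVV), whatever the payment method."""
    return ev.kind == "order"


def unchallenged_orders(events, policy):
    """Orders that the given policy lets through without a re-authentication step."""
    return [ev for ev in events if ev.kind == "order" and not policy(ev)]


def fraud_review_flags(events, gap=timedelta(hours=1)):
    """Assumed review rule, not from the guide: a store-credit refund followed within
    `gap` by an order to a new address paid with that store credit. Even with the
    recommended policy in place this is the pattern a fraud analyst should look at."""
    refunds = [ev for ev in events if ev.kind == "refund_to_store_credit"]
    flags = []
    for ev in events:
        if ev.kind == "order" and ev.new_address and ev.payment == "store_credit":
            if any(timedelta(0) <= ev.when - r.when <= gap for r in refunds):
                flags.append(ev)
    return flags


# Constructed sequence mirroring the abuse pattern described in the guide.
T0 = datetime(2022, 1, 12, 10, 0)
SEQUENCE = [
    Event(T0, "order", new_address=False, payment="stored_card"),
    Event(T0 + timedelta(minutes=1), "cancel"),
    Event(T0 + timedelta(minutes=2), "refund_to_store_credit"),
    Event(T0 + timedelta(minutes=3), "order", new_address=True, payment="store_credit"),
]


if __name__ == "__main__":
    print("weak policy lets through:", len(unchallenged_orders(SEQUENCE, weak_policy)))
    print("recommended policy lets through:",
          len(unchallenged_orders(SEQUENCE, recommended_policy)))
    print("orders for fraud review:", len(fraud_review_flags(SEQUENCE)))
```

The point of keeping the policy as a single predicate over each event is that it can be unit-tested against recorded sequences like this one whenever the checkout flow changes, which is exactly the kind of untested edge (a new payment instrument) that opened the gap in the guide’s example.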

Finally, ensure that you can quickly respond to a credential stuffing incident. Promptly investigate all suspected breaches, act quickly to remediate and block the attackers, and notify your customers.
