In 2020 State of New York fined Dunkin Donuts for more than $650,000 and forced the renowned chain to begin a Cyber Security Program that would solve a 5-years-lasting issue: user credential security.
The doughnut manufacturer was then requested to issue a mail that would inform all its customers about the data breaches that occurred between 2015 and 2019, giving them suggestions on how to request assistance and how to apply for a refund in case of unauthorized transactions executed on their behalf.
This means Dunkin had to refund fraudulent transactions that occurred through hacked users’ accounts for the whole 2015-2019 period. The most amazing thing is that this very expensive and durable hacking scheme, credential stuffing, is considered by Cloudflare (Internet Security Service Provider) a low success rate attack strategy.
How did it end up costing so much to Dunkin’ Donuts and its customer? How can you avoid making the same mistakes?
In this article, we’ll have a deep review of Credential Stuffing workings and how to prevent it.
What is Credential Stuffing
Credential stuffing is considered a variation of brute-force attacks.in this scheme, attackers manage to get lists of usernames and passwords from one or multiple sources. With the credential records they attempt to gain unauthorized access to user accounts on different websites and online services, by automated login attempts with all the credentials.
The automated tools used in the process are bots programmed to enter the stolen login information in rapid succession on login pages of different websites until they find a match.
As mentioned before, this attack strategy has very low success rates. However, given the huge number of attempts that attackers can try in succession, even a 0.1% success rate can turn into a considerable value for hackers. For example, let’s assume a credential stuffing scheme involves an attacker with 10’000 credentials. If they were to try those credentials on 10 websites, they would reach 100’000 attempts. Out of that amount of attempts, a 0.1% success rate corresponds to 100 successfully accessed accounts.
If on those 100 accounts, an average sum of 100$ was spent, we would immediately reach 10’000$ of stolen funds.
To reach 100’000$ of stolen funds it would be sufficient, statistically speaking, to try and use those credentials on 100 websites instead of 10 or to have 100’000 credentials instead of 10’000.
This is why, despite the low success rate, this attack strategy has been used many times and it still provides a good return on investment to attackers. The fact that it can be automated, the fact that stolen credential databases often have more than 100’000 records, and the fact that there are way more than 10 websites that can potentially expose someone’s credit card data, are all reasons why Credential Stuffing has been a treacherous attack strategy in the past few years.
In the next section, we will see how to protect from credential stuffing.
How to protect from Credential Stuffing
Credential stuffing attacks require both the merchant/service provider and the customer/user to use cybersecurity best practices standards:
- For merchant/service providers: enforce password security standards of length and complexity for your users. Allow them to enable multi-factor authentication and consider improving login security by tracking suspicious activity, like simultaneous login from very different geographical locations or device confirmation. Most importantly, use encryption or equivalent security measures to protect your customer’s data. Several techniques can help you make sure that even if data is leaked it is unusable and, in addition, you must enforce incident responce and reporting practice across your company to ensure your customers can take action as fast as possible.
- For users/customers: Never use the same password for two websites. You can rely on password managers to help you create and store secure credentials. Also, check the security settings of the website you navigate and be sure you have a good combination of security/accessibility settings. Minimise the credentials you create and the data you leave around the web by keeping in check which accounts you regularly access and which you don’t (consider deleting the latter).
If you are on either side and you do your part, you’ll reduce significantly the chance of success that Credential Stuffing attacks can benefit from.
Credential Stuffing, like other brute force based techniques, is a narrow success chance but high volume attack. Decreasing both volume of applicability and success chance are key factors in reducing usability of these types of attack. In order to discourage hackers from using it, and prevent any immediate threat, you can use the most common password creation best practice and choose carefully the information you leave on websites. Make sure your service provider enforces best practices (such as encryption of data at rest and in transit) before trusting them with your credentials and payment methods.