A recent Risk Alert from the SEC's Office of Compliance Inspections and Examinations (OCIE), drawn from the cybersecurity observations made during its examinations, warns of the rapid rise of a threat that gives attackers a way into user accounts without exploiting any vulnerability in the target system or cracking any password.
The threat is called 'Credential Stuffing.' It is a simpler and 'smarter' way to infiltrate user accounts. Instead of spending effort on cracking password hashes, attackers buy or download lists of credentials exposed in earlier breaches, which circulate freely on dark web marketplaces and forums. These lists pair email addresses (or usernames) with the passwords their owners used on the breached service.
How Big of a Threat is Credential Stuffing?
Most people use a single email address as their username on almost every service they sign up for. Unfortunately, the assumption that many of them also use the same password on several of those services is a valid one.
So we have to ask ourselves: if an attacker holds the email address and password a user chose for one service, what stops that attacker from trying the same pair on other services? That is the whole principle credential stuffing relies upon.
It is therefore easy to see how a single act of carelessness by an average user, reusing one password, can end in severe consequences.
How Does Credential Stuffing Work?
Attackers first acquire the leaked credentials and then move to the next phase: testing each email/password pair against other services, typically high-value targets such as online banking, retail, email and streaming accounts. They use bots and automated tools to try thousands of pairs per hour, usually spreading the attempts across many proxy IP addresses so that no single source looks suspicious. Only a small fraction of the pairs will work on any given service, but at this scale that fraction still adds up to far more compromised accounts than could ever be reached by hand.
Each successful login can also open the way to accounts whose password is not identical to the leaked one. People who reuse passwords often also vary them predictably (a changed year, a trailing digit, a different suffix), so attackers generate variants of the known password and try those as targeted guesses, turning one confirmed password into access to further accounts.
No firm is safe from this kind of attack, and patching alone does not help, because no software vulnerability is exploited: the attacker simply logs in with valid credentials. The defence lies in the service provider's authentication controls and login monitoring. With this simple trick, an old breached account that you may have forgotten about can end with your bank account details being compromised.
Tips for Prevention
There are plenty of ways to protect a company's user base and personal data. The following are the most effective practices, implemented either as corporate policy or as part of an everyday routine.
1. Multi-Factor Authentication (MFA): Requiring a second factor in addition to the password means a leaked password alone is no longer enough to log in, which defeats credential stuffing outright. Phishing-resistant factors (hardware keys, passkeys) are stronger than SMS codes.
2. CAPTCHAs: Forcing a human decision at login raises the cost of automated attempts. CAPTCHAs are not a complete answer, since they can be outsourced to solving services, but they are a useful layer in front of the login endpoint.
3. Monitor Systems: Look for the signature of stuffing in authentication logs: high volumes of failed logins, many distinct usernames attempted from one source, and an unusually low success rate compared with normal traffic. Rate-limit or block sources that match, and force a password reset on accounts that succeeded from them.
4. Access Control: Limit what a freshly authenticated session can do, for example by capping the number or value of financial transactions and requiring re-authentication for sensitive actions, so a single compromised login causes bounded harm.
5. Update Policies: Revise authentication policy as the threat changes, for instance by screening new passwords against lists of known-breached passwords so that users cannot choose one that is already in attackers' hands.
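The mechanism described above (leaked pairs replayed once each from rotating source addresses) and the monitoring described in tip 3 are illustrated in the following added example. It is not code from the original article or from the SEC; the user table, the "leaked" credential dump, the IP addresses and the thresholds are all constructed for the demonstration. It builds a toy login service, runs a simulated stuffing campaign and a single-account brute-force attempt against it, then classifies each source in the resulting auth log and lists the accounts that should be forced to reset their password.

```python
"""Toy login service, simulated credential-stuffing run, and detection over its auth log.
All users, passwords, addresses and thresholds are constructed for this example."""
import hashlib
import hmac
from collections import defaultdict


def hash_password(password: str, salt: str) -> str:
    """Salted PBKDF2-HMAC-SHA256; the iteration count is illustrative, not a recommendation."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 20_000).hex()


# Constructed user table for a hypothetical service. alice and carol reuse the password they
# used on another (hypothetical) breached site; bob and dave use different passwords here.
USERS = {
    "alice@example.com": hash_password("Summer2019!", "alice@example.com"),
    "bob@example.com": hash_password("correct horse battery", "bob@example.com"),
    "carol@example.com": hash_password("hunter2", "carol@example.com"),
    "dave@example.com": hash_password("unique-and-long-passphrase", "dave@example.com"),
}

# Constructed dump as it might be sold after a breach elsewhere: (email, plaintext password).
LEAKED_CREDENTIALS = [
    ("alice@example.com", "Summer2019!"),
    ("bob@example.com", "bob-old-password"),
    ("carol@example.com", "hunter2"),
    ("dave@example.com", "dave-old-password"),
    ("erin@example.com", "letmein"),
    ("frank@example.com", "qwerty123"),
    ("grace@example.com", "password1"),
    ("heidi@example.com", "iloveyou"),
    ("ivan@example.com", "123456"),
    ("judy@example.com", "dragon"),
]


def login(log: list, ts: int, source_ip: str, email: str, password: str) -> bool:
    """Verify a credential pair and record (ts, source_ip, email, success) in the auth log."""
    stored = USERS.get(email)
    ok = stored is not None and hmac.compare_digest(stored, hash_password(password, email))
    log.append((ts, source_ip, email, ok))
    return ok


def run_stuffing(log: list, leak: list, source_ips: list, start_ts: int) -> list:
    """Replay each leaked pair exactly once, rotating source IPs to spread the attempts."""
    hits = []
    for i, (email, pw) in enumerate(leak):
        if login(log, start_ts + i, source_ips[i % len(source_ips)], email, pw):
            hits.append(email)
    return hits


def detect(log: list, window: int = 300, min_attempts: int = 5, max_success_rate: float = 0.5):
    """Bucket attempts per (source IP, time window) and label the behaviour.

    credential_stuffing: many attempts, about one per distinct account, mostly failing.
    brute_force: many attempts against a single account.
    Returns ({source_ip: label}, {accounts that logged in successfully from a stuffing source}).
    """
    buckets = defaultdict(list)
    for ts, ip, email, ok in log:
        buckets[(ip, ts // window)].append((email, ok))
    findings, compromised = {}, set()
    for (ip, _), events in buckets.items():
        attempts = len(events)
        if attempts < min_attempts:
            continue  # too little traffic from this source to judge
        accounts = {email for email, _ in events}
        success_rate = sum(ok for _, ok in events) / attempts
        if len(accounts) == 1:
            findings[ip] = "brute_force"
        elif len(accounts) / attempts >= 0.8 and success_rate <= max_success_rate:
            findings[ip] = "credential_stuffing"
            compromised.update(email for email, ok in events if ok)
    return findings, compromised


def simulate():
    """Build one auth log containing stuffing, brute-force and legitimate traffic."""
    log = []
    hits = run_stuffing(log, LEAKED_CREDENTIALS, ["203.0.113.10", "203.0.113.11"], start_ts=1000)
    for i, guess in enumerate(["password", "bob123", "Bob2020!", "qwerty", "letmein", "welcome1"]):
        login(log, 1010 + i, "198.51.100.7", "bob@example.com", guess)  # single-account brute force
    login(log, 1020, "192.0.2.50", "alice@example.com", "Summer2019!")  # alice's own normal login
    return log, hits


if __name__ == "__main__":
    auth_log, stuffing_hits = simulate()
    labels, to_reset = detect(auth_log)
    print("stuffing hits:", stuffing_hits)
    print("findings:", labels)
    print("force a password reset on:", sorted(to_reset))
```

Two design points worth noting. The stuffing sources are recognised by shape rather than volume: almost every attempt names a different account and most fail, which is the opposite of a brute-force source (one account, many guesses) and of a normal user. Second, because real campaigns rotate through far more addresses than the two used here, a per-IP threshold of this kind should be complemented by a fleet-wide view (the failed-login rate across all sources, and the number of distinct accounts failing in the window), since an attacker who keeps each address below the per-source threshold would otherwise go unseen.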