How to avoid credential stuffing attacks

Hackers used data stolen from a gaming site to get logins to a British mobile network's site. Learn about how it happened and what you can do to protect yourself.


The BBC reported last week that private customer data (email addresses, phone numbers, passwords and birth dates) owned by British mobile network O2 was stolen and then sold on the "dark net" by hackers. The dark net, or dark web, refers to a shady part of the internet, outside the realm of search engines and accessible only by certain browsers, where criminals often engage in dishonest or illegal practices.


This isn't a data breach per se, as O2 systems were not directly compromised. According to the article, hackers got into accounts by a process called credential stuffing. This entails using special software to "repeatedly attempt to gain access to customers' accounts by using the login details it has obtained from elsewhere." In this case, the hackers were trying login credentials stolen three years ago from a gaming website called XSplit. In some cases, users had the same username and password, so the login was successful.

This can lead to further problems for victims of this technique. If the passwords match those of accounts on other systems or sites, these accounts may be compromised, or criminals might commit identity theft using the private data of their victims. Some O2 users have already reported fraudulent activity occurring on other accounts they own.

The source of the problem - and the solution - are fairly obvious here. Using the same password in multiple places is a very bad idea. "Password re-use can cripple even the most secure systems," stated Travis Smith, senior security research engineer at Tripwire. "Using authentic credentials rather than attempting to leverage exploits is less risky for the attacker, as security tools are more likely to detect an active exploit. Since passwords are commonly re-used across websites, stolen credentials from one breach are often used across other sites."

I spoke further with Smith about the details behind the O2 incident.

How did this attack happen?

TS: "Indications are that this was a password re-use attack. Criminals compile credentials stolen from other breaches and attempt to authenticate against unsuspecting websites. It's impossible for a website to know if their users' passwords are re-used elsewhere on the internet. Deploying anomaly-based detection tools, such as detecting and/or preventing a user from logging in from a new IP address, can help incidents such as this. However, deploying these tools is complex, costly, and may produce too many false positives to the end-user, which means businesses may not get an adequate return on investment compared to other security technologies."
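
An added example, not part of the interview: the new-IP check Smith describes, run over constructed login events. It also shows the false-positive problem he mentions (a legitimate user on a new network is flagged too) and goes one step further by counting distinct usernames per source IP to prioritise alerts. The event format, IP addresses and threshold are assumptions.

```python
from collections import defaultdict

# Constructed sample login events: (username, source_ip, success).
# 203.0.113.7 works through a list of usernames; alice and bob also log in normally.
EVENTS = [
    ("alice", "198.51.100.10", True),
    ("bob",   "198.51.100.20", True),
    ("carol", "203.0.113.7", False),
    ("dave",  "203.0.113.7", False),
    ("erin",  "203.0.113.7", False),
    ("bob",   "203.0.113.7", True),    # reused password: the login is valid
    ("frank", "203.0.113.7", False),
    ("alice", "192.0.2.55", True),     # alice on a new network: benign
]

def analyze(events, fanout_threshold=4):
    """Return (new_ip_alerts, stuffing_ips).
    new_ip_alerts: successful logins from an IP never seen for that user.
    stuffing_ips: IPs that tried >= fanout_threshold distinct usernames,
    mapped to (distinct usernames, failures, successes)."""
    known_ips = defaultdict(set)      # username -> IPs with prior successes
    per_ip_users = defaultdict(set)   # ip -> usernames attempted
    per_ip_result = defaultdict(lambda: [0, 0])  # ip -> [failures, successes]
    new_ip_alerts = []
    for user, ip, ok in events:
        per_ip_users[ip].add(user)
        per_ip_result[ip][1 if ok else 0] += 1
        if ok:
            # A user's first successful login only establishes the baseline.
            if known_ips[user] and ip not in known_ips[user]:
                new_ip_alerts.append((user, ip))
            known_ips[user].add(ip)
    stuffing_ips = {
        ip: (len(users), *per_ip_result[ip])
        for ip, users in per_ip_users.items()
        if len(users) >= fanout_threshold
    }
    return new_ip_alerts, stuffing_ips

def triage(events, fanout_threshold=4):
    """Split new-IP alerts into high priority (IP also shows fan-out) and low."""
    alerts, stuffing = analyze(events, fanout_threshold)
    high = [a for a in alerts if a[1] in stuffing]
    low = [a for a in alerts if a[1] not in stuffing]
    return high, low

if __name__ == "__main__":
    print(triage(EVENTS))
```

The new-IP rule alone raises two alerts that look identical; only the per-IP username count separates bob's compromised login from alice's legitimate one.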

How common is this type of attack?

TS: "It's difficult to gauge how common this type of attack actually is. Attackers are logging in with valid credentials which don't raise any security alarms on the target website. Only when the resulting data is marketed and sold on the black market is it made public that the website was a targeted victim of password stuffing. What we do know is that it's incredibly easy for criminals to parse through a password dump and automate the procedures to test if the credentials are valid on any number of websites."

How can end users leverage password managers and two-step authentication?

TS: "Many password managers are available for end users, including some which are free. The benefit of a password manager is that it allows end users to easily create not only unique passwords for each service, but more importantly create long, complex, and random passwords which are not easily guessed through brute force techniques. As long as the manager's password is sufficiently complex and not easily guessed, this is a great way to keep an end user's identity safe.

Two step authentication is more difficult for an end user, simply because it's up to the web service to implement that feature for their website. Generally speaking, the user has to prove they own a separate device to gain access to the service. This can be something such as a text message sent to a phone, a rolling passcode, or a key fob in their possession. No matter the technique, the end-goal is to make it harder for an attacker to gain access to another person's account. Even if a password is stolen, the attacker will need access to the secondary device to gain any legitimate access."

What can IT do to protect users?

TS: "First and foremost they should practice what they preach. Enabling two-factor authentication on company-owned assets such as email and intranet sites will force employees to understand the overall procedures of using something such as two-factor authentication. Most end-users either aren't aware of two-factor authentication or consider it too cumbersome to use unless it's a requirement. When employees are forced to perform these activities on a daily basis, it becomes a routine. By making security a routine, employees are more likely to choose security features such as two-factor authentication, even when it's not required."

Two examples of password managers are KeePass and Password Safe. Both are free and securely store account details such as user IDs, passwords and website links within a central encrypted database. The ability to copy and paste details makes them user-friendly and the database can be shared among multiple individuals such as family members or coworkers. It's also possible to store the associated files in Dropbox or Google Drive so they will be synchronized to all devices registered with these services.


There is a cost factor involved with two-step authentication in the form of either physical devices or additional IT labor/customer inconvenience. (It's important to weigh this cost against the cost of a data breach, though.) Therefore, chances are these implementations will grow more rapidly in private companies than on public websites like Amazon or eBay. However, as the security landscape continues to evolve we can expect this technology to grow in popularity and prevalence, and users can - and should - start protecting themselves immediately with password managers.


About Scott Matteson

Scott Matteson is a senior systems administrator and freelance technical writer who also performs consulting work for small organizations. He resides in the Greater Boston area with his wife and three children.
