Access control provider Auth0 has released a new set of tools that it said can reduce the effectiveness of credential stuffing attacks by 85%. The new features are lumped together in what Auth0 calls Bot Detection, and all are designed to reduce the chance that a credential stuffing attack is successful.
Credential stuffing is a common method of brute-force cybercrime that involves using credentials stolen from one breached website to try logging in to another. There’s no guarantee that a person has an account with a target website, nor that they’re using the same password, so credential stuffing attacks involve tossing stolen credentials at login pages by the bucketful. If one sticks, it’s worth the attacker’s effort.
“Sometimes they come in the form of hundreds of thousands of login requests to a site in a short time window, at a very high velocity, and from a relatively small number of IP addresses from unusual locations. They can also come in the form of scripts that send traffic using tactics to dynamically evolve their velocity, location, and number of IP addresses to avoid detection,” said Auth0’s Antonio Fuentes in a blog post about Bot Detection.
Fuentes added that the tradeoff in protecting users and organizations is typically more hassle for the legitimate users, like multifactor authentication and other tools that make it harder to log in.
“To tip the scale in favor of user experience, malicious bots and scripts need to be detected and rejected before the authentication server even processes a login call,” Fuentes said. It’s from that perspective that Auth0 created Bot Detection.
Because credential stuffing attacks use login pages to exploit stolen credentials, the simplest way to interrupt their attack flow is to throw up a CAPTCHA page. That is what Bot Detection does, correlating a variety of data sources to determine whether what’s happening is in fact an attack, and whether or not it’s coming from a bot.
The criteria that Bot Detection uses include monitoring IP addresses, numerous failed login attempts against multiple accounts in a short period of time, IP reputation data that records whether an address is known to launch attacks, and records of known stolen credentials.
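The signals listed above (failure velocity from one address across many accounts, IP reputation, and known-breached credentials) are easy to sketch as a pre-authentication gate. The following is an added example written for this article, not Auth0’s Bot Detection code; the log format, the thresholds, the reputation list and the breached-credential list are all constructed here for illustration. It replays a small constructed login log and decides, per request, whether the request may proceed to the authentication server or should be diverted to a CAPTCHA challenge, which is also the pattern of the "bucketful of credentials from one address" attack described earlier.

```python
"""Velocity-based credential-stuffing gate over a constructed login log.

Added example, not Auth0's code. Log format, thresholds, reputation feed and
breached-credential list are assumptions made for this illustration.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
import hashlib

# Constructed sample log (not real traffic): "<ISO timestamp> <source IP> <username> <ok|fail>"
# 203.0.113.9 cycles through many different accounts; 198.51.100.7 is one user with a typo.
SAMPLE_LOG = """\
2024-01-01T10:00:00 198.51.100.7 alice ok
2024-01-01T10:00:01 203.0.113.9 bob fail
2024-01-01T10:00:02 203.0.113.9 carol fail
2024-01-01T10:00:03 203.0.113.9 dave fail
2024-01-01T10:00:04 203.0.113.9 erin fail
2024-01-01T10:00:05 203.0.113.9 frank fail
2024-01-01T10:00:06 203.0.113.9 grace fail
2024-01-01T10:00:07 198.51.100.7 alice fail
2024-01-01T10:00:08 198.51.100.7 alice ok
2024-01-01T10:00:09 192.0.2.44 heidi ok
"""

# Constructed IP reputation feed: addresses previously seen launching attacks.
KNOWN_BAD_IPS = frozenset({"192.0.2.44"})


@dataclass(frozen=True)
class Attempt:
    ts: datetime
    ip: str
    user: str
    ok: bool


def parse_line(line: str) -> Attempt:
    """Parse one constructed log line into an Attempt."""
    ts, ip, user, outcome = line.split()
    return Attempt(datetime.fromisoformat(ts), ip, user, outcome == "ok")


class StuffingDetector:
    """Gate that runs before authentication: 'challenge' sends the request to a
    CAPTCHA, 'allow' lets it reach the authentication server."""

    def __init__(self, window=timedelta(seconds=60), max_failures=5,
                 max_accounts=3, bad_ips=KNOWN_BAD_IPS):
        self.window = window            # sliding window for failure counting
        self.max_failures = max_failures  # failures per IP within the window
        self.max_accounts = max_accounts  # distinct accounts failed per IP within the window
        self.bad_ips = bad_ips
        self._failures = defaultdict(deque)  # ip -> deque of (timestamp, username)

    def _prune(self, ip: str, now: datetime) -> None:
        q = self._failures[ip]
        while q and now - q[0][0] > self.window:
            q.popleft()

    def decide(self, attempt: Attempt) -> str:
        """Decide on an incoming request using only what is known before authentication."""
        if attempt.ip in self.bad_ips:
            return "challenge"
        self._prune(attempt.ip, attempt.ts)
        q = self._failures[attempt.ip]
        distinct_accounts = {user for _, user in q}
        if len(q) >= self.max_failures or len(distinct_accounts) >= self.max_accounts:
            return "challenge"
        return "allow"

    def record(self, attempt: Attempt) -> None:
        """Feed the authentication outcome back so later decisions see it."""
        if not attempt.ok:
            self._failures[attempt.ip].append((attempt.ts, attempt.user))


def credential_hash(user: str, password: str) -> str:
    """Hash of the username:password pair (assumed representation of a breached-credential list)."""
    return hashlib.sha256(f"{user}:{password}".encode()).hexdigest()


# Constructed breached-credential list: one known-stolen pair.
BREACHED_CREDENTIALS = frozenset({credential_hash("bob", "Password123")})


def credential_is_breached(user: str, password: str, breached=BREACHED_CREDENTIALS) -> bool:
    """True if the submitted pair appears in the known-stolen-credentials list."""
    return credential_hash(user, password) in breached


def replay(log: str, detector: StuffingDetector = None) -> dict:
    """Replay a log through the gate; returns each IP's per-request decisions in order."""
    det = detector or StuffingDetector()
    decisions = defaultdict(list)
    for line in log.strip().splitlines():
        attempt = parse_line(line)
        decisions[attempt.ip].append(det.decide(attempt))  # gate first ...
        det.record(attempt)                                 # ... then learn the outcome
    return dict(decisions)


if __name__ == "__main__":
    for ip, verdicts in replay(SAMPLE_LOG).items():
        print(ip, verdicts)
```

In the replay, the address cycling through accounts is challenged from its fourth request onward (three distinct failed accounts inside the window), the user who mistyped a password once is never challenged, and the address on the reputation list is challenged even though its login would have succeeded. The decision is made before the credentials are verified, which is the point Fuentes makes about rejecting bots before the authentication server processes the call.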
At launch Bot Detection will only support Auth0’s Universal Login, but the company has plans to expand it to other platforms as well. If your organization is using lock.js, lock.android, or lock.swift you can still take advantage of Bot Detection now, but only to support an exception scenario, not to do everything a full Auth0 Universal Login client can do.