Propensity to use the same password makes user accounts vulnerable to takeovers
As per Forrester, 52% of internet traffic is non-human (i.e., bots). In past studies that we (ShieldSquare) conducted, we found out that login pages are one of the most attacked pages/screens of websites/Apps by bots. The recent security breach at Facebook was a type of account takeover attack.
Why is account takeover (ATO) one of the most common forms of cyber attacks -
a. ATO is the 1st step in many other types of attacks e.g., Carding, Gift Card Fraud, Data Mining, Content Theft, Theft of PII, etc. Hence, a successful account takeover is the leverage that works like an exploit-kit, which you can use to conduct other nefarious activities.
b. Verified user credentials are sold in dark web at a high price. In other words, successful account takeover works like a currency.
But why such a huge number of fraudsters are trying their luck at it?
Even though fraudsters are not committing any financial fraud yet if they can verify the stolen credentials on many other popular Internet platforms by exploiting users’ propensity to use the same pwd at multiple portals, they can make a lot of money. Of course, they use automated scripts (bots) to validate stolen credentials at these popular portals. Hence, this approach is scalable, less prone to risks, and is a viable way to make money.
As a user, what can you do?
One easy solution would be to use a regex like pattern in your pwd string. E.g. Door%Mat52# ; replace % with G, F, T, L etc. This can reduce the chances of successful credential stuffing attacks on your account.
What is Credential Stuffing — a type of an ATO attack where fraudsters get access to creds of users at one portal either through phishing or some other way and then use the same creds at many other portals. Needless to say, multi-factor authentications make your account even safer.
As an organization, why should you care?
Your users’ accounts, the reputation of the brand, proprietary content and loyalty points can be at risk. You can also face chargebacks if carders use a compromised account to buy goods using a stolen credit card. In case, your website has content behind a paywall; your site is a bullseye for fraudsters.
I have some good news, too. If your website/app has more than a million daily visitors, you can slash down your infra costs by blocking bad bots or by managing(allowing good bots) bot traffic.
However, containing these large-scale distributed bot attacks is a mammoth task. Manual blocking of IPs or user agents and rate-limiting are not only error prone and unscalable, but it can also cause false positives (a type of unforgivable sin, which is blocking real users). Secondly, most of the sophisticated bots go undetected by conventional security measures of WAFs because bots make syntactically legitimate HTTP requests.
What is the solution — Invest in building a bot management solution that uses behavioral modeling, device fingerprinting, machine learning, the wisdom of the crowd and other techniques that can accurately spot automated activities.
To know more about how sophisticated these attacks are, and what it takes to block them, take a look at our recent blog.