23andMe, the California-based company which sells DNA testing kits to help people learn about their ancestry and potential health risks, is facing scrutiny from British and Canadian data protection authorities following a security breach that saw hackers compromise the personal data of nearly seven million users. Read more in my article on the Hot for Security blog.

Protecting against credential stuffing attacks requires a multi-layered approach to security. Here are some effective strategies to defend against such threats:

Implement Multi-Factor Authentication (MFA): Require users to provide additional forms of authentication, such as a one-time code sent to their mobile device or a biometric scan, in addition to their username and password. This adds an extra layer of security, making it more difficult for attackers to gain unauthorized access.

Enforce Strong Password Policies: Encourage users to create complex passwords that include a combination of letters, numbers, and special characters. Additionally, consider implementing password expiration policies and preventing the reuse of old passwords.

Monitor and Analyze User Behavior: Utilize behavior analytics tools to monitor user activity and identify suspicious login attempts. By analyzing patterns and deviations from normal behavior, you can quickly detect and respond to potential credential stuffing attacks.

Rate Limit Login Attempts: Implement rate limiting measures to restrict the number of login attempts from a single IP address within a certain time frame. This can help deter automated attacks by making it more difficult for attackers to brute-force login credentials.

Deploy CAPTCHA or Bot Detection: Incorporate CAPTCHA challenges or bot detection mechanisms into your login process to differentiate between legitimate users and automated bots. This can help prevent attackers from using automated scripts to conduct credential stuffing attacks.

Regularly Update and Patch Systems: Keep your software, applications, and web servers up-to-date with the latest security patches and updates. Vulnerabilities in outdated software can be exploited by attackers to gain unauthorized access to user accounts.

Educate Users About Phishing: Raise awareness among users about the dangers of phishing attacks and how to identify suspicious emails or websites. Encourage them to exercise caution when clicking on links or providing personal information online.

Utilize Web Application Firewalls (WAF): Implement a WAF to filter and monitor incoming web traffic, detecting and blocking malicious requests associated with credential stuffing attacks. WAFs can help mitigate the impact of such attacks by blocking suspicious IP addresses or patterns of activity.

By adopting these proactive measures and staying vigilant, organizations can significantly reduce the risk of falling victim to credential stuffing attacks and safeguard their users’ accounts and sensitive information.
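As an added example (not code from the original post), the Python below combines the rate-limiting and behaviour-monitoring advice above: it replays constructed login-log lines through a per-IP sliding window and flags a source only when its failures are both numerous and spread across many different accounts, the pattern that separates credential stuffing from one user's mistyped password. The log format, thresholds and addresses are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample auth log (not from the page): "<ISO timestamp> <source IP> <username> <OK|FAIL>".
# 203.0.113.5 tries credentials against many different accounts (the stuffing pattern);
# 198.51.100.7 is a legitimate user who mistypes once and then logs in.
SAMPLE_LOG = """\
2024-01-01T10:00:00 198.51.100.7 alice FAIL
2024-01-01T10:00:05 198.51.100.7 alice OK
2024-01-01T10:00:10 203.0.113.5 alice FAIL
2024-01-01T10:00:11 203.0.113.5 bob FAIL
2024-01-01T10:00:12 203.0.113.5 carol FAIL
2024-01-01T10:00:13 203.0.113.5 dave FAIL
2024-01-01T10:00:14 203.0.113.5 erin FAIL
2024-01-01T10:00:15 203.0.113.5 frank OK
2024-01-01T10:00:16 203.0.113.5 grace FAIL
"""

WINDOW = timedelta(seconds=60)   # sliding window per source IP (assumed value)
MAX_FAILURES = 5                 # failed logins tolerated per IP per window
MIN_DISTINCT_USERS = 4           # failures spread over this many accounts => stuffing, not a forgotten password

def parse_line(line):
    ts, ip, user, outcome = line.split()
    return datetime.fromisoformat(ts), ip, user, outcome == "OK"

def detect_stuffing(log_text, window=WINDOW, max_failures=MAX_FAILURES, min_users=MIN_DISTINCT_USERS):
    """Return {ip: {"first_alert", "failures", "distinct_users"}} for IPs whose recent
    failures both exceed the rate limit AND are spread across many accounts."""
    recent = defaultdict(deque)   # ip -> deque of (ts, user, ok) inside the window
    alerts = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, ok = parse_line(line)
        q = recent[ip]
        q.append((ts, user, ok))
        while q and ts - q[0][0] > window:   # expire events older than the window
            q.popleft()
        failed_users = [u for (_, u, good) in q if not good]
        if len(failed_users) >= max_failures and len(set(failed_users)) >= min_users:
            alerts.setdefault(ip, {"first_alert": ts})
            alerts[ip]["failures"] = len(failed_users)
            alerts[ip]["distinct_users"] = len(set(failed_users))
    return alerts

def should_throttle(ip, alerts):
    """Rate-limit decision a login endpoint or WAF rule could act on."""
    return ip in alerts

if __name__ == "__main__":
    for ip, info in detect_stuffing(SAMPLE_LOG).items():
        print(f"{ip}: {info['failures']} failures across {info['distinct_users']} accounts since {info['first_alert']}")
```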

The post How to defend against credential stuffing attacks appeared first on Cybersecurity Insiders.

Carole's in her sick bed, which leaves Graham in charge of the good ship "Smashing Security" as it navigates the choppy seas of credential stuffing and avoids the swirling waters of apps being sloppy with sensitive information. Find out more in this latest edition of the "Smashing Security" podcast, hosted by Graham Cluley with special guest BJ Mendelson.

The FBI has issued a warning that cybercriminals are hiding credentials on home IP addresses after hacking connected devices such as IP cameras and routers. For those unfamiliar with the concept of credential stuffing, here is the gist: once a cyber attack takes place and hackers gain access to large amounts of information, such as usernames and passwords, they sell it to other cyber crooks, who then use those credentials to take over online accounts.

The law enforcement agency of the United States, along with the Australian Federal Police, exposed a cyber syndicate that was hosting two websites on which about 300,000 account credentials were being sold for a hefty price.

To avoid such troubles with passwords, tech companies are coming up with alternatives to passwords, such as 2FA, thus paving the way for password-less authentication environments.

But the adoption of such measures is still at a nascent stage, and it could take years before companies can say a permanent goodbye to passwords. And unless businesses build foolproof protections into their products and services, home users will remain exposed to such cyber attacks.

Is that really practical?

Mostly, organizations do not monitor how their users are using passwords, or whether they follow basic principles when creating them. Password reuse is also giving organizations headaches, as most non-IT workers follow this habit, which paves the way to a 30% success rate for credential stuffing attacks: reused passwords are synced or saved in the browser for further use, and thereafter allow easy account takeovers with little effort or investment.

Hence, it becomes tedious for companies and individuals to brace for cyber attacks launched from home IP addresses. A collective approach, in which companies end the concept of passwords and users rely on authentication methods such as 2FA or biometrics, might help… wouldn't it?

NOTE: According to a report released by Akamai, the year 2020 alone witnessed about 193 billion credential stuffing attempts, as lockdowns started the WFH culture and paved the way for the launch of more such attacks.

The post Credential stuffing cyber attacks targeting home IP addresses appeared first on Cybersecurity Insiders.