How to Defend Against Credential Stuffing
Credential stuffing can be thwarted when the right practices and tools are in place:
Implement Behavioral Analytics
Credential stuffing can be more easily and quickly detected if an organization is able to establish baselines of typical user behavior and traffic patterns. API security offerings like the Salt Security API Protection Platform can automatically create and maintain baselines of typical behavior and identify any activity that deviates from the baseline, including the abnormal movement of data and the attempted manipulation of tokens, user IDs, or API parameters.
Avoid Using Email Addresses as User IDs
Credential stuffing relies on users leveraging the same usernames or account IDs across services. The risk runs higher when the ID is an email address since it is easily obtained or guessed by attackers. Requiring unique usernames can mitigate some of the risk of credential stuffing attacks and potentially exposing users to ATO.
Use Multi-Factor Authentication (MFA)
Credential stuffing relies on automation scripts and tools that cannot easily provide additional factors of authentication, particularly mobile phone authenticator tokens or 2FA tokens sent through alternate channels such as email or SMS. Requiring users to authenticate with additional authentication factors helps mitigate against credential stuffing attacks. Note that attackers can and will also target MFA mechanisms, and organizations must also protect any MFA mechanisms from brute force attacks.
Additional industry guidance suggests the following less-effective defenses against credential stuffing. We mention them here to give the reader a full picture of protection options and to point out potential downsides of these practices.
CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) can reduce the effectiveness of credential stuffing attacks by challenging users to prove that they are human with tasks that are easy for humans but more difficult for computers, such as identifying specific objects in a set of images or recognizing distorted letters. CAPTCHA is easily added to an app or site, but it is just as easily bypassed by hackers using headless browsers or CAPTCHA solving services. The negative interruptive user experience is not commensurate with the amount of security CAPTCHA delivers.
Deploy Device Fingerprinting and User Profiling
Device fingerprinting combines certain attributes of a device to identify it as unique, including operating system, type and version of web browser, language settings, and IP address. Additional user profiling techniques will track how individuals use the devices and the applications on that device, such as where they touch the screen or how fast they move a mouse cursor. When using device fingerprinting as a defense against credential stuffing, one assumes that a device recognized as having certain attributes on one day is the same device seen with those same attributes on another day. If the same combination of parameters logs in several times in sequence, it may point to a credential stuffing attack. The downsides of fingerprinting and profiling include that they require client-side code, which can be reverse engineered and bypassed, and these protections simply don’t work in machine-to-machine or direct API communications.
Implement IP Address Deny lists
Attackers may be working from a limited pool of IP addresses, so recognizing and blocking IPs that attempt to log into multiple accounts can provide some defense against credential stuffing. But recognizing a malicious IP address is not that simple. A hidden link analysis report from Recorded Future suggests that 92% of suspicious IPs are not blacklisted, often because rate limits can be difficult to operationalize across infrastructure. These lists are often not well maintained, and attackers will cycle through IP addresses. Cheap and plentiful cloud computing resources also worsens matters. Attackers will spin up new instances of machines or use serverless compute to perpetuate their credential stuffing attacks, raising the difficulty bar substantially for security teams trying to maintain deny lists.
Rate-Limit Non-Residential Traffic Sources
Attackers may originate attacks from other countries where your organization doesn’t typically do business. Countries such as China, North Korea, or Russia can rank high on the list of concerns for security teams since they are sometimes home to malicious threat actors. You may opt to implement more restrictive rate limits for the IP address ranges of those regions to help mitigate some of the risk of credential stuffing, but most attackers will likely shift to other less restricted IP address space by leveraging other data centers and cloud providers. If you are a global business, applying regional rate limits may also impact legitimate users and have negative impact to the business.
Block Headless Browsers
Stop Credential Stuffing Attacks in their Tracks
Stopping credential stuffing attacks without negatively impacting user experience or deploying client-side code controls that are able to be bypassed means you need to start with the ability to analyze as much data as possible to understand normal behavior, identify the outliers, and put together the pieces to form a bigger picture.
Credential stuffing attacks can “hide in plain sight,” evading existing security measures, especially with services that regularly get massive traffic flows. You need to baseline and analyze traffic to identify anomalies. Beyond that, you also need a solution that can differentiate between user mistakes or behavior that changes in response to a changed API and. malicious activity, such as an attacker probing an API and manipulating API logic.
Salt Security’s API Protection Platform correlates disparate data to analyze behaviors of users and machines as they interact with APIs. After collecting a copy of all an organization’s APIs and pulling it into its big data engine, the Salt platform then uses ML and AI to create a baseline of normal behavior so it can identify anomalies. With this context, Salt accurately distinguishes malicious attacker activity and stops attackers before they’re able to compromise accounts.
Alerts from the Salt Security API Protection Platform contain the crucial context that incident response teams need to understand and respond quickly and effectively to credential stuffing attacks. Our platform provides full timelines of attacker activity, so teams gain insight into what the attacker did and how the application responded. Teams have no need to correlate relevant attack information manually – the platform provides this correlation automatically.
The context that the Salt Security API Protection Platform provides is also essential to helping development teams eliminate vulnerabilities quickly and continuously improve API security posture. A form of feedback loop often promoted as part of DevOps practices, remediation insights within the Salt platform contain details on the location of a vulnerability and what normal activity looks like for that API. The insights also include recommendations on how developers can tackle misconfigurations, close security gaps, and otherwise improve security posture. And Salt delivers these insights in the platforms developer teams are already using, such as Jira and Slack.
Would you like to see how to defend against credential stuffing in your network? Request a personalized demo to see how Salt can help you defend against credential stuffing attacks and how to improve your API security posture.