By Tin Zaw
You don’t have to be a techie to know that the number of records compromised during mega breaches has risen from hundreds of millions to a billion recently. It is a pretty safe bet that my login credentials – along with my mother-in-law’s, my deceased grandmother’s and yours – are all up for sale somewhere on the dark web.
Before we panic, however, let’s take a look at what happens when a mega breach occurs.
Your login identity – usually your email address – along with personal data such as your address, date of birth, personal preferences, profile picture, and friend list, makes its way into the wrong hands. Sometimes – that is, if you are really unfortunate – the following could also be compromised:
- your login password in human-readable plain text (if you are really, really unfortunate)
- your login password in encrypted form
- your password reset information, such as your favorite kindergarten teacher’s name
Your credit card information may be stolen too, but we will let banks worry about it – at least for the purposes of focusing on the credential supply chain aspect of this article.
What we security professionals call credentials – that is, your email address and password or password reset information – don’t just stay with the first set of wrong hands that gained access to them. These credentials could very well find their way onto the black market for digital goods, hidden in the deep, dark web where your favorite search engine cannot easily reach. This dark web is where a second pair of wrong hands would buy your credentials, usually paying in the cyber currency called Bitcoin or, perhaps, with some kind of malicious cyber ‘favor’.
When this second pair of wrong hands gets your login credentials, they write a program to try these credentials – yours, mine, our friends’, our relatives’ – at a website to see whether some of them pass through. This is almost always a different website from the one the credentials were stolen from. That matters because, as you know, we all reuse those credentials at different websites. And, after all, we can only have one favorite kindergarten teacher, right?
The OWASP Automated Threat Handbook, which I co-authored, calls this act credential stuffing. In this threat, a programmatic attempt is made to try a long list of stolen credentials at a website with the hope that some will pass through. As we tend to reuse our credentials, some will pass through. At that point, the attacker will have complete control over an account.
But this situation is not completely hopeless. There are some things we as consumers can do ourselves, and other actions we can insist the website operators do on our behalf in order to reduce the negative consequences of mega breaches and credential stuffing.
As a consumer, we can do the following:
- Use a different email provider – or at least a different email account – for your commercial transactions like banking and shopping. Use another for personal communications. Use yet another for your professional communications, such as when you are looking for a job.
- If your email provider allows it, use a slightly different email variant (such as +XYZ at the end of your username) for each store, bank, etc.
- Use a different password for each website. Go ahead, write down those passwords in a little book. Keep that little book under lock and key, just like you do with your valuables. Perhaps even store it in a safe deposit box. Let your browser remember these passwords too (but don’t sync them online).
- Set up what is called two-factor or two-step authentication if the website allows it. In addition to your password, you will have to type in ever-changing digits or approve it on your smartphone. It makes it much more difficult for wrongdoers to cheat.
- That favorite kindergarten teacher? Well, have a fictional one. In fact, create a fictional one for each website (and write it down). The same goes for other password reset questions.
The above actions may seem complicated and cumbersome. But even following some of these recommendations can make your account more secure. Why would you risk it?
Beyond your personal actions, you can also insist that the owners of the websites you use protect you against credential stuffing attacks. The OWASP Automated Threat Handbook outlines what are called countermeasures to defend against programmatic attacks such as Credential Stuffing. Ask your website owner to take a look at the book – it’s free!
Here are some tips and tricks website owners can use to protect their website. Some of this may be geek-speak, but don’t worry, they will understand.
- Rate limit how often a browser can exercise the login and password recovery functions. Even if that rate is based on IP addresses (the least accurate way to identify a browser), the countermeasure will slow down these attacks.
- Identify the browser – the user agent, technically speaking – more accurately by using other information such as HTTP headers. Apply this information to limit excessive attempts.
- Fingerprint the browser using a number of techniques, including open source methods, to identify it better and to block excessive attempts from a single device.
- Instrument web applications from their inception so that they can detect the attack and self-defend against it.
- Get help from a technology provider if one cannot do it alone.
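As an added illustration of the first three countermeasures above (rate limiting, identifying the client from more than its IP address, and flagging a single device that cycles through many accounts), here is a Python sketch of a sliding-window login limiter. It is not code from the article or from the OWASP handbook; the thresholds, header values, IP addresses and login events are constructed for the example.

```python
import hashlib
from collections import defaultdict, deque

WINDOW = 60.0           # seconds of history kept per client
MAX_ATTEMPTS = 5        # login attempts allowed per client inside WINDOW
MAX_DISTINCT_USERS = 3  # distinct usernames one client may try inside WINDOW

def client_fingerprint(ip, headers):
    """Key the limiter on IP plus stable request headers, so a shared NAT
    address with different browsers behind it yields different keys."""
    parts = [ip, headers.get("User-Agent", ""), headers.get("Accept-Language", "")]
    return hashlib.sha256("|".join(parts).encode()).hexdigest()[:16]

class LoginRateLimiter:
    """Sliding-window limiter over login (or password-reset) attempts."""
    def __init__(self):
        self.history = defaultdict(deque)  # fingerprint -> deque of (ts, username)

    def check(self, ts, ip, headers, username):
        """Record one attempt and return 'allow' or the reason it is blocked."""
        window = self.history[client_fingerprint(ip, headers)]
        while window and ts - window[0][0] > WINDOW:  # drop expired attempts
            window.popleft()
        window.append((ts, username))
        if len(window) > MAX_ATTEMPTS:
            return "blocked: too many attempts"
        # Stuffing signature: one client cycling through many different accounts
        if len({user for _, user in window}) > MAX_DISTINCT_USERS:
            return "blocked: credential stuffing pattern"
        return "allow"

# Constructed header sets: a browser and a scripted client
BROWSER = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64) Firefox/120.0", "Accept-Language": "en-US"}
SCRIPT = {"User-Agent": "python-requests/2.31.0"}

SAMPLE_ATTEMPTS = [  # constructed events: (timestamp, ip, headers, username)
    (0.0, "203.0.113.5", BROWSER, "alice@example.com"),
    (2.0, "203.0.113.5", BROWSER, "alice@example.com"),   # real user retrying a typo
    (5.0, "198.51.100.7", SCRIPT, "alice@example.com"),
    (5.5, "198.51.100.7", SCRIPT, "bob@example.com"),
    (6.0, "198.51.100.7", SCRIPT, "carol@example.com"),
    (6.5, "198.51.100.7", SCRIPT, "dave@example.com"),    # fourth distinct account
    (7.0, "198.51.100.7", BROWSER, "erin@example.com"),   # same IP, different client
    (70.0, "203.0.113.5", BROWSER, "alice@example.com"),  # earlier attempts expired
]

def run_sample():
    """Feed the constructed attempts through one limiter; return the decisions."""
    limiter = LoginRateLimiter()
    return [limiter.check(*attempt) for attempt in SAMPLE_ATTEMPTS]
```

Running `run_sample()` shows the scripted client blocked on its fourth distinct username while the browser sharing its IP address is still allowed through.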
Credential stuffing threats not only affect us individually but they affect the web ecosystem. However, we all can do our part on both sides of the ether to help reduce their impact.
About Tin Zaw
Tin Zaw has served as Verizon Digital Media Services’ director of global security solutions since 2015. He and his team provide managed and professional web security services for clients' web properties. He launched the services during his first year at Verizon and continues to grow the operations each year.