This is A MoFo Privacy Minute, where we will answer the questions our clients are asking us in sixty seconds or less.
Question: Preventing, detecting, and responding to credential-stuffing attacks has always been a challenge for my company, and every company, since the credentials are not actually stolen from us. Yet our customers are still harmed if the credentials are used to access their accounts with us. What measures can companies use to address credential-stuffing attacks?
Answer: Why not learn what tactics are working best for other companies, and at the same time take the measures that regulators have told us that they expect from businesses? Conveniently, the Office of the New York Attorney General (NYAG) recently asked 17 companies how they are preventing, detecting, and responding to credential-stuffing attacks, and published a Business Guide based on what it learned from those companies.
Credential stuffing is a type of cyberattack that involves automated attempts to log into online accounts using usernames and passwords stolen from other online services, exploiting people’s tendency to reuse passwords across multiple online services. A successful credential-stuffing attack may allow attackers to make fraudulent purchases using payment methods, points, or coupons saved in customer accounts, use customer data to conduct phishing attacks, or sell customer credentials on the dark web.
According to the NYAG, more than 15 billion stolen credentials are circulating on the Internet, which has fueled a significant rise in credential-stuffing attacks. Credential-stuffing attacks are so common that they have become virtually unavoidable for many businesses. The Business Guide outlines four areas for companies to focus on when safeguarding their business against credential-stuffing attacks:
- Defending Against Credential-Stuffing Attacks: The Business Guide highlights bot detection, multifactor authentication, and passwordless authentication to thwart credential stuffing. Bot detection software is designed to identify and block bot-generated Internet traffic and can distinguish between human and bot traffic even when bot traffic has been disguised. This is a highly effective method to defend against credential-stuffing attacks by blocking unauthorized login attempts. Multifactor and passwordless authentication methods are also effective safeguards, as they require an alternate set of credentials to log into an account. Most attackers with access to a stolen password do not have access to other credential types or authentication factors (e.g., an authenticator app or a one-time code sent via text or email).
- Detecting a Credential-Stuffing Attack: According to the Business Guide, monitoring customer activity is the most effective way to detect credential stuffing. Most credential-stuffing attacks can be identified by analyzing a business’s customer activity for telltale signs such as spikes in site traffic or an unusual number of failed login attempts. The Business Guide recommends systematically monitoring customer traffic, which may involve automated, around-the-clock surveillance, third-party bot detection services, and tools such as Web Application Firewalls that assist with reviewing customer traffic.
- Preventing Fraud and Misuse of Customer Information: To prevent the fraudulent use of customers’ stored payment information, the Business Guide suggests that businesses require re-authentication at the time of purchase when a triggering event occurs, such as an order being shipped to a new address or picked up at a new store location, and that this requirement apply to every payment method accepted, including credit cards, gift cards, store credit, and loyalty points.
- Responding to a Credential-Stuffing Incident: According to the Business Guide, every business should have a written incident response plan with a process for responding to credential stuffing, covering investigation, remediation, and notice. If it has reason to believe that customer accounts have been targeted, a business should conduct a timely investigation and determine if and how its authorization system was circumvented. If customer accounts have been accessed without authorization, a business should remediate by blocking the attacker’s access, resetting credentials or freezing the accounts, and closing gaps in existing safeguards to prevent continued exploitation. Finally, according to the Business Guide, businesses should clearly and accurately convey material information concerning the attack to each impacted customer through an individualized notice so that customers may take steps to protect themselves (e.g., review online and financial accounts for fraud and secure other accounts that use the same compromised credentials). In some cases, breach notification laws might apply, requiring statutory notices to be sent to account holders or regulators.
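As an added illustration of the activity analysis described under "Detecting a Credential-Stuffing Attack" (example code written for this note, not from the Business Guide or the NYAG), the script below parses constructed login log lines and flags sources that fail against many distinct accounts, the pattern that distinguishes stuffing from a single customer mistyping their own password. The log format, field names, IP addresses (RFC 5737 documentation ranges), and thresholds are all assumptions.

```python
import re
from collections import defaultdict

# Constructed sample auth log (not real data); IPs are from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z src=203.0.113.5 user=alice result=fail
2024-05-01T10:00:02Z src=203.0.113.5 user=bob result=fail
2024-05-01T10:00:02Z src=203.0.113.5 user=carol result=fail
2024-05-01T10:00:03Z src=198.51.100.7 user=henry result=fail
2024-05-01T10:00:03Z src=203.0.113.5 user=dave result=fail
2024-05-01T10:00:04Z src=203.0.113.5 user=erin result=fail
2024-05-01T10:00:05Z src=198.51.100.7 user=henry result=fail
2024-05-01T10:00:05Z src=203.0.113.5 user=frank result=fail
2024-05-01T10:00:06Z src=203.0.113.5 user=grace result=success
2024-05-01T10:00:12Z src=192.0.2.9 user=irene result=success
"""

# Assumed log layout: timestamp, source address, username, login result.
LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\w+)$")


def parse_log(text):
    """Parse log lines into dicts; lines that do not match the expected layout are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def analyze(text, min_failures=5, min_distinct_users=5):
    """Flag sources failing against many distinct accounts (stuffing) rather than retrying one account."""
    events = parse_log(text)
    per_src = defaultdict(lambda: {"failures": 0, "users_failed": set(), "successes": 0})
    for e in events:
        s = per_src[e["src"]]
        if e["result"] == "fail":
            s["failures"] += 1
            s["users_failed"].add(e["user"])  # spraying across accounts is the telltale sign
        else:
            s["successes"] += 1  # a success after many failures may be a stolen credential that worked
    suspicious = {}
    for src, s in per_src.items():
        if s["failures"] >= min_failures and len(s["users_failed"]) >= min_distinct_users:
            suspicious[src] = {"failures": s["failures"], "distinct_users": len(s["users_failed"]),
                               "successes": s["successes"]}
    fails = sum(1 for e in events if e["result"] == "fail")  # site-wide failure ratio as the spike indicator
    return {"suspicious_sources": suspicious, "failure_ratio": round(fails / len(events), 3) if events else 0.0}


if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

A flagged source with a success recorded after its failures is a candidate for the remediation steps above (freezing the affected account and resetting its credentials), while the legitimate retrying user is left alone.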
The effectiveness of the safeguards identified in the Business Guide will likely change over time as attackers adopt new tactics. As credential-stuffing attacks become more common, businesses will need to regularly evaluate the effectiveness of existing safeguards and implement new ones as appropriate.