How to Block Credential Stuffing Attacks
When careless users re-use passwords across multiple accounts, attackers use automated tools and the large supply of breached credentials to execute credential stuffing attacks. This low-hanging fruit is a lucrative attack vector for cybercriminals and can lead to major data breaches and devastating financial consequences.
Which of the following can prevent credential stuffing attacks?
Unlike brute force attacks, which try every possible combination of characters, numbers and symbols over and over, credential stuffing uses passwords that were already cracked from the hashes leaked in previous breaches. These “combo lists” of usernames and passwords are easy to obtain: an entire underground economy sells stolen credentials along with specialized tooling. Coupled with innovations like headless browsers, which let attackers load web pages without a user interface, this lets attackers iterate through lists of compromised logins far faster than any human user could.
Blocking re-used login credentials and requiring two-factor authentication (2FA or MFA) are the best ways to thwart these attacks. But even these measures can be bypassed by sophisticated bots. That’s why companies should look for a solution that combines multi-factor authentication with other security measures, such as device fingerprinting to detect suspicious login behavior. This approach builds a unique fingerprint for each login session from information such as language, OS, browser, time zone and more. If the same fingerprint shows up several times in a row, it’s likely an attack, and that can trigger IP blocking, temporary bans and other countermeasures to ward it off.
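The fingerprint-based detection described above, as an added example that is not code from the original article or from any product it describes. It hashes the session attributes the article lists (language, OS, browser, time zone) into one fingerprint, counts how often each fingerprint appears within a sliding time window, and flags a fingerprint once it is used more than a threshold number of times in that window. The window length, the threshold, the login records and the IP addresses are all constructed assumptions for illustration.

```python
import hashlib
import json
from collections import defaultdict, deque

# Hypothetical detection thresholds (assumptions, not values from the article).
WINDOW_SECONDS = 60          # how far back "in a row" looks
MAX_USES_PER_WINDOW = 5      # same fingerprint this many times -> suspicious


def fingerprint(attrs: dict) -> str:
    """Reduce a login session's attributes to one stable fingerprint string.

    Keys are sorted so the hash does not depend on attribute order.
    """
    canonical = json.dumps(attrs, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def detect_credential_stuffing(attempts, window=WINDOW_SECONDS, limit=MAX_USES_PER_WINDOW):
    """Flag fingerprints seen at least `limit` times within any `window` seconds.

    attempts: iterable of (timestamp, source_ip, account, attrs) in time order.
    Returns {fingerprint: {"ips": set(...), "accounts": set(...)}} so the caller
    can see which sources and which accounts the suspicious client touched.
    """
    recent = defaultdict(deque)   # fingerprint -> timestamps still inside the window
    seen = defaultdict(lambda: {"ips": set(), "accounts": set()})
    flagged = {}
    for ts, ip, account, attrs in attempts:
        fp = fingerprint(attrs)
        q = recent[fp]
        q.append(ts)
        while q and ts - q[0] > window:   # expire timestamps older than the window
            q.popleft()
        seen[fp]["ips"].add(ip)
        seen[fp]["accounts"].add(account)
        if len(q) >= limit:
            flagged[fp] = seen[fp]        # same dict object, so it keeps growing
    return flagged


def ips_to_block(flagged) -> list:
    """Collect the source IPs behind flagged fingerprints, e.g. for a temporary ban."""
    return sorted({ip for info in flagged.values() for ip in info["ips"]})


# Constructed sample traffic (not real logs). Two ordinary users with distinct
# fingerprints, then one headless client walking a combo list: identical
# fingerprint, a different account every second.
_BOT_ATTRS = {"lang": "en-US", "os": "Linux", "browser": "HeadlessChrome/120", "tz": "UTC"}
SAMPLE_ATTEMPTS = [
    (0, "198.51.100.7", "alice",
     {"lang": "de-DE", "os": "Windows", "browser": "Firefox/121", "tz": "Europe/Berlin"}),
    (5, "198.51.100.9", "carol",
     {"lang": "en-GB", "os": "macOS", "browser": "Safari/17", "tz": "Europe/London"}),
]
SAMPLE_ATTEMPTS += [
    (10 + i, "203.0.113.5", f"user{i:03d}", dict(_BOT_ATTRS)) for i in range(8)
]
SAMPLE_ATTEMPTS.sort(key=lambda rec: rec[0])

if __name__ == "__main__":
    hits = detect_credential_stuffing(SAMPLE_ATTEMPTS)
    for fp, info in hits.items():
        print(f"fingerprint {fp[:12]}... hit {len(info['accounts'])} accounts "
              f"from {sorted(info['ips'])}")
    print("block:", ips_to_block(hits))
```

Counting uses per fingerprint alone is noisy in practice: many legitimate users behind one corporate NAT or on one default browser build share a fingerprint. Keying the alert on the number of distinct accounts a fingerprint touches, as the returned `accounts` set allows, is what separates a stuffing run from a busy office.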
…