Raise your hand if your login credentials have been stolen at some point in your internet life. I’m looking at you, EVERYBODY! 2.3 Billion credentials were stolen in 2017 alone, so if you’re on the internet, someone, somewhere has your credentials and has probably tried to use them somewhere. Nowadays, 80% – 90% of login traffic world-wide comes solely from what are called Credential Stuffing attacks. HSBC and Dunkin’ Donuts are just a couple of the more recent high-profile victims of this kind of brute-force attack. So what in the world is Credential Stuffing, and how can we protect our applications from it?
Credential Stuffing is a special kind of brute-force attack. Instead of spamming a login page with random passwords over and over again, the attackers use a script with a list of real, stolen credentials. They try every stolen username/password pair they have on your login page. Somewhere around 70% of internet users use the same username and password for all their website logins. The idea is, if you can steal real credentials from an easy target (a web forum, etc.), you might be able to use those credentials to log into something more important. Or should I say, more profitable. US banking loses about $4.6 million a day to credential stuffing, while the retail industry loses a whopping $16.5 million a day.
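The traffic pattern described above is what a defender can key on: a classic brute force hammers one username with many passwords, while credential stuffing tries many usernames once each, mostly failing, with the occasional hit from a reused password. The following detector is an added example, not code from the original post or from any F5 product; the log format, thresholds and sample records are all constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample login events (not real product output), one per line:
# "timestamp src_ip username outcome"
SAMPLE_LOG = """\
2019-02-01T10:00:01 203.0.113.5 alice FAIL
2019-02-01T10:00:02 203.0.113.5 bob FAIL
2019-02-01T10:00:02 203.0.113.5 carol FAIL
2019-02-01T10:00:03 203.0.113.5 dave SUCCESS
2019-02-01T10:00:03 203.0.113.5 erin FAIL
2019-02-01T10:00:05 198.51.100.9 alice FAIL
2019-02-01T10:00:06 198.51.100.9 alice FAIL
2019-02-01T10:00:07 198.51.100.9 alice FAIL
2019-02-01T10:00:08 198.51.100.9 alice FAIL
2019-02-01T10:00:09 198.51.100.9 alice FAIL
2019-02-01T10:00:11 192.0.2.20 grace FAIL
2019-02-01T10:00:15 192.0.2.20 grace SUCCESS
"""

@dataclass
class SourceStats:
    attempts: int = 0
    failures: int = 0
    usernames: set = field(default_factory=set)

def parse_login_log(text):
    """Aggregate login attempts per source IP."""
    stats = defaultdict(SourceStats)
    for line in text.strip().splitlines():
        _ts, src_ip, username, outcome = line.split()
        s = stats[src_ip]
        s.attempts += 1
        s.usernames.add(username)
        if outcome != "SUCCESS":
            s.failures += 1
    return stats

def classify_source(s, min_attempts=5, min_failure_ratio=0.8, min_user_spread=0.8):
    """Thresholds are illustrative assumptions, not vendor defaults.
    Stuffing: near one distinct username per attempt; brute force: few usernames."""
    if s.attempts < min_attempts or s.failures / s.attempts < min_failure_ratio:
        return "normal"
    if len(s.usernames) / s.attempts >= min_user_spread:
        return "credential-stuffing"
    return "brute-force"

def detect_login_abuse(text):
    return {ip: classify_source(s) for ip, s in parse_login_log(text).items()}
```

A real deployment would rotate the window over time and also aggregate per username, since stuffing tools spread attempts across many source addresses.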
Blocking Credential Stuffing
Security > Application Security > Anomaly Detection > Brute Force Attack Prevention > Create
Don’t forget to apply the policy when you’re done.
Security > Event Logs > Application > Brute Force Attacks
In the Access Policy Manager (APM), you can also configure the use of multi-factor and federation-based authentication for your applications.
You can’t control your users’ password discipline, but you can prevent their lack of discipline from compromising your apps.