Hikvision Cybersecurity Director on How Attackers Access Your Accounts Using Credential Stuffing, and Three Tips to Address this Security Concern
Our previous Hikvision blog discussed using multi-factor authentication (MFA) to reduce security concerns and outlined a number of tips to implement MFA for better cybersecurity.
An excerpt from that blog: “MFA adds two or more pieces of verifiable evidence or factors to the authentication process to greatly reduce security concerns by lowering the chances of an account being accessed by the wrong person. Two-factor authentication (2FA) is a subset of MFA and is a means of authenticating with just two pieces of verifiable evidence or factors. A good real-world example of 2FA is using an ATM. You use something you have, the ATM card, and something you know, your PIN.”
In this blog, we’ll discuss credential stuffing—what it is and how to avoid being a victim of it.
What is Credential Stuffing?
Almost every day we see headlines about some sort of data security breach. The public is now almost numb to this news and the reaction by the end users whose credentials were lost is typically to reset their password and move on.
Resetting that one password is likely not enough for most people because, according to a January 2019 study by Yubico and Ponemon, 51 percent of the respondents reuse their passwords across multiple accounts.
So why is it bad to reuse passwords across multiple accounts? Because bad guys will take that long list of usernames and passwords from data security breaches, and use them in an attack called credential stuffing. I know, this sounds like a bad Thanksgiving side dish full of conference badges … it’s worse!
Credential stuffing is when an attacker takes a long list of usernames and passwords and, using an automated script, tries each pair on many popular websites. Those sites could be business or email related, like Google, Apple, and Microsoft; social media accounts like Facebook, LinkedIn, and Instagram; shopping accounts like Amazon; or any other popular sites, such as banks and payment tools like Venmo.
Once the automated script successfully logs into a site, that username and password pair is saved for later review and use by the attacker against other sites. So let’s walk through an example. Let’s assume that Bob reuses passwords across many of his accounts. He has one password for work accounts and a separate one for social media accounts. After the LinkedIn security breach a few years ago, Bob’s username and password were made public when miscreants posted the list of breached account credentials to the Internet.
A threat actor, named Mary, decided to take that list and run it through her credential stuffing script. Once the script finished its run, Mary found out that Bob had reset his LinkedIn password, as instructed, but was still using the same password for Facebook and Twitter. Since Bob isn’t using multi-factor authentication on those sites, Mary was able to log into and take over, or even just quietly watch, Bob’s social media accounts.
Three Tips from Hikvision to Prevent Credential Stuffing
This is a common attack method and underscores the need for everyone to follow good cybersecurity practices. Below are three ways to avoid being in Bob’s position:
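The pattern in the story above, one source trying many different usernames with mostly failed logins, is also what a site operator can look for in its own authentication logs. The following is an added example written for this post, not Hikvision code; the log format (timestamp, source IP, username, result) and the sample lines are constructed, and the thresholds are assumptions to tune per site.

```python
"""Flag credential-stuffing activity in authentication logs.

A single source that tries many distinct usernames within a short window,
with a low success ratio, is flagged. Any account that DID succeed from that
source is reported so it can be locked, reset and pushed to enable MFA.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data): "timestamp source_ip username result"
# 203.0.113.7 sprays eight different accounts and lands one (bob).
# 198.51.100.4 is one person mistyping their own password, then succeeding.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 203.0.113.7 alice fail
2024-05-01T10:00:02Z 203.0.113.7 bob ok
2024-05-01T10:00:03Z 203.0.113.7 carol fail
2024-05-01T10:00:04Z 203.0.113.7 dave fail
2024-05-01T10:00:05Z 203.0.113.7 erin fail
2024-05-01T10:00:06Z 203.0.113.7 frank fail
2024-05-01T10:00:07Z 203.0.113.7 grace fail
2024-05-01T10:00:08Z 203.0.113.7 heidi fail
2024-05-01T10:01:00Z 198.51.100.4 alice fail
2024-05-01T10:01:10Z 198.51.100.4 alice fail
2024-05-01T10:01:20Z 198.51.100.4 alice ok
2024-05-01T10:02:00Z 192.0.2.9 carol ok
"""


def parse_log(text):
    """Parse the constructed log format into (timestamp, ip, user, success) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result == "ok"))
    return events


def detect_credential_stuffing(events, window=timedelta(minutes=5),
                               min_distinct_users=5, max_success_ratio=0.5):
    """Return {ip: finding} for sources whose attempts look like stuffing.

    For each source IP, slide a window over its attempts in time order. A window
    with at least `min_distinct_users` different usernames and a success ratio
    at or below `max_success_ratio` marks the IP (thresholds are assumptions).
    """
    by_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        by_ip[ip].append((ts, user, ok))

    findings = {}
    for ip, attempts in by_ip.items():
        attempts.sort()
        for i, (start, _, _) in enumerate(attempts):
            in_window = [a for a in attempts[i:] if a[0] - start <= window]
            users = {u for _, u, _ in in_window}
            successes = [u for _, u, ok in in_window if ok]
            ratio = len(successes) / len(in_window)
            if len(users) >= min_distinct_users and ratio <= max_success_ratio:
                findings[ip] = {
                    "attempts": len(in_window),
                    "distinct_users": len(users),
                    # accounts to lock/reset and notify: the stuffing "hits"
                    "compromised_accounts": sorted(set(successes)),
                }
                break  # one finding per IP is enough for an alert
    return findings


if __name__ == "__main__":
    for ip, finding in detect_credential_stuffing(parse_log(SAMPLE_LOG)).items():
        print(ip, finding)
```

The same-user retry from 198.51.100.4 is not flagged, because a single username repeatedly failing is a lockout or password-reset case, not stuffing. Real deployments should also count distinct usernames per subnet or per user agent, since stuffing tools spread attempts across many source addresses.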
- Use a unique password for every account. You will likely need a password manager to achieve this.
- Use strong, hard-to-guess passwords for each account. This can also be achieved with a password manager.
- Use multi-factor authentication anywhere and everywhere you can.
By following these three tips, you will reduce the likelihood of becoming an easy target of credential stuffing attacks.
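The first two tips can be checked mechanically against a password manager's export. The following is an added example written for this post, not Hikvision code or any password manager's own tooling; it assumes a CSV export with site, username and password columns (the vault contents are constructed), and the breached-password set is a constructed stand-in for a locally held breach list. Hashing with SHA-1 here only matches the format such lists are commonly published in; it says nothing about how passwords should be stored.

```python
"""Audit a password-manager CSV export for reuse, short passwords and breach hits."""
import csv
import hashlib
import io
from collections import defaultdict

# Constructed vault export (not real credentials): Bob's situation from the post.
VAULT_CSV = """\
site,username,password
linkedin.com,bob@example.com,Summer2016!
facebook.com,bob@example.com,Summer2016!
twitter.com,bob_h,Summer2016!
work.example.com,bob,R7#qkL2m!vWp9zTb
bank.example.com,bob,password123
"""

# Constructed stand-in for a breached-password list, keyed by SHA-1 as such lists
# usually are. In practice this would be a local dump or a k-anonymity range query.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest().upper()
    for p in ("password123", "Summer2016!")
}


def audit_vault(csv_text, min_length=12, breached_hashes=BREACHED_SHA1):
    """Return {site: [issue, ...]} for every entry with at least one problem.

    Issues: the password is reused on other sites, is shorter than `min_length`
    (an assumed threshold), or its SHA-1 appears in the breach list.
    """
    rows = list(csv.DictReader(io.StringIO(csv_text)))

    # Group sites by password so reuse can be reported without printing the password.
    sites_by_password = defaultdict(list)
    for row in rows:
        sites_by_password[row["password"]].append(row["site"])

    findings = {}
    for row in rows:
        site, pw = row["site"], row["password"]
        issues = []
        others = [s for s in sites_by_password[pw] if s != site]
        if others:
            issues.append("reused on " + ", ".join(others))
        if len(pw) < min_length:
            issues.append(f"shorter than {min_length} characters")
        if hashlib.sha1(pw.encode()).hexdigest().upper() in breached_hashes:
            issues.append("appears in breach list")
        if issues:
            findings[site] = issues
    return findings


if __name__ == "__main__":
    for site, issues in audit_vault(VAULT_CSV).items():
        print(f"{site}: {'; '.join(issues)}")
```

Only the work account passes: it is long, unique, and absent from the breach list. Every entry sharing the old LinkedIn password is flagged for reuse and for the breach hit, which is exactly the exposure that credential stuffing turns into account takeovers.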
For additional Hikvision cybersecurity insights and tips to address security concerns, visit this link.