We’ve almost come to expect it: which major corporation will be compromised this month, this week? An airline, a retailer, a web service provider, all hacked by who we imagine are dark hooded figures crouched behind a computer screen. We’ve almost come to expect it, but our sense of security is still shaken a little more every time. With these breaches comes another imminent threat that goes beyond the single account that has been compromised: credential stuffing. Information gleaned from a single hack can act as a master key for cybercriminals if you’re using the same password for multiple sites.
What we know about credential stuffing
Bots now comprise 52% of today’s Internet traffic and with the ability to use multiple IP addresses and anonymous proxies these attacks are more sophisticated and therefore more pervasive
According to a recent report by Shape Security, 3.3 billion credentials were stolen through database breaches, malware injections, and successful phishing attempts in 2016 alone. 51 corporations fell victim to 52 credential spills, with Yahoo! suffering 2 separate attacks, and it’s getting worse. Credential stuffing, also known as password stuffing, is when hackers use the login credentials they’ve obtained on other websites to gain access to credit cards, banking or other sensitive information. The issue is so rampant that Shape Security reports that 9 out of 10 login attempts are not the person the account belongs to.
This isn’t a new problem, but rather an evolving one. With new technology hackers are able to use automated means (i.e. bots) to test thousands of accounts and passwords faster than ever before. Bots now comprise 52% of today’s Internet traffic, and with the ability to use multiple IP addresses and anonymous proxies these attacks are more sophisticated and therefore more pervasive.
Although credential stuffing isn’t a new issue, it seems we only talk about it whenever we hear about the latest breach. Mike Lynch, Chief Strategy Officer of InAuth, a digital device intelligence and security company, explains why that is. “There are a few possible reasons as to why we don’t hear about it: companies that have noticed an unsuccessful attack on their system might not want to alarm their customers, or it goes on for years, like in the case of Yahoo!, and it takes some time for the organization to get the full report of what happened,” he says.
Will credential stuffing bring an end of an era?
What does this mean for the future of the password? While technology has evolved somewhat to meet these needs, such as using your fingerprint to unlock your phone, we still have a ways to go. “If our phones have a built in retina scanner plus your fingerprint, now we have two-factor biometric authentication and don’t need the weaker verification of credentials,” says Lynch.
Some have voiced concerns though: what if hackers get a hold of unchangeable biometric identities? “Fingerprints, and other biometric identifiers, don’t get passed if the program has the right architecture. The result of the biometric is passed, but not the actual biometric information itself,” Lynch states. So while it appears that a layered system of security is the future, the general population may not be quite ready to make the switch as people still seem to value convenience over security. So don’t expect the password to go extinct just yet.
In the mean time, make sure to use a different, complex password for all your accounts, and change them regularly. Dictionary words, significant dates, and the like have no place in your passwords. If the idea of keeping a Rolodex or notebook of passwords seems like a hassle, there is now software that can record your passwords for you, so you only have to memorize one master password. Beware of emails asking for more information and never click on the links they provide, even if they appear to be from a legitimate source.
“It’s not all up to consumers,” Lynch notes, “Organizations need to be adopting biometrics for security and use tools to detect bots and malware.” Continuing to educate the public about risks is the most effective form of protection, advises Lynch, while we wait for biometrics to become the new password.