Today, we are focusing on credential stuffing attacks; what they are, how they are achieved, and most importantly, how to mitigate and protect your data. Although this article describes security for the Azure AD B2C service, mitigation actions should work for most cloud-based systems.
What is Credential Stuffing? Credential stuffing is an attack where the hacker successfully procures a list of user account credentials, consisting of usernames, and/or email aliases and their corresponding passwords, and then tests these account credentials against other sites until they are potentially matched. These lists are usually purchased through the dark web, are quite easy to obtain, and can contain vast numbers of users’ account data. Credential Stuffing often targets the retail and gaming industries and is in the top-10 list of OWASP Automated Threats. What makes this attack so popular, is that account credential lists are readily available and are powerful because of users’ tendencies to reuse credentials across multiple sites.
These days, most organizations require a strong password and no longer allow simple strings like ‘12345’ or the word ‘password.’ While it’s good to know security access levels have improved, it results in millions of people using the same password to access every account, without changing it, unless required. Once a single data breach occurs, that user’s credentials are compromised across several other accounts that they have with other organizations.
Attackers can use bots and credential stuffing tools that assimilate proxy lists and make access attempts appear to be from many IP addresses in different locations. Attacks occur from data breaches, paste-bin dumps, or are bought on the dark web. These attacks can be hard to identify as individual accounts are not being attacked with multiple login attempts.
These hackers have only about a 0.1 to 2% success rate when performing these data attacks. That percentage seems low, as they need millions of credential stuffing pairs to make it worth their effort, and even when they get this data, they must take additional risks to make money. However, once achieved, attackers may steal additional data, perform ID fraud, extort your data for ransom, or sell your data to the dark web. Any of these outcomes could have long-term, devastating effects for the user whose account was compromised.
What are the best mitigation methods? How can we prevent credential stuffing and other front-door attacks? Individuals can use good security practices, such as strong passwords, and enrolling for multifactor authentication (MFA). An excellent practice for individuals is to use a password manager like Last Pass or Dashlane that generates random passwords for the sites they use.
As a company implementing an IAM solution, it is essential to have a plan for mitigating hard-to-discover attacks like credential stuffing. Keep in mind that while you must enforce security measures, there’s careful consideration that needs to go into providing a highly secure authentication mechanism, while ensuring that the friction of logging into your app does not result in customers just dropping off and not completing a registration or sign-in.
While deploying Azure AD B2C, here are some of the more effective credential stuffing mitigations we’ve used:
- MFA: Multifactor authentication is an excellent defense against these attacks. Aside from your password, you are requested to perform a second validation method, which could be via a text, email, thumbprint scan, voice, or facial recognition. Security experts say MFA has stopped 99% of data compromises and should be implemented whenever possible. B2C has recently added support for a wide variety of identity verifiers (including WhoIAM’s BRIMS platform!). In all our deployments, we’ve come to the realization that there isn’t a one-size-fits-all recommendation for the right choice of MFA. It’s a better idea to find an authentication factor that is most suited to the scenario in which your user is logging in. For instance, if your user is accessing your app or website using a smartphone, an on-device biometric option or authenticator app would work well. If their primary phone is a less sophisticated ‘candy bar’ phone or a shared device, you might choose to send an SMS, or use speaker/voice recognition
- Allow and Ban Lists: As the app owner, you likely have enough domain knowledge to be able to define specific rules that are tailored to your users. For instance, you may know that your service is only available to a set of users that register with a specific email domain. Alternatively, you’ve been able to correlate a high volume of fake accounts being generated by users using profanity in their login identifier or name fields. You can deploy off-the-shelf rule engines such as Dynamics 365’s Fraud Protection platform to build out and enforce custom allow and ban lists. .
- CAPTCHA – CAPTCHA technologies have come a long way in the last several years. These tools do a good job of distinguishing human interactions from those of automated actions using many signals including the user’s typing speed, mouse movement patterns, and swipe gestures. We’ve found Google’s RECAPTCHA v3 particularly effective as it provides silent or non-interactive bot/human assessments back to Azure AD B2C. However, using at as your sole identity protection strategy is not ideal as the service is billed on a per-assessment basis, and doesn’t guard against DDOS attack
- WAF – A web application firewall (WAF), protects your apps from common web exploits and vulnerabilities that could affect application availability, compromise security, or consume excessive resources. A typical WAF deployment alongside Azure AD B2C involves sending all authentication traffic coming to your website through the WAF and having the B2C endpoints only respond to IP addresses that originate from the WAF that’s being used. WAFs are typically capable of BOT recognition and are an effective mitigation strategy against credential stuffing as well as DDOS attacks by only letting legitimate traffic through to your downstream endpoints. The downside to deploying a WAF is that they tend to be expensive. Currently, you will also need to work with Microsoft to ensure traffic to your B2C tenant from all sources except the WAF is blocked.
- Go Password-less: We’ve left arguably the most effective mitigation for last in part because a large number of our customers realize the benefits of going password-less, but are hesitant to make a clean break over to such a construct especially when they’re bringing in a big userbase that needs to be migrated to B2C without re-enrollment. However, if your app or business can provide a no-password approach to logging in, that immediately mitigates a slew of attack vectors. Consider replacing passwords with an on-device biometric feature such as a thumbprint or facial recognition, or by using an authenticator app or even a hardware token. This is popular as it reduces phishing risks and delivers a better user experience by providing a convenient way to access data.
In summary, it’s important to consider the types of attacks that your particular solution may be prone to, and plan out appropriate mitigation solutions. If you want to provide feedback or have thoughts about a future IAM topic you would like us to discuss, please contact us via our WhoIAM portal.