The Matrix

Although most login attempts in a credential stuffing attack are unsuccessful, a single attack can still yield thousands of compromised accounts due to the sheer volume of attempts, often due to the utilization of software to transmit hundreds of login attempts simultaneously without human intervention.  If successful in accessing accounts, threat actors can monetize the compromised accounts in a variety of ways, including by: (1) making fraudulent purchases using credit cards saved on the account, (2) using customer data stolen from the account in a phishing attack, or (3) selling the credentials on the dark web.

The NYAG’s guide offers businesses a variety of suggestions to help prevent and mitigate credential stuffing, including:

• utilizing software specifically designed to identify and block bot-generated Internet traffic (often known as bot detection systems);
• requiring multi-factor authentication, or another method for authenticating users that does not rely on a password, for user log on;
• requiring customer re-authentication at the time of purchase;
• monitoring customer behavior to identify and block aberrations, such as by noting spikes in traffic volume or failed login attempts;
• implementing a web application firewall for rate limiting, HTTP request analysis, and IP address blacklisting;
• preventing customers from utilizing credentials that have already been detected in known data breaches;
• monitoring customer reports of fraud;
• notifying customers of unusual or significant account activity;
• using a third-party service to identify suspicious or fraudulent transactions; and
• developing policies that anticipate social engineering attacks and training relevant personnel on those policies.