Cybercriminals use stolen login credentials, which they acquire from data breaches and leaked databases available on the dark web, to repeatedly try to gain access to accounts on other websites. Since passwords are often reused across accounts, the success rate of this type of attack is high, especially when paired with automated bots that can test username and password combinations at staggering velocities.
What is the defense against credential stuffing?
The problem is that credential stuffing attacks are not only extremely expensive for sites, but can also damage brand reputation. Major data breaches make the news and, despite the old adage that any press is good press, they do not reflect well on brands. In addition, fines imposed on victims can be crippling and threaten the long-term viability of an enterprise.
Luckily, there are ways to mitigate this risk. One of the most important is to ensure that multi-factor authentication (MFA) is in place. This prevents the attacker from exploiting stolen login credentials, because a valid username and password alone are no longer enough: users must also authenticate with a secondary verification method. This can be as simple as a text message or a dedicated mobile app.
Other methods include implementing CAPTCHA and requiring that users create their own usernames for accounts, as this will make it harder for cybercriminals to enumerate valid usernames to attempt credential stuffing attacks. Device fingerprinting, which recognizes technical markers such as screen resolution and plugins, can also help to detect malicious activity. Finally, a solution such as MatchKey, which requires visitors to solve dynamic challenges in order to prove they are human, can significantly decrease the success rates of these types of attacks.
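The velocity pattern described above (one source cycling through many different usernames with mostly failed logins) is also what a defender can look for in web login logs. The following is an added example, not code from the original article or from any product it names: a small detector that parses constructed sample log lines, keys attempts by source IP, and flags a source when, within a 60-second window, it attempts at least 8 distinct usernames with a failure ratio of 70% or more. The log format, the thresholds and the IP addresses are all assumptions chosen for the example. Accounts that the flagged source did log into are reported so they can be stepped up to MFA or forced through a password reset.

```python
"""Heuristic credential-stuffing detector over web login logs (added example).

A single source that tries many *distinct* usernames in a short window with a
high failure ratio looks like a bot working through a leaked credential list,
not a legitimate user who mistyped a password a few times.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log lines (not from any real system).
# Format assumed for the example: <ISO timestamp> <source ip> <username> <OK|FAIL>
SAMPLE_LOG = """\
2024-03-01T10:00:00 203.0.113.7 alice FAIL
2024-03-01T10:00:01 203.0.113.7 bob FAIL
2024-03-01T10:00:02 203.0.113.7 carol FAIL
2024-03-01T10:00:02 203.0.113.7 dave FAIL
2024-03-01T10:00:03 203.0.113.7 erin OK
2024-03-01T10:00:04 203.0.113.7 frank FAIL
2024-03-01T10:00:05 203.0.113.7 grace FAIL
2024-03-01T10:00:06 203.0.113.7 heidi FAIL
2024-03-01T10:00:07 203.0.113.7 ivan FAIL
2024-03-01T10:00:08 203.0.113.7 judy FAIL
2024-03-01T10:00:09 203.0.113.7 mallory FAIL
2024-03-01T10:00:10 203.0.113.7 oscar FAIL
2024-03-01T10:01:00 198.51.100.9 alice FAIL
2024-03-01T10:01:05 198.51.100.9 alice FAIL
2024-03-01T10:01:20 198.51.100.9 alice OK
"""


@dataclass(frozen=True)
class LoginEvent:
    ts: datetime
    ip: str
    user: str
    success: bool


@dataclass(frozen=True)
class Alert:
    ip: str
    distinct_users: int          # distinct usernames tried in the worst window
    failure_ratio: float         # failed attempts / all attempts in that window
    compromised_users: tuple[str, ...]  # accounts the source logged into successfully


def parse_log(text: str) -> list[LoginEvent]:
    """Parse the assumed four-field log format into LoginEvent records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append(LoginEvent(datetime.fromisoformat(ts), ip, user, result == "OK"))
    return events


def detect_credential_stuffing(
    events: list[LoginEvent],
    window: timedelta = timedelta(seconds=60),
    min_distinct_users: int = 8,
    min_failure_ratio: float = 0.7,
) -> list[Alert]:
    """Return one Alert per source IP whose worst sliding window crosses both thresholds."""
    by_ip: dict[str, list[LoginEvent]] = defaultdict(list)
    for e in events:
        by_ip[e.ip].append(e)

    alerts = []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e.ts)
        start = 0
        worst: Alert | None = None
        for end, e in enumerate(evs):
            # Slide the window start forward so it only covers [e.ts - window, e.ts].
            while evs[start].ts < e.ts - window:
                start += 1
            span = evs[start:end + 1]
            users = {x.user for x in span}
            fails = sum(not x.success for x in span)
            ratio = fails / len(span)
            if len(users) >= min_distinct_users and ratio >= min_failure_ratio:
                if worst is None or len(users) > worst.distinct_users:
                    hits = tuple(sorted({x.user for x in span if x.success}))
                    worst = Alert(ip, len(users), ratio, hits)
        if worst is not None:
            alerts.append(worst)
    return alerts


if __name__ == "__main__":
    for a in detect_credential_stuffing(parse_log(SAMPLE_LOG)):
        print(f"{a.ip}: {a.distinct_users} usernames, "
              f"{a.failure_ratio:.0%} failures, accounts hit: {a.compromised_users}")
```

On the constructed sample the second source (three attempts against one account, then success) is the normal "forgot my password" shape and is not flagged; the first source is flagged with 12 distinct usernames and an 11/12 failure ratio, with `erin` reported as the account that needs attention. Real bot operators spread attempts across many proxy addresses, so in production the same logic is usually keyed on a device fingerprint or network range as well as on the bare IP, and the thresholds are tuned against the site's own baseline of failed logins.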