Work out a mechanism to instantly verify subscriber logins and signups against billions of already leaked user credentials from third-party data breaches, so that rapid risk decisions can be made, writes Ai’s Ritesh Gupta
21st June, 2021
One of the most common methods attackers deploy for account takeover (ATO) is credential stuffing.
In a webinar conducted by LSA last week, a poll indicated that 64% of participants consider credential stuffing to be a “growing problem”, while a further 28% were not sure how it affects their business.
Digital risk monitoring company Threat Status pointed out that credential stuffing attacks are effective at taking over user accounts because users tend to make weak choices when picking a password, above all reusing the same one across services. So when a third-party application is breached and its data is stolen, the dump may contain username and password pairs that also work on your application.
Karisse Hendrick, CEO of Chargelytics Consulting, who presented at the #ATPS Fraud Virtual Conference last month, explained why the travel sector must keep tabs on ATO.
“Vouchers for cancelled flights due to the Covid-19 pandemic mean not-so-buried treasure in your customer accounts for fraudsters,” said Karisse. Referring to how the fraud landscape has evolved over the last year and a half, she said carding has become harder (improved fraud detection for carding makes ATO more attractive). Passwords not being distinctive (more than 80% of users reuse the same password for multiple accounts) remains a big problem. Karisse also pointed out that collaboration and coordination are “easier than ever for fraudsters”. Merchants need to be wary of account harvesting (phishing, social engineering, and dark web marketplaces and fraud forums) and of advanced threats such as brute-force attacks, credential stuffing, bots and remote access tools.
How credential stuffing works
Threat Status’ Jon Inns explained how credential stuffing works. Stolen credentials are replayed against a web application’s login endpoint in large-scale, automated login requests, on the bet that some of the pairs are reused there. Botnets are used to automate the validation of the credentials against a company’s application login, spreading the attempts across many source addresses.
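What the defender sees of this is a burst of failed logins, either many usernames from one source or, with a botnet, one or two attempts per source across many sources. The detector below is an added example, not code from the article or from Threat Status; the log format, the thresholds and the log lines themselves are constructed for illustration, and the two rules are ordinary rate-and-spread heuristics rather than any vendor’s method.

```python
# Added example (not from the article or Threat Status): a small credential-stuffing
# detector run over constructed authentication log lines. Rule 1 catches a single
# source cycling through many usernames with mostly failed logins; rule 2 catches the
# botnet pattern, where each source makes only one attempt but the failures across
# all sources hit a different username almost every time.
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed log format: "<ISO-8601 UTC> ip=<addr> user=<name> result=OK|FAIL"
LOG_RE = re.compile(r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$")


def parse_line(line):
    """Parse one log line into an event dict, or None if it does not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts.timestamp(), "ip": m["ip"], "user": m["user"], "ok": m["result"] == "OK"}


def detect_stuffing(lines, window=60, min_users=5, min_fail_rate=0.8, min_global_fails=8, spread=0.8):
    """Return alerts as (kind, subject, detail) tuples; lines must be in time order."""
    alerts, flagged_ips, global_flagged = [], set(), False
    per_ip, recent = defaultdict(deque), deque()   # sliding windows per source and overall
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        ts, ip = ev["ts"], ev["ip"]
        for q in (per_ip[ip], recent):
            q.append(ev)
            while ts - q[0]["ts"] > window:         # drop events older than the window
                q.popleft()
        # Rule 1: one source, many usernames, mostly failures. A human who forgot a
        # password fails repeatedly on ONE username and never trips this rule.
        q = per_ip[ip]
        users = {e["user"] for e in q}
        fails = sum(1 for e in q if not e["ok"])
        if ip not in flagged_ips and len(users) >= min_users and fails / len(q) >= min_fail_rate:
            flagged_ips.add(ip)
            alerts.append(("per_ip", ip, f"{len(users)} users, {fails}/{len(q)} failures in {window}s"))
        # Rule 2: distributed. Enough failures in the window, almost all from distinct
        # sources against distinct usernames, which is what a botnet replaying a breach
        # dump looks like when no single IP exceeds a per-source threshold.
        gfails = [e for e in recent if not e["ok"]]
        if not global_flagged and len(gfails) >= min_global_fails:
            n_ips = len({e["ip"] for e in gfails})
            n_users = len({e["user"] for e in gfails})
            if n_ips >= spread * len(gfails) and n_users >= spread * len(gfails):
                global_flagged = True
                alerts.append(("distributed", "*",
                               f"{len(gfails)} failures from {n_ips} IPs on {n_users} users in {window}s"))
    return alerts


# Constructed sample log (not real traffic). Three phases: one IP spraying a list,
# a legitimate user mistyping their own password, then a botnet doing one attempt each.
SAMPLE_LOG = [
    *(f"2021-06-14T10:00:{i:02d}Z ip=203.0.113.7 user={u} result=FAIL"
      for i, u in enumerate(["alice", "bob", "carol", "dave", "erin", "frank"])),
    "2021-06-14T10:00:06Z ip=203.0.113.7 user=grace result=OK",
    "2021-06-14T10:02:00Z ip=198.51.100.4 user=alice result=FAIL",
    "2021-06-14T10:02:05Z ip=198.51.100.4 user=alice result=FAIL",
    "2021-06-14T10:02:09Z ip=198.51.100.4 user=alice result=OK",
    *(f"2021-06-14T10:05:{i * 3:02d}Z ip=203.0.113.{10 + i} user={u} result=FAIL"
      for i, u in enumerate(["henry", "iris", "jack", "kate", "liam", "mona", "nina", "owen"])),
]

if __name__ == "__main__":
    for alert in detect_stuffing(SAMPLE_LOG):
        print(alert)   # one per_ip alert for 203.0.113.7, one distributed alert
```

Run against the sample, the spraying IP is flagged on its fifth username, the legitimate user retrying a single account is never flagged, and the eight single-attempt bots are caught only by the distributed rule. In production the same two signals are usually fed by the WAF or bot-management layer rather than by login logs alone, and the thresholds need tuning per site, since a marketing campaign or a password-expiry day also raises failure counts.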
Inns highlighted that it is imperative for companies to adopt real-time checking of credentials against known breach data.
He stated that the company has worked out a mechanism to evaluate whether the username and password combination a customer enters has been leaked on criminal forums. “By comparing it with the information already in Arc (Threat Status’ credential stuffing protection offering), a merchant gets to know whether an account is vulnerable and can accordingly protect the customer account (for instance, their loyalty currency),” said Inns.
Interestingly, when a compromised pair is identified, a hash of it is created and then encrypted using homomorphic cryptography, the point of a homomorphic scheme being that the comparison can be carried out on encrypted values rather than on the plaintext credentials.
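The article gives no further detail on the scheme, so the following is an added illustration of the general idea and is not Threat Status’ or Arc’s code. It uses Paillier, an additively homomorphic cipher, so that a client can ask “is this hash in your corpus?” while the server only ever handles ciphertexts. Everything here is assumed for the example: the hash is a 128-bit truncation of SHA-256 over a lowercased username:password pair, the primes are 160 bits for speed, and the leaked pairs are constructed.

```python
# Added example (not Threat Status' or Arc's code): a private membership test for a
# leaked-credential corpus built on Paillier, an additively homomorphic scheme.
# The client hashes "username:password", encrypts the hash under its own key and
# sends only the ciphertext; the server blinds the difference between that
# ciphertext and every leaked hash, so the client learns only whether a match
# exists and the server never sees the hash, let alone the password.
import hashlib
import random
import secrets
from math import gcd


def is_probable_prime(n, rounds=32):
    """Miller-Rabin primality test (probabilistic, enough for an example)."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand


def keygen(bits=160):
    """Paillier key pair; 160-bit primes keep the example fast (use 1024+ in practice)."""
    p, q = random_prime(bits), random_prime(bits)
    while q == p:
        q = random_prime(bits)
    n = p * q
    lam = (p - 1) * (q - 1) // gcd(p - 1, q - 1)   # lcm(p-1, q-1)
    mu = pow(lam, -1, n)
    return (n, n * n), (lam, mu)


def encrypt(pub, m):
    """Enc(m) = (1 + m*n) * r^n mod n^2, i.e. g^m r^n with generator g = n + 1."""
    n, n2 = pub
    r = secrets.randbelow(n - 1) + 1
    while gcd(r, n) != 1:
        r = secrets.randbelow(n - 1) + 1
    return (1 + m * n) * pow(r, n, n2) % n2


def decrypt(pub, priv, c):
    n, n2 = pub
    lam, mu = priv
    return ((pow(c, lam, n2) - 1) // n) * mu % n


def hash_credential(username, password):
    """Assumed normalisation: 128-bit truncated SHA-256 of 'user:password', user lowercased."""
    digest = hashlib.sha256(f"{username.lower()}:{password}".encode()).digest()
    return int.from_bytes(digest[:16], "big")   # far below the 320-bit modulus


class BreachCorpus:
    """Server side: holds hashes of leaked pairs and never sees the query in clear."""

    def __init__(self, leaked_pairs):
        self.hashes = [hash_credential(u, p) for u, p in leaked_pairs]

    def blind_compare(self, pub, enc_query):
        n, n2 = pub
        replies = []
        for h in self.hashes:
            diff = enc_query * encrypt(pub, (-h) % n) % n2   # Enc(x - h), additive property
            r = secrets.randbelow(n - 1) + 1
            replies.append(pow(diff, r, n2))                 # Enc(r * (x - h)): 0 iff x == h
        random.shuffle(replies)                               # hide which corpus entry matched
        return replies


def is_compromised(corpus, pub, priv, username, password):
    """Client side: True iff the pair is in the corpus; the server learns nothing about it."""
    enc_query = encrypt(pub, hash_credential(username, password))
    return any(decrypt(pub, priv, c) == 0 for c in corpus.blind_compare(pub, enc_query))


# Constructed sample corpus for the example.
LEAKED = [("alice", "Password1"), ("bob", "letmein"), ("carol", "qwerty123")]

if __name__ == "__main__":
    pub, priv = keygen()
    corpus = BreachCorpus(LEAKED)
    print(is_compromised(corpus, pub, priv, "Alice", "Password1"))   # True
    print(is_compromised(corpus, pub, priv, "alice", "n3w-pa55"))    # False
```

The non-matching replies decrypt to r·(x − h) mod n for a fresh random r, which tells the client nothing about h, and the server only ever sees Paillier ciphertexts, which are semantically secure. The cost is the obvious one: one ciphertext per corpus entry per query, which does not scale to “billions” of leaked pairs, so a real service would first narrow the candidates (for example by a short hash prefix, as k-anonymity range queries do) and run the private comparison only inside that bucket. Note also that the client is the key holder here; if the vendor holds the key instead, the vendor, not the merchant, is the party that learns the result.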
- Work out a mechanism to instantly verify subscriber logins and signups against billions of already leaked user credentials from third-party data breaches, so that rapid risk decisions can be made.
- Enhance B2C authentication security of applications with zero additional user friction.
- No requirement for subscribers to interact with SMS or 2FA tokens, which cause user drop-off or additional deployment costs.