Kasada was recently in the news after identifying a credential stuffing campaign targeting Australian retail, fast food, and entertainment outlets. The discourse around this type of reporting – and the responses from affected companies – usually contains the same few statements: “A small number of accounts were affected” and “Customers should ensure they do not reuse passwords across multiple sites.” This shifting of risk to affected customers, regardless of the number of accounts impacted, highlights a tension within cybersecurity: balancing security and usability.

Why credential stuffing still occurs

Security is a team sport. When everyone plays their part, we raise the effort required for a criminal group to successfully bypass security controls. Credential stuffing and account takeover attacks are often the visible effects of someone not playing at the top of their game.

Companies must ensure they provide the best possible defense for their users. They can do this by reducing their attack surface, lowering the value of stolen credentials, and ensuring adequate detection and mitigation. For credential stuffing and account takeover, having a highly agile, effective anti-bot solution like Kasada ensures that your customer accounts are protected. This has the added benefit of reducing load on your site, cleaning up your web traffic metrics, and significantly decreasing infrastructure, operations, and downstream fraud costs – all while maintaining your brand reputation and customer loyalty.

Businesses with an online presence are really up against it. Building this presence, choosing the right eCommerce platform, attracting customers to your site, and then getting those customers to commit to the purchase takes a lot of effort. Getting a user to add an item to their cart is really only the beginning of making that sale. Every extra step you make this customer go through gives them another chance to leave that sales flow and abandon their cart.

Online retailers want to make this process as frictionless as possible and give the user a great experience. It’s inconvenient for a user to have to get off the couch, find their credit card, enter the details, and then complete the transaction. Retailers want customers to create an account, provide their data, and store card details for next time to reduce that friction. This is a great user experience and may mean repeat business from that customer.

This frictionless experience extends to the user. A user may not want to create an account, but they will if motivated to make the purchase. When they make this new account, they do not want to have to remember a new email/password combination. A new credential set for every single site they make a purchase on – who has time for that? Keep it all the same – that way, you only need to remember one thing.

This tension is how we end up with credential stuffing and account takeover attacks. Credential stuffing occurs when a cybercriminal uses stolen username and password combinations to attempt to fraudulently log into a user’s account on another, third-party service. These stolen credentials are typically obtained through data breaches and sold to other attackers.

When an organized credential stuffing or account takeover campaign – such as the one identified by Kasada – is successful, users complain about not being protected, while affected businesses contend the users were not practicing good cyber hygiene. Both of these statements can be true. What is missed here is a holistic approach to security.

So, how can we all do our part?

Businesses need to implement good quality anti-bot protections on endpoints that could be a target for malicious actors. Login and account sign-up flows can be used by threat actors to conduct credential stuffing campaigns or to create new accounts for use in fraudulent activities (see our latest Quarterly Threat Report). Businesses must identify and mitigate automated attacks against their login endpoints and make business logic decisions that disincentivize attackers from targeting them. This might be the addition of multi-factor authentication or handing the payment off to a secondary provider – but this adds cost, complexity, and friction to the system.
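As an added example (not code from the original post or from Kasada's products), the aggregation a defender can run over login events to spot the credential stuffing shape the post describes: one source trying many different usernames, mostly failing, with the occasional success that becomes the "small number of accounts affected." The event list is constructed and the thresholds are placeholders.

```python
from typing import Dict, List, Tuple

# Constructed sample login events (source IP, username, outcome); not from any real system.
# One source cycles through many different usernames with mostly failures and a single
# success (the credential stuffing shape); another is one user retrying their own password.
SAMPLE_EVENTS: List[Tuple[str, str, str]] = [
    ("203.0.113.10", "alice@example.com", "fail"),
    ("203.0.113.10", "bob@example.com", "fail"),
    ("203.0.113.10", "carol@example.com", "fail"),
    ("203.0.113.10", "dave@example.com", "success"),
    ("203.0.113.10", "erin@example.com", "fail"),
    ("203.0.113.10", "frank@example.com", "fail"),
    ("198.51.100.7", "grace@example.com", "fail"),
    ("198.51.100.7", "grace@example.com", "fail"),
    ("198.51.100.7", "grace@example.com", "success"),
    ("192.0.2.44", "heidi@example.com", "success"),
]


def summarize_by_source(events) -> Dict[str, dict]:
    """Aggregate attempts, failures and the set of distinct usernames per source IP."""
    stats: Dict[str, dict] = {}
    for src, user, outcome in events:
        s = stats.setdefault(src, {"attempts": 0, "failures": 0, "users": set()})
        s["attempts"] += 1
        s["users"].add(user)
        if outcome != "success":
            s["failures"] += 1
    return stats


def flag_credential_stuffing(events, min_attempts=5, min_distinct_users=4,
                             min_failure_ratio=0.6) -> List[str]:
    """Return source IPs whose login pattern matches credential stuffing: many attempts,
    spread across many distinct usernames, mostly failing. Requiring distinct usernames
    keeps a single user who mistypes their own password from being flagged."""
    flagged = []
    for src, s in summarize_by_source(events).items():
        ratio = s["failures"] / s["attempts"]
        if (s["attempts"] >= min_attempts
                and len(s["users"]) >= min_distinct_users
                and ratio >= min_failure_ratio):
            flagged.append(src)
    return sorted(flagged)


if __name__ == "__main__":
    print(flag_credential_stuffing(SAMPLE_EVENTS))  # ['203.0.113.10']
```

A distributed campaign spreads its attempts across many addresses, so the same aggregation is also worth running per network block, per device fingerprint, and globally over the login endpoint's failure ratio rather than per IP alone.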

Users are not off the hook, though. There are cross-platform password managers that allow users to create a unique password for each site they visit. This allows users to access their passwords across multiple devices while only needing to remember a single master password. There are risks with centralizing these credentials, in that you trust a third-party provider to store this data securely. There are other tricks users can combine with a password manager to make it harder for an attacker to access their accounts.

Gmail and some other webmail providers, including ProtonMail, allow the use of “dot tricks.” If a user registers with an account on Gmail such as “example@gmail.com,” the user can insert non-consecutive periods, or dots, into the address to create a unique address on the site but still have it routed to Gmail. The examples below will all route to the original email address.

  • example@gmail.com
  • exa.mp.le@gmail.com
  • e.x.a.m.p.l.e@gmail.com

A user can also use an alias at the end of the address, like example+kasada@gmail.com. Mixing these two techniques means a user could have a unique email address for each site they visit – but would require the use of a password manager to remember each credential combination. This adds significant overhead for a user, adding complexity that most will not adopt.
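As an added example (not code from the original post), the canonicalization a sign-up or login service could apply so that the dotted and plus-aliased variants above resolve to the one mailbox they actually reach, which makes bulk account creation from a single inbox visible in a sign-up review. The dot-insensitive domain list is an assumption for the example and the sign-up list is constructed.

```python
from typing import Dict, List

# Providers that route mail regardless of dots in the local part. The post names Gmail;
# this set is an assumption for the example and should only list providers confirmed
# to behave this way, since for most domains dots are significant.
DOT_INSENSITIVE_DOMAINS = {"gmail.com", "googlemail.com"}


def canonicalize_email(address: str) -> str:
    """Reduce an address to the mailbox it actually reaches: lowercase, plus-alias
    removed, and dots stripped from the local part for dot-insensitive providers."""
    addr = address.strip().lower()
    if addr.count("@") != 1:
        raise ValueError(f"not a simple user@domain address: {address!r}")
    local, domain = addr.split("@")
    # Everything from the first '+' onward is an alias tag (example+kasada -> example)
    local = local.split("+", 1)[0]
    if domain in DOT_INSENSITIVE_DOMAINS:
        local = local.replace(".", "")
    if not local:
        raise ValueError(f"empty local part after canonicalization: {address!r}")
    return f"{local}@{domain}"


def group_by_mailbox(addresses: List[str]) -> Dict[str, List[str]]:
    """Map each canonical mailbox to the registered variants that resolve to it, so a
    sign-up review can see how many 'distinct' accounts share one real inbox."""
    groups: Dict[str, List[str]] = {}
    for a in addresses:
        groups.setdefault(canonicalize_email(a), []).append(a)
    return groups


# Constructed sign-up list: the three dotted forms from the post, a plus alias,
# and an address at a domain where dots are significant.
SIGNUPS = [
    "example@gmail.com",
    "exa.mp.le@gmail.com",
    "e.x.a.m.p.l.e@gmail.com",
    "Example+kasada@gmail.com",
    "exa.mple@example.org",
]

if __name__ == "__main__":
    for mailbox, variants in group_by_mailbox(SIGNUPS).items():
        print(mailbox, "<-", variants)
```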

Shifting from reactive to proactive security

Security is a reactive industry that regularly provides good, solid advice well after an incident occurs. But what if we could predict security threats before they occur? That’s where our new service, KasadaIQ for Fraud, comes in. It proactively anticipates and prevents account takeover attacks and various types of fraud before they have a chance to affect your brand or customer data. Learn more about KasadaIQ and check for any early warning signs of ATO or fraud for your company.
