I have a love/hate relationship with “credential stuffing”

It's not descriptive enough to be intuitive & it's not scary enough to evoke concern.

So what is credential stuffing and why is it a bigger deal than you think? (a rare thread)
Credential stuffing is the replay of usernames and passwords across sites to find accounts that reused passwords.

“Meh” right?

That’s the other problem. It’s easy to underestimate because it sounds simple.

Let’s start with the credentials.

How can I get your passwords?
I get them from credential spills. Some company is breached and loses a user database w/ weak password hashes

Credential spills happen 💀all💀the💀time💀

Then they get spread on forums and chat

Plug: I contributed to the 2018 credential spill report https://info.shapesecurity.com/rs/935-ZAM-778/images/Shape_Credential_Spill_Report_2018.pdf
You hear about big company credential spills because they’re newsworthy. You don’t hear about the thousands of other breaches.

Security incidents on kittens-dressed-as-people fan sites don’t drive clicks.

Go figure 🤷‍♂️
Smaller sites are breached almost by default because they use old software with known vulnerabilities.

Ever signed up for a small forum? The password you used is already on a dump somewhere.

I’ve probably got it.

Sorry.
A 1 terabyte (👈 TERA) dump w/ data from 1000s of breaches was uploaded to raidforums in January.

You probably heard of collection 1 bc of @troyhunt and @campuscodi. You probably missed collections 2, 3, 4, 5, and more because… news.

It had BILLIONS of usernames and passwords.
So that’s the "credential." On to the stuffing 🦃

Now I have files with billions of usernames and passwords & I want to see if any of those work on http://whateversite.com 

I can’t do this by hand, it's not worth it. That's where automation (a.k.a. "bots") comes in.
Side note! The text files with usernames and passwords? Those are called "combolists"

I made a thing: http://combolist.org 

Pro Tip: don’t generate fake combolists and sell them on the dark web. They don’t like that.
I can use dev tools like selenium, puppeteer, cURL, or phantom to run combolists against a login URL.

"But wait" you say. "That would mean you'd need to make millions of requests just to find a few accounts."

Yep. It’s often less than a ~1% success rate.
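From the defender's side, that shape (one source, many distinct usernames, a tiny success rate) is what distinguishes combolist replay from a forgetful human or a single-account password guesser. The following is an added example, not part of the original thread: the log format, IP addresses and usernames are all constructed.

```python
"""Added example, not from the original thread: flag the credential-stuffing
pattern in login logs. Combolist replay leaves a distinctive trace: one source,
many distinct usernames, almost all failing (the thread cites ~1% success).
Log format and all sample lines are constructed for this example."""
from collections import defaultdict

# Constructed log lines: "<source_ip> <username> <result>".
SAMPLE_LOG = "\n".join(
    ["203.0.113.10 alice FAIL", "203.0.113.10 alice OK"]           # forgot pw
    + ["192.0.2.44 dave FAIL" for _ in range(12)]                   # one-user guessing
    + [f"198.51.100.7 u{i:03d} {'OK' if i == 7 else 'FAIL'}"        # stuffing
       for i in range(25)]
)

MIN_ATTEMPTS = 10          # too few attempts to judge otherwise
MIN_USERNAME_SPREAD = 0.8  # distinct usernames / attempts; stuffing is ~1.0
MAX_SUCCESS_RATE = 0.05    # combolists rarely hit on any single site

def parse_log(text):
    """Yield (source, username, succeeded); skip blank or malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            yield parts[0], parts[1], parts[2] == "OK"

def summarize(events):
    """Per-source counters: attempts, distinct usernames, successes."""
    stats = defaultdict(lambda: {"attempts": 0, "users": set(), "ok": 0})
    for src, user, ok in events:
        stats[src]["attempts"] += 1
        stats[src]["users"].add(user)
        stats[src]["ok"] += int(ok)
    return stats

def flag_stuffing(text):
    """Return {source: (attempts, successes)} for sources matching the pattern.
    Single-user failure bursts (password guessing) fail the spread test."""
    flagged = {}
    for src, s in summarize(parse_log(text)).items():
        spread = len(s["users"]) / s["attempts"]
        rate = s["ok"] / s["attempts"]
        if (s["attempts"] >= MIN_ATTEMPTS and spread >= MIN_USERNAME_SPREAD
                and rate <= MAX_SUCCESS_RATE):
            flagged[src] = (s["attempts"], s["ok"])
    return flagged

if __name__ == "__main__":
    print(flag_stuffing(SAMPLE_LOG))  # {'198.51.100.7': (25, 1)}
```

Grouping by source IP is the weakest version of this check: automation that rotates through proxies spreads the same pattern over thousands of sources, so production detection also watches the site-wide ratio of distinct usernames to attempts in a time window.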
Requests are cheap & popped accounts are valuable. They sell from $1-2 to $100+

Accounts with loyalty points are huge (e.g. airline miles).

Accounts with digital goods like Fortnite or League of Legends skins can sell for more than you'd think.
If the account can interact with others (e.g. w/DMs, comments, or forum posts) then I can go phishing.

I can spam, influence, or use one account to boost another.

If there is PII I can use it to take over your other accounts.

The more I know about you, the more I can *be* you
Accounts that can transfer points or real $$$ are top-tier because they facilitate money laundering.

But EVERY account has value, no matter what.

The age of an account and its history of activity before getting popped is valuable on its own.
We hear about bots on Reddit, Facebook, Twitter, etc

"Coordinated inauthentic behavior" is what they call it.

The best bots come from real accounts that have been popped and resold. Those bypass automated bot detection algorithms. Because they're not 100% botty.
But CAPTCHAs! CAPTCHAs block bots, right?

Well, no, they don’t work anymore. It's actually easier to bypass CAPTCHAs as a bot than it is as a legitimate user stuck going through 27 different stages of "Select the crosswalk" puzzles.

and bots don't get anxiety.
Don't believe me? Sign up for deathbycaptcha or 2captcha and get your API key today.

Also check out
But MFA! A bot can't get past MFA even if it has the right password!

That's true, but people who know enough to turn on MFA but not enough to use unique passwords know enough to be confident but not enough to be effective.

They are perfect targets for social engineering.
It's not guaranteed but, as an attacker, I can keep trying until it works.

Credential stuffing attacks need to be cheap to scale. Once I have your username & password the cost/value changes.

My attack can become more manual because my expected return is higher.
But just block all bots! There are dozens of anti-bot companies out there!

Bots are just the symptom, not the cause. The cause is criminals motivated by money. You can’t just "stop" criminals.

And, seriously, if Google can’t do it with all their data then it’s not easy.
Advanced credential stuffing == sophisticated fraud.

There is no silver bullet against financially motivated, sophisticated adversaries.

Most companies' fraud teams are not equipped to deal with fraud at this scale and app devs don't even know the problem exists.
If you reuse passwords you *will* get popped.

Not because you're valuable. Attackers don’t care about you. They don’t know anything about you.

These attacks don’t target *you*, they target *anyone*

All of us are in the net, and those that reuse passwords get caught in it.
You can accept that now and protect yourself or gamble that "it won’t be that bad"

It might not be but, then again, it might be really bad. Why take the risk?

Use a password manager, write your passwords down, or use some kind of brain-algorithm. Anything.
Thanks for listening. Tip your servers & change your passwords. Put me out of a job, please 🙏

~fin~
You can follow @jsoverson.