Josh Horwitz, COO, Michael Greene, CEO and Mike C. Wilson, CTOThe cyberthreat landscape continues to evolve as hackers find new vulnerabilities and methods of attack. A particular type of attack, known as credential stuffing, has recently increased significantly. Between November 2017 and June 2018, over 30 billion malicious login attempts of this type were recorded.
Credential stuffing is a technique where an attacker uses automated scripts to try stolen login credentials (password and user name combination) against a various target sites or services. The reason this works is that most people reuse the same credentials on multiple sites. This means a breach from one company creates a domino effect for other companies.
“Even if your site hasn’t been breached, your system is at risk if your customers and workforce are reusing the same passwords on other sites,” says Michael Greene, the CEO of PasswordPing.
Even though this type of attack is caused by the user’s own choice of password, the organization feels the impact. Credential stuffing and account takeover cost organizations millions to tens of millions of dollars in fraud losses annually, according to the Ponemon Institute’s “The Cost of Credential Stuffing” report. Beyond finanicial loss, the impact also includes damage to brand reputation and an erosion of trust.
Credential stuffing and account takeover are extremely difficult to defend against because attackers are using valid credentials. PasswordPing is a cybersecurity company that addresses the password reuse threat by helping organizations identify when their customers or workforce are using compromised credential data. The solution is applied in real-time by checking each login against billions of previously exposed username and password combinations that would otherwise be accepted.
Here is how it works: At the login page, a user enters their username and password.
PasswordPing makes it easy to identify exposed credentials, harden the password layer, and block account takeover attempts without adding adding friction to the login process
In milliseconds after the credentials have been submitted, PasswordPing identifies if the credentials were previously exposed in a 3rd party data breach. If so, the user is informed and prompted to reset their password, or access to sensitive information may be limited until secure credentials are established.
A major retailer discovered cybercriminals were using credential stuffing to access customer accounts and make fraudulent purchases. The client was already offering multi-factor authentication, but few users had enabled the option. The retailer came to PasswordPing for a solution that would prevent account takeover with minimal disruption for their customers. The solution was introduced to quietly check the user’s credentials behind-the-scenes. When compromised credentials were found, they required the customer to re-enter any previously stored credit cards to avoid authorized purchases.
“Passwords continue to be able to provide an important authentication layer alone or in combination with other factors. Password based security, like all security measures, needs to regularly evolve as threat methods change,” says Josh Horwitz, the COO of PasswordPing. “By continually checking user accounts against compromised credentials and screening new passwords to ensure they are not exposed, organizations dramatically improve efficacy of password-based security.”