Credential stuffing attack leading to account takeover
December 05 2023

A Defense-in-Depth Approach to Stop Credential Stuffing Attacks 

The most popular mobile and web apps in the world, on which billions of consumers rely, are built on API architectures.  These apps read account data and perform transactions entirely through API requests to back-end servers.  However, API endpoints carry little protection of their own, and the supplementary security products layered on top of them have gaps.  This opens the door to credential stuffing, a tactic that lets attackers take over accounts and steal funds or sensitive data.  The resulting fraud is extremely costly to application providers and produces a terrible end-user experience.  Network obfuscation, which makes external API endpoints undiscoverable and inaccessible to threat actors, applies defense-in-depth principles to API security.  Solutions built on obfuscation present a novel and effective way to stop credential stuffing attacks and reduce the costly remediation burden.

API Architecture is Everywhere and Insecure

Web and mobile applications are now the principal way consumers access key services, including banking, brokerage, retail, travel, streaming, and gaming.  API requests to the back-end servers carry authentication and data interchange.  All of these apps depend on secure API connections to keep PII and transaction data safe and account access private.  API endpoints respond only to requests in the expected format that carry the expected API key or token, which is meant to restrict access to bona fide clients.

Unfortunately, the request format is straightforward to reproduce: a mobile app can be decompiled and its traffic inspected, and the API key it embeds can be extracted and reused.  API functionality is thereby exposed to attackers, and the only remaining obstacle to accessing your bank account is the application login.  Lucky for attackers, criminal marketplaces on the dark web offer some 24 billion username and password pairs stolen in breaches over the years.  Because consumers tend to reuse their credentials across sites, replaying these stolen logins yields account takeover success rates reported as high as 2%.

What is credential stuffing?

Credential stuffing occurs when attackers use automation to submit stolen username and password pairs to a web or mobile application's authentication system.  These are usually high-volume, programmatic authentication requests sent directly to the API.  Because the fraudulent requests are formatted properly and use a valid API key, the back-end systems treat them as ordinary authentication attempts, and they grant access when presented with valid credentials, whatever the source.  Drawing on databases of credentials from prior breaches, attackers rely on consumers reusing the same password across multiple applications.

Attackers commonly launch credential stuffing from botnets so that the attack runs at very large scale.  They also use bots to simulate the diversity of consumer devices, locations, and human interactions that characterize authentic login attempts.  The ability to generate correctly formatted authentication requests and to supply contextual signals that mimic human behavior makes it very difficult to separate genuine logins from fraudulent ones.

Because credential stuffing attacks are effective, attackers attempt them at high volume and frequency.  It is not uncommon for the scale of such an attack to overwhelm the target servers with requests in a way that mirrors a DDoS attack.  According to one report, credential stuffing accounted for 34% of all login attempts during a recent time period. The same report cited 10 billion credential stuffing attacks in a single calendar quarter.  

The adverse effects of credential stuffing attacks

Credential stuffing attacks are not only frequent and challenging to stop but are also costly to affected organizations.  Some typical adverse effects arising from credential stuffing attacks include:

  • Unauthorized access: Attackers use the credentials to access sensitive information, like personally identifiable information (PII) or intellectual property.
  • Account takeovers: After logging in as a legitimate user, the attackers can change passwords, giving them sole control over the account. 
  • Data theft: Attackers use the account to download and steal sensitive data, giving them a way to make money by selling it on the Dark Web. 
  • Financial losses: Stored value in brokerage, banking, credit, or loyalty accounts can be withdrawn and stolen.
  • Fraudulent transactions: With access to consumer accounts, threat actors can engage in purchases, returns, and transfers to extract account value.
  • High cost of remediation: In the aftermath of a data breach, the organization faces financial expenses arising from system recovery, notifying impacted customers, and legal fees associated with customer lawsuits.
  • Reputation damage: News reports of the data breach harm how the public views the company.
  • Customer churn: Customers may lose trust in the organization, causing them to switch their business to a competitor.
  • Regulatory action: If a regulatory investigation indicates that the data breach arose from ineffective cybersecurity, the organization may have violated a legislative or regulatory compliance requirement and face fines or other sanctions. 

Why traditional API security solutions fail

Organizations try to stay one step ahead of API threats and seek to embrace a defense-in-depth strategy.  However, they often find that the risk mitigation provided by enhanced authentication technology and API security solutions fails to achieve its security objectives.

Multi-Factor Authentication (MFA)

MFA is the process of requiring users to provide two or more of the following before granting access to resources:

  • Something they know (password)
  • Something they have (mobile device, token)
  • Something they are (biometrics like face ID or fingerprint)

Two-factor authentication (2FA) is the most common implementation of MFA.  While significantly more secure than a password alone, it is by no means foolproof: attackers defeat it with social engineering, real-time phishing proxies that relay the one-time code, and push-notification fatigue.  End-users also often resist the added inconvenience, and help desks are overburdened with frustrated customers.  In the competitive world of consumer banking, many leading players have opted not to require 2FA for fear that friction in the user experience will lead to customer churn.

Web Application Firewalls (WAF) 

A WAF monitors and analyzes HTTP traffic and blocks risky requests that attempt to reach an application from the internet.  These systems address a broad range of threats and also provide features that reduce credential stuffing: rate limiting, IP denylists, and HTTP request analysis can each block a share of fraudulent traffic.

The key challenge is that a WAF is a blunt instrument against credential stuffing and is not wholly effective.  Its filters are straightforward for attackers to navigate around; an attacker that spreads requests across many source addresses, for instance, stays under per-IP rate limits.  Administrators must also configure rulesets, or signatures, that match known threats for the WAF to block them.  Adversaries continually change their patterns and behaviors, so signatures rapidly become outdated, and keeping them current is onerous enough that they are often stale and ineffective.

Bot Detection

Bot detection tools analyze technical and behavioral visitor data, such as user agent, IP owner, geolocation, crawling speed, and crawling frequency.  These systems look for activity or technical markers that do not fit plausible human behavior or device patterns.  Since threat actors use bots to deploy credential-stuffing attacks, bot detection can alert the security team to anomalous activity and block requests.

Threat actors have found ways to defeat most or all of these bot detection tactics.  When they can't beat the defenses outright, they make their requests look real enough to be ambiguous, and blocking the whole pool of ambiguous requests would block legitimate users as well.  Attackers proxy through rotating IP addresses, insert irregular timing and human-like behaviors into request activity, and spoof or block device fingerprinting.  Through this arsenal of tactics, attackers ensure that at least a portion of fraudulent requests get through.
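The following is an added example, not code from this page or from SecureCo, that puts the WAF and bot-detection caveats above into working detection logic. It runs over constructed authentication-log lines in an assumed `<timestamp>Z src=<ip> user=<name> result=OK|FAIL` format, using illustrative thresholds and documentation IP ranges: a per-source sliding-window rate limit (the WAF control) blocks an attack from one address, the same credential list replayed through rotating proxy IPs slips under it, and aggregate signals (username spraying per source, failure ratio across the whole window) still flag both.

```python
"""Credential-stuffing detection over constructed auth-log lines (added example).
Compares a per-source rate limit with aggregate signals on three traffic mixes."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format (not from the page): "<ISO-8601>Z src=<ip> user=<name> result=OK|FAIL"
LOG_RE = re.compile(r"^(?P<ts>\S+)Z src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$")
WINDOW = timedelta(seconds=60)


def parse(lines):
    """Turn log lines into event dicts; malformed lines are skipped rather than trusted."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            events.append({"ts": datetime.fromisoformat(m["ts"]), "src": m["src"],
                           "user": m["user"], "ok": m["result"] == "OK"})
    return sorted(events, key=lambda e: e["ts"])


def per_source_rate_limit(events, limit=15, window=WINDOW):
    """WAF-style sliding window: a source exceeding `limit` attempts per `window` is blocked."""
    recent = defaultdict(list)
    blocked = set()
    for ev in events:
        q = recent[ev["src"]]
        q.append(ev["ts"])
        while ev["ts"] - q[0] > window:          # drop attempts that fell out of the window
            q.pop(0)
        if len(q) > limit:
            blocked.add(ev["src"])
    return blocked


def aggregate_signals(events, min_users_per_source=10, max_fail_ratio=0.3):
    """Signals that survive IP rotation: username spraying per source, and the failure
    ratio of the whole window. Thresholds are illustrative; in production compare
    against a per-application baseline rather than fixed numbers."""
    users_by_src = defaultdict(set)
    for ev in events:
        users_by_src[ev["src"]].add(ev["user"])
    spraying = {s for s, users in users_by_src.items() if len(users) >= min_users_per_source}
    fails = sum(1 for ev in events if not ev["ok"])
    ratio = round(fails / len(events), 2) if events else 0.0
    return {"spraying_sources": spraying, "fail_ratio": ratio, "alert": ratio > max_fail_ratio}


def make_lines(start, attempts):
    """Constructed log lines from (offset_seconds, src, user, ok) tuples."""
    return [f"{(start + timedelta(seconds=off)).isoformat()}Z src={src} user={user} "
            f"result={'OK' if ok else 'FAIL'}" for off, src, user, ok in attempts]


def run_scenarios():
    """Legitimate traffic alone, then a single-source and a rotating-proxy attack layered on it."""
    t0 = datetime(2023, 12, 5, 10, 0, 0)
    legit = [(i * 5, f"198.51.100.{i + 1}", f"user{i}", True) for i in range(8)]
    legit.append((3, "198.51.100.1", "user0", False))          # one real user mistypes a password
    # One source sprays 40 leaked credential pairs in 40 seconds; one pair happens to be valid.
    single = [(i, "203.0.113.7", f"victim{i}", i == 13) for i in range(40)]
    # The same 40 pairs, one attempt per proxy IP, so no single source ever looks busy.
    rotated = [(i, f"203.0.113.{10 + i}", f"victim{i}", i == 13) for i in range(40)]
    out = {}
    for name, attack in (("legit", []), ("single_source", single), ("distributed", rotated)):
        events = parse(make_lines(t0, legit + attack))
        out[name] = {"blocked": per_source_rate_limit(events), "signals": aggregate_signals(events)}
    return out


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(name, result)
```

The distributed case is the one that matters: every proxy IP makes a single attempt, so neither the rate limit nor the per-source spraying check fires, while the window-wide failure ratio (40 failures in 49 attempts) still does. That aggregate signal tells you an attack is under way but not which requests to drop, which is exactly the ambiguity the paragraph above describes.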

API Security Platforms

API security platforms typically aggregate the threat detection features of WAF and bot detection into a single product, along with utilities to inventory and monitor the API attack surface.  They function largely as central management consoles for a host of security features but do not significantly expand the defensive capability set beyond WAF and bot detection.  As a result, they fall short for the same reasons the solutions above do.

The fundamental insecurity of external API endpoints

External-facing APIs traditionally have three lines of defense against account takeovers and other abuse: the API key and request format, the application login, and request filtering by WAFs and bot detection.  While this looks like a defense-in-depth posture, it is not, because each line is defeatable.  Attackers can steal the API key and reverse engineer the request format.  They overcome the application login by obtaining millions of passwords through illegal channels and running credential stuffing attacks.  And request filtering is only partially successful, allowing a portion of the fraud to pass.

At the heart of the problem, external APIs are broadly discoverable and accessible to anyone.  This is particularly true for APIs serving consumer applications such as mobile apps, which must be reachable by every legitimate user from anywhere on any device.  Without any gating of access to the API endpoint at the network level, practitioners are reliant on a patchwork of security solutions with costly gaps.

Network obfuscation: defense-in-depth for API security 

Network obfuscation cloaks connected assets and data in transit to shield them from interference by threat actors.  It makes external APIs discoverable and accessible only to authorized parties, so direct attacks on the API cannot connect, let alone do harm.  With this approach, apps establish a private connection to their API back ends, denying attackers the access that API fraud requires.  The key weakness of external APIs, their openness, is thereby addressed.

Several network obfuscation techniques make network assets harder for malicious actors to discover and target:

  • Secure network tunneling: creating private network access between authorized mobile app users and the associated APIs
  • Rendezvous connections: both sides make outbound connections to a meeting point, so the API endpoint needs no open ingress port and is inaccessible to threat actors
  • Stealth routing techniques: multi-layer encryption, randomized ephemeral circuits, and decoy data injection, which thwart interception and inspection of API calls

Network obfuscation provides defense-in-depth for API security and stops credential stuffing attacks by adding a second, network-level authentication step in front of the application login.  It provides the following defensive benefits:

  • Blocking attackers from intercepting API calls, so they can't interrogate or enumerate the API;
  • Blocking attackers from reaching API endpoints, so they can't probe the application logic; and
  • Blocking unauthorized access to the API at the network level by requiring the use of a proprietary transport protocol.
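The rendezvous idea above, reduced to a runnable sketch. This is an added example and not SecureCo's protocol or code: the `HELLO <role> <tag>` handshake, the pre-shared secret, the loopback relay and the single `LOGIN` request are all assumptions made for the demo. The API backend only ever calls connect(), never bind() or listen(), so a direct connection attempt to its address finds nothing; the relay checks a network-level credential (an HMAC tag) before it forwards a single byte, so a client without the credential is rejected before the application login is ever reached.

```python
"""Rendezvous connection demo (added example, not SecureCo's protocol).
The API backend never opens a listening port: it dials OUT to a relay, and
clients reach it only through that relay after a network-level credential check."""
import hashlib
import hmac
import socket
import threading

# Assumption: a secret provisioned to the app build and to the backend (not from the page).
SHARED_SECRET = b"demo-shared-secret"


def auth_tag(role: bytes) -> bytes:
    """HMAC-SHA256 over the role name; the relay verifies it before forwarding anything."""
    return hmac.new(SHARED_SECRET, role, hashlib.sha256).hexdigest().encode()


def send_line(f, data: bytes) -> None:
    f.write(data + b"\n")
    f.flush()


class Rendezvous:
    """The only listening socket in the demo. It pairs the backend's outbound
    connection with client requests, one request/response at a time."""

    def __init__(self):
        self._srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._srv.bind(("127.0.0.1", 0))
        self._srv.listen(16)
        self.port = self._srv.getsockname()[1]
        self._backend = None                      # file object on the backend's connection
        self._backend_ready = threading.Event()
        self._lock = threading.Lock()
        threading.Thread(target=self._accept_loop, daemon=True).start()

    def _accept_loop(self):
        while True:
            conn, _ = self._srv.accept()
            threading.Thread(target=self._handle, args=(conn,), daemon=True).start()

    def _handle(self, conn):
        f = conn.makefile("rwb")
        hello = f.readline().split()              # expected: HELLO <role> <tag>
        if len(hello) != 3 or hello[0] != b"HELLO" or not hmac.compare_digest(hello[2], auth_tag(hello[1])):
            send_line(f, b"REJECT")               # bad credential: nothing is forwarded
            f.close()
            conn.close()
            return
        if hello[1] == b"backend":
            self._backend = f                     # hold the backend's outbound link open
            self._backend_ready.set()
            send_line(f, b"OK")
            return
        send_line(f, b"OK")
        request = f.readline()
        if self._backend_ready.wait(timeout=5):
            with self._lock:                      # forward over the backend's outbound link
                self._backend.write(request)
                self._backend.flush()
                response = self._backend.readline().rstrip(b"\n")
        else:
            response = b"REJECT"
        send_line(f, response)
        f.close()
        conn.close()


class Backend:
    """The API server. It only calls connect(), never bind()/listen()."""

    def __init__(self, relay_port: int):
        self._sock = socket.create_connection(("127.0.0.1", relay_port))
        self.local_port = self._sock.getsockname()[1]     # ephemeral, outbound only
        self._f = self._sock.makefile("rwb")
        send_line(self._f, b"HELLO backend " + auth_tag(b"backend"))
        if self._f.readline() != b"OK\n":
            raise RuntimeError("relay refused backend registration")
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self):
        for line in self._f:                              # one request per line from the relay
            parts = line.split()
            if len(parts) == 2 and parts[0] == b"LOGIN":  # stand-in for the login endpoint
                send_line(self._f, b"OK " + parts[1])
            else:
                send_line(self._f, b"ERR")


def client_request(relay_port: int, tag: bytes, request: bytes) -> str:
    """What the app does: present the network-level credential, then send one request."""
    with socket.create_connection(("127.0.0.1", relay_port)) as s:
        f = s.makefile("rwb")
        send_line(f, b"HELLO client " + tag)
        if f.readline() != b"OK\n":
            return "REJECT"
        send_line(f, request)
        return f.readline().strip().decode()


def direct_probe(port: int) -> bool:
    """What an attacker does: try to connect straight to the backend's address."""
    try:
        socket.create_connection(("127.0.0.1", port), timeout=1).close()
        return True
    except OSError:
        return False


def run_demo():
    relay = Rendezvous()
    backend = Backend(relay.port)
    return {
        "authorized": client_request(relay.port, auth_tag(b"client"), b"LOGIN alice"),
        "unauthorized": client_request(relay.port, b"0" * 64, b"LOGIN alice"),
        "backend_reachable_directly": direct_probe(backend.local_port),
    }


if __name__ == "__main__":
    print(run_demo())
```

Two caveats a practitioner would raise. The relay sees requests in the clear here; a real deployment runs end-to-end encryption inside the tunnel (for example mutual TLS between app and backend) so the rendezvous point is a dumb pipe. And the pre-shared secret is the weak point: a static secret embedded in a mobile app can be extracted like an API key, so production systems bind the credential to the device or attestation rather than to the app binary.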

SecureCo: credential stuffing protection through obfuscation

SecureCo provides the only commercially available application of network obfuscation to API security.  SecureCo's solution is as differentiated as it is effective, radically reducing the exposure of API endpoints to threat actors.  SecureCo's solutions work seamlessly with existing security and network systems as a defense-in-depth solution to stop fraud and account takeovers.  To learn more, view our API Protection Solution Brief.

To see how our combination of proprietary and battle-tested obfuscation techniques can solve your API security challenges, request a demo.
