Interview Selects 3.13.20
Ep 8 | 3.13.20

Justin Harvey from Accenture on credential stuffing.


Dave Bittner: And joining me once again is Justin Harvey. He's the global incident response leader at Accenture. Justin, it's great to have you back. I wanted to touch base with you today on credential stuffing and how folks can protect themselves against it. Can we just start off at the beginning here? What are we talking about with - when we say credential stuffing?

Justin Harvey: Credential stuffing is where an attack group - typically cybercriminals - want to steal identity information or even, in some cases, credit cards or create fraudulent transactions on e-commerce sites. And the way that they do this is they go out on the public internet, and in some cases, even the dark web. And they download huge files of email address and password combinations. And these files exist out there through intentional dumps from other attack groups. And they're freely available out there. In fact, there are even some websites that advertise entering your email address.

Justin Harvey: And we can tell you how many times you've been compromised on these e-commerce sites because these dumps become the public domain, essentially, when they hit the internet, a lot of times. So these adversaries grab those large files, and then they write scripts to try each of these username and password combinations against your e-commerce site. There are ways to prevent this, and in some cases, maybe if not prevented, then slow it down to a manageable level so that you can take action.

Justin Harvey: So the first and the best course of action is to implement multifactor for your customers. Now, I know that there may be some revenue people out there that are going to be saying, well, Justin, that's going to affect the customer experience. And we're going to see a certain percentage of lost revenue because our customers can't figure out multifactor. And I'm going to say, there are two ways to go about this. The first way is yes, you can take that little bit of customer experience hit, or you can wait until your site has become a victim of this and it becomes newsworthy. And you take the brand damage, or you take the hit of that.

Justin Harvey: And in some cases - take the EU, for example - there could be a GDPR violation by not taking appropriate steps. So multifactor is the best course of action. It doesn't matter if it's an SMS, Google Authenticator or CAPTCHA or image selection. But there's got to be some way to verify the next step of identity after you put your email address and password.

Justin Harvey: One really effective way of seeing how many of your users have been affected by this is to essentially crack your own passwords. And what I mean by that - the way to go about this is to talk to your threat intelligence provider. I know we do this at iDefense at Accenture where our customers will ask for the latest dump files out there - the millions of username and password combinations - and they'll put that into their system and essentially run the same encryption protocol on the dump file.

Justin Harvey: And then they take each encrypted password and compare it against the valid encrypted passwords on their own site. And that way, if there's a match, you know that that user has reused a password somewhere else on the Internet that there's - where it's been publicly available. And then you can do a few things. You can lock that user account, you can send them a helpful email, or you can reset their password and send them an email that they need to essentially reset or unlock that account.

Dave Bittner: Now, what about things like rate limiting - just not letting people, you know, pound that login with the - with attempt after attempt?

Justin Harvey: You know, it's funny you say that. I was just - I literally just worked a case on that last month. And there are products out there in the market that could do that. I think that this client was working with Akamai. They have something called the Bot Manager, which looks for anomalous patterns in traffic in order to identify that. But one way to get around that - and it takes a little more time, but - and it takes a bigger swath of hosts that the adversary has access to, but they can do this in a low and slow manner.

Justin Harvey: In fact, there are also ways to do this through using human beings instead of a script. You could even farm this out to 10, 20, 100 people, perhaps, in low-wage countries in order to run the attack yourself. So rate limiting is definitely recommended. It is effective, but it is not quite as effective as multifactor. And I wouldn't put all your eggs in that basket.

Dave Bittner: Yeah. All right. Well, Justin Harvey, thanks for joining us.

Justin Harvey: Thank you very much.
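The self-check Justin describes above (running a breach dump through the site's own password-hashing scheme and comparing the results against the stored hashes to find customers who reused a leaked password), as an added Python example that is not part of the interview. It assumes a site that stores PBKDF2-SHA256 hashes with a per-user random salt, so each dumped password has to be re-hashed under the matching customer's salt; the account list and the dump lines are constructed sample data.

```python
import hashlib
import hmac
import os

# Assumed storage scheme for the site: PBKDF2-SHA256 with a per-user random salt.
ITERATIONS = 100_000

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)

def build_store(accounts):
    """Constructed stand-in for the user table: lowercase email -> (salt, digest)."""
    store = {}
    for email, password in accounts:
        salt = os.urandom(16)
        store[email.lower()] = (salt, hash_password(password, salt))
    return store

def find_reused_credentials(store, dump_lines):
    """Emails whose dumped password, re-hashed under that user's own salt, matches."""
    flagged = set()
    for line in dump_lines:
        email, sep, password = line.strip().partition(":")
        if not sep:
            continue  # blank or malformed dump line
        entry = store.get(email.strip().lower())
        if entry is None:
            continue  # not one of our customers, nothing to check
        salt, digest = entry
        # Per-user salts mean the dump cannot be hashed once in bulk; each candidate
        # is hashed with the matching user's salt and compared in constant time.
        if hmac.compare_digest(hash_password(password, salt), digest):
            flagged.add(email.strip().lower())
    return flagged

# Constructed sample data: three customer accounts and a four-line "dump" file.
SAMPLE_ACCOUNTS = [
    ("alice@example.com", "Summer2019!"),
    ("bob@example.com", "correct horse battery"),
    ("carol@example.com", "hunter2"),
]
SAMPLE_DUMP = [
    "alice@example.com:Summer2019!",  # same password reused: flag
    "bob@example.com:wrongpass",      # different password: no match
    "dave@example.com:hunter2",       # not a customer: ignored
    "CAROL@example.com:hunter2",      # email case differs, password matches: flag
]

def run_check(accounts=SAMPLE_ACCOUNTS, dump_lines=SAMPLE_DUMP):
    # Returns the set of accounts to lock, notify, or force-reset.
    return find_reused_credentials(build_store(accounts), dump_lines)
```

Only the flagged account list should leave this job; the matched plaintext passwords are never logged or stored, and with an unsalted or globally salted scheme the dump could instead be hashed once and joined against the table.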