How Behavioral Biometrics Thwart Credential-Stuffing Attacks
(Note to readers: This is the first part of a new blog series about how behavioral biometrics detects and stops specific cyber threats. Today’s blog focuses on credential stuffing.)
When are you really not you? When you’re the victim of a credential-stuffing attack – which is a common occurrence these days.
One quarter of organizations have experienced such an attack, and 95 percent of organizations that were targeted faced anywhere between 637 and 3.3 billion attempts in a year. Ironically, the source of this research – Verizon, in its widely followed annual Data Breach Investigations Report – was itself hit by a recent series of high-profile credential-stuffing incidents. Attackers used customer usernames and passwords exposed in earlier breaches elsewhere to log into accounts at Verizon Visible, the wireless giant’s budget offering, change the victims’ passwords and shipping addresses, and then purchase expensive phones on their accounts.
Credential stuffing has emerged as a major source of headaches for chief information security officers (CISOs) because, frankly, users are making it too easy for the bad guys: two-thirds of adults reuse the same password across multiple accounts, or even all of them. These lapses have hit the financial sector in particular, where credential stuffing represents the greatest share of cyber incidents for the industry at 41 percent. As a result, these organizations have experienced downtime, loss of customers and reputational damage, with the average company losing $6 million a year to the attacks.
For cyber criminals, credential stuffing is a more efficient relative of the brute-force attack. Brute-force attacks work to a degree: the attacker repeatedly “guesses” passwords for a username from massive “dictionaries” of popular letter, number and symbol combinations. Credential stuffing is the “smarter brother” because it removes the guesswork. Instead of guessing, the attacker replays username and password pairs that were already valid somewhere, harvested from earlier breaches and sold cheaply in bulk on criminal markets. Because of the password reuse described above, a meaningful fraction of those pairs still work on other sites. That is also why the usual defenses miss it: password-complexity rules are irrelevant when the submitted password is correct, and per-account lockout thresholds rarely trigger because each account typically sees only one or two attempts while the attacker works through millions of accounts.
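The difference between the two attack shapes shows up clearly in authentication logs, and the contrast is worth seeing in code. The following is an added example written for this post, not code from the original article or from any product: it aggregates login attempts per source over a constructed, hypothetical log format (the `src=... user=... result=...` layout, the thresholds and the sample lines are all assumptions) and labels a source as credential stuffing when it spreads roughly one attempt across many distinct usernames with a high failure rate, and as brute force when it hammers a single username. It also pulls out the successes inside a stuffing burst, which are the accounts whose reused passwords just worked.

```python
"""Triage login traffic: credential stuffing vs. password brute force.

Added example, not from the original post or any vendor product. The log
format, thresholds and sample lines are constructed for illustration; adapt
parse_line() to your own authentication logs.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample log (hypothetical format): one stuffing burst from
# 203.0.113.7, one brute-force run from 198.51.100.9, one normal user.
SAMPLE_LOG = """\
2024-03-01T10:00:01Z src=203.0.113.7 user=alice result=FAIL
2024-03-01T10:00:01Z src=203.0.113.7 user=bob result=FAIL
2024-03-01T10:00:02Z src=203.0.113.7 user=carol result=FAIL
2024-03-01T10:00:02Z src=203.0.113.7 user=dave result=OK
2024-03-01T10:00:03Z src=203.0.113.7 user=erin result=FAIL
2024-03-01T10:00:03Z src=203.0.113.7 user=frank result=FAIL
2024-03-01T10:00:04Z src=203.0.113.7 user=grace result=FAIL
2024-03-01T10:00:04Z src=203.0.113.7 user=heidi result=FAIL
2024-03-01T10:00:05Z src=203.0.113.7 user=ivan result=FAIL
2024-03-01T10:00:05Z src=203.0.113.7 user=judy result=FAIL
2024-03-01T10:01:00Z src=198.51.100.9 user=admin result=FAIL
2024-03-01T10:01:01Z src=198.51.100.9 user=admin result=FAIL
2024-03-01T10:01:02Z src=198.51.100.9 user=admin result=FAIL
2024-03-01T10:01:03Z src=198.51.100.9 user=admin result=FAIL
2024-03-01T10:01:04Z src=198.51.100.9 user=admin result=FAIL
2024-03-01T10:01:05Z src=198.51.100.9 user=admin result=FAIL
2024-03-01T10:02:00Z src=192.0.2.44 user=alice result=FAIL
2024-03-01T10:02:09Z src=192.0.2.44 user=alice result=OK
"""

LINE_RE = re.compile(r"src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)")

# Thresholds are assumptions for this example; tune them on your own baseline.
MIN_ATTEMPTS = 5        # too few attempts to label anything
MIN_FAIL_RATE = 0.7     # stuffed lists are mostly stale, so most attempts fail
MIN_USER_SPREAD = 0.8   # distinct usernames / attempts: about one try per account


@dataclass
class SourceStats:
    attempts: int = 0
    failures: int = 0
    users: set = field(default_factory=set)
    successes: list = field(default_factory=list)   # usernames that logged in OK


def parse_line(line):
    """Return (src, user, ok) for one log line, or None if it does not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return m["src"], m["user"], m["result"] == "OK"


def aggregate(log_text):
    """Per-source counters over the whole log."""
    stats = defaultdict(SourceStats)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, user, ok = parsed
        s = stats[src]
        s.attempts += 1
        s.users.add(user)
        if ok:
            s.successes.append(user)
        else:
            s.failures += 1
    return stats


def classify_source(s):
    """Label one source's traffic by its shape, not by any single failure."""
    if s.attempts < MIN_ATTEMPTS:
        return "normal"
    fail_rate = s.failures / s.attempts
    spread = len(s.users) / s.attempts
    if fail_rate >= MIN_FAIL_RATE and spread >= MIN_USER_SPREAD:
        return "credential_stuffing"   # many accounts, ~one password each
    if fail_rate >= MIN_FAIL_RATE and len(s.users) == 1:
        return "brute_force"           # one account, many passwords
    return "normal"


def classify(log_text):
    return {src: classify_source(s) for src, s in aggregate(log_text).items()}


def suspected_takeovers(log_text):
    """Successful logins inside a stuffing burst: the reused credentials that hit."""
    stats = aggregate(log_text)
    return sorted((src, user) for src, s in stats.items()
                  if classify_source(s) == "credential_stuffing"
                  for user in s.successes)


if __name__ == "__main__":
    for src, label in classify(SAMPLE_LOG).items():
        print(src, label)
    print("suspected takeovers:", suspected_takeovers(SAMPLE_LOG))
```

Keying on source IP is the simplest version; a real campaign rotates through residential proxies so that each address sends only a handful of attempts. In practice the same aggregation is run on other keys as well (user agent, TLS fingerprint, ASN) and on the site-wide rate of distinct-username failures, which climbs during a stuffing run no matter how the traffic is spread.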
This puts CISOs in a difficult situation, especially as work-from-home arrangements continue to blur the line between employees’ work and personal lives, with company-managed devices routinely used for online shopping and banking, where a reused password leaks just as easily as anywhere else.
That’s why CISOs and their teams should consider behavioral biometrics a critical component of their security strategy and solutions portfolio. Behavioral biometrics add a layer of defense that credential stuffing does not defeat, because the signal is not a static, replayable secret: a stolen password is still a correct password, but it says nothing about how the account owner actually handles a device. Instead of relying on what the user knows, these systems build a profile of how employees or customers physically interact with devices and compare each access attempt against it.
Like fingerprints and snowflakes, every profile is distinct, because no two individuals hold a smartphone, swipe a screen, type on a keyboard or move a mouse in quite the same way. This creates a physical signature for the profile that is hard for an attacker’s script to imitate, and a credential-stuffing bot that simply replays a login request produces no such signal at all. What’s more, behavioral biometrics can improve the user experience by reducing friction such as remembering and retyping passwords dozens of times a day, friction that customers and employees would rather avoid.
With our behavioral biometrics deployed, detecting bots and automation becomes straightforward. Not only can the system separate bots from humans as traffic arrives, but our machine learning engine also categorizes the automation and groups bots by their behavior. This gives you a full view of every kind of automation used to access your system, and how common each is, from benign fintech apps to malicious credential stuffing. For a simplified breakdown of what bots, such as credential-stuffing tools, look like compared with average user traffic through the lens of behavioral biometrics, see Figure 1 below.
Figure 1 Categorized automation (left) versus normal traffic (right)
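To make the profile-and-compare idea from the preceding paragraphs concrete, here is an added example written for this post; it is not the product’s algorithm or any code from the original article. It builds a keystroke-dynamics profile for one user from a few enrollment samples (per-key hold times and the gaps between keys for a fixed login phrase), scores a new attempt by how far it sits from that profile, and flags machine-regular timing as automation. The feature set, thresholds and every timing value are constructed assumptions for illustration; real deployments use many more signals (mouse, touch, device posture) and far more data than a few samples.

```python
"""Keystroke-dynamics profile and scoring.

Added example, not the post's or any vendor's algorithm. Features, thresholds
and all sample timings are assumptions constructed for illustration.
"""
from statistics import mean, pstdev

# A sample for a fixed 5-key login phrase:
#   dwell  = key-down to key-up of each key (ms)            -> 5 values
#   flight = key-up of one key to key-down of the next (ms) -> 4 values
# Constructed enrollment samples for one user (not real telemetry).
ENROLLMENT = [
    {"dwell": [95, 110, 80, 120, 90],  "flight": [150, 210, 180, 260]},
    {"dwell": [100, 105, 85, 125, 95], "flight": [160, 200, 190, 250]},
    {"dwell": [90, 115, 78, 118, 88],  "flight": [145, 220, 175, 270]},
    {"dwell": [98, 108, 82, 122, 92],  "flight": [155, 205, 185, 255]},
]
# Constructed probes: the same user, a different human, and a script.
GENUINE = {"dwell": [97, 112, 83, 119, 91], "flight": [152, 212, 183, 262]}
IMPOSTOR = {"dwell": [60, 70, 65, 75, 60],  "flight": [90, 130, 110, 150]}
SCRIPTED = {"dwell": [50, 50, 50, 50, 50],  "flight": [100, 100, 100, 100]}

STD_FLOOR_MS = 10.0    # assumption: a few samples cannot justify a tighter std
ACCEPT_Z = 1.5         # assumption: mean |z| below this matches the profile
AUTOMATION_CV = 0.05   # assumption: timing this regular is not a human


def features(sample):
    """Flatten one sample into a fixed-length feature vector."""
    return list(sample["dwell"]) + list(sample["flight"])


def build_profile(samples):
    """Per-feature (mean, std) over the enrollment samples, std floored."""
    cols = list(zip(*(features(s) for s in samples)))
    return [(mean(c), max(pstdev(c), STD_FLOOR_MS)) for c in cols]


def distance(profile, sample):
    """Mean absolute z-score of a sample against the profile (0 = dead centre)."""
    return mean(abs(x - m) / sd for x, (m, sd) in zip(features(sample), profile))


def looks_automated(sample):
    """Scripted input tends toward constant timings; human timing always jitters."""
    for series in (sample["dwell"], sample["flight"]):
        if pstdev(series) / mean(series) < AUTOMATION_CV:
            return True
    return False


def verdict(profile, sample):
    """Decision for one login attempt given its interaction telemetry (or none)."""
    if sample is None:
        return "no_telemetry"   # credentials POSTed without any typing at all
    if looks_automated(sample):
        return "automation"
    return "accept" if distance(profile, sample) < ACCEPT_Z else "reject"


if __name__ == "__main__":
    profile = build_profile(ENROLLMENT)
    for name, probe in [("genuine", GENUINE), ("impostor", IMPOSTOR),
                        ("scripted", SCRIPTED), ("no telemetry", None)]:
        print(f"{name:13s} -> {verdict(profile, probe)}")
```

Two things in this toy carry over to real systems. First, the `no_telemetry` branch matters most for credential stuffing: a stuffing tool usually never renders the login page, so a correct password arriving with no interaction data at all is itself the strongest signal. Second, a scripted attacker can add random jitter to defeat the regularity check, which is why timing regularity is only one of many behavioral features and why the profile, not the automation check, does the heavy lifting.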
Ultimately, behavioral biometrics solutions confirm with high confidence that you really are you, and not a credential-stuffing threat holding your password. If you’d like to find out how we can help your company achieve this level of user experience-friendly cyber protection, please contact us. Meanwhile, look for the next blog in this series, which will address social engineering attacks.
If you would like to learn more, please contact me at email@example.com or check out my YouTube talk about Credential Stuffing and Brute Force Attacks.