James Thew - Fotolia

How can credential stuffing attacks be detected?

Credential stuffing attacks can put companies that offer online membership programs, as well as their customers, at risk. Find out how to proactively manage the threat.

Twice in the last three months, Dunkin' Donuts -- currently rebranding itself as Dunkin' -- was hit with a credential stuffing attack that affected an undisclosed number of members of its DD Perks membership program. The company said one of its security vendors detected the attack and stopped most of the account intrusions, but it admitted it was possible threat actors accessed some accounts and obtained names, email addresses and DD Perks account numbers. How can a credential stuffing attack like this be detected, and how can enterprises limit their exposure to such threats?

Sometimes it's unclear why people actually need an account for a website, but enterprises and consumers have become habituated to creating and using accounts to track any number of activities on a company website. And as infrastructure security has gradually improved, attackers have shifted their attack methods to abuse legitimate accounts.

Customer accounts or membership programs have privacy and systemic risks, and customers need to remember and manage them. The risks are difficult to assess, and many people will use the accounts to get something at a discount or for free. While these accounts may offer potential benefits, enterprises need to actively manage them.

Dunkin' Donuts offers member accounts as part of its loyalty program, but these risks aren't limited to these kinds of policies. Credential stuffing attacks are one such challenge, and Dunkin' Donuts fell victim to one in 2018 and another in February 2019. Credential stuffing occurs when stolen credentials from one system are used to gain access to accounts on different sites via automated logins.

Companies can decrease the risk of credential stuffing by monitoring authentication logs for any large number of authentication attempts from the same IP address or address space, or by monitoring for specific accounts. Depending on the enterprise's risk tolerance, it may also want to greatly throttle or outright block Tor nodes or more general cloud services because it may be difficult to determine the source of the account.

Some of these steps are being incorporated into risk-based authentication systems to give enterprises options to use for consumer accounts and internal accounts.

Taking proactive steps to avoid attacks

Enterprises may also want to take some proactive steps to protect these accounts from credential stuffing attacks. The cost of membership or loyalty accounts to a company increases drastically when an account is compromised. If an at-risk account can have its password reset before it is compromised, that can help lower the cost.

To address that aspect, companies may also want to check compromised accounts lists from Have I Been Pwned or other threat intelligence services to see if they are at increased risk. If an account and password are on one of the lists, the enterprise could contact the user or the web application could prompt the user to change their password. This notification would most likely be via email, so it would need to be written carefully to avoid looking like a phishing attack.

In addition, to avoid problems, an enterprise may want to require periodic password resets to address potential credential stuffing attacks as part of their overall risk management.

Ask the expert:
Have a question about enterprise threats? Send it via email today. (All questions are anonymous.)

Dig Deeper on Application and platform security