In September 2020, Dunkin’ Brands Inc., the franchisor of Dunkin’ doughnut and coffee shops, paid $650,000 in penalties and costs as part of a settlement with the New York State Attorney General after fraudsters accessed tens of thousands of customer accounts, many of which were linked to “DD” loyalty cards.
The breach began as early as 2015, with bad actors compromising Dunkin’ through an attack method known as credential stuffing, in which targeted accounts were accessed by inputting usernames and passwords stolen via breaches of other unrelated websites and online services. While a third-party app developer had alerted Dunkin’ about the compromise of an estimated 20,000 of their accounts over just a five-day sample period, unfortunately Dunkin’ “did nothing to protect the nearly 20,000 customers that it knew had been impacted in the attacks or the potentially thousands more (it) did not know about,” according to a statement in the Attorney General’s settlement announcement.
Enterprise chief information security officers (CISOs) and their teams should take heed of such cases, as credential stuffing has become a more sophisticated and cost-effective variant of the brute-force attack. In a brute-force attack, intruders repeatedly “guess” usernames and passwords using massive “dictionaries” of commonly used letter, number and other character combinations. Credential stuffing goes beyond mere guesswork: the login names and passwords were in real use, and are often still valid when purchased in bulk on the black market. Since employees and customers typically reuse their credentials across office and personal accounts, these stolen credentials offer potent cybercrime ammunition even if some affected users or businesses catch on and freeze or reset accounts.
Today more than 15 billion breached credentials are in circulation, along with low-cost tools and botnets designed to exploit them, which ensures a positive return for fraudsters. Even with a success rate of a small fraction of one percent, once “in,” criminals use these accounts to steal money and information, then profit again by reselling the account data in bulk to other criminals and syndicates.
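Added example (not from the article): a small Python detector that makes the distinction drawn above concrete by aggregating login attempts per source address. Brute force shows up as one or two accounts hit many times; credential stuffing shows up as many distinct accounts tried about once each, nearly all failing. The log format, field names and thresholds are assumptions, and the log lines are constructed.

```python
import re
from collections import defaultdict

# Constructed sample authentication log (assumed format, not a real product's).
SAMPLE_LOG = """\
2020-09-01T10:00:01Z src=203.0.113.5 user=alice result=FAIL
2020-09-01T10:00:02Z src=203.0.113.5 user=bob result=FAIL
2020-09-01T10:00:02Z src=203.0.113.5 user=carol result=FAIL
2020-09-01T10:00:03Z src=203.0.113.5 user=dave result=OK
2020-09-01T10:00:03Z src=203.0.113.5 user=erin result=FAIL
2020-09-01T10:00:10Z src=198.51.100.7 user=admin result=FAIL
2020-09-01T10:00:11Z src=198.51.100.7 user=admin result=FAIL
2020-09-01T10:00:12Z src=198.51.100.7 user=admin result=FAIL
2020-09-01T10:00:13Z src=198.51.100.7 user=admin result=FAIL
2020-09-01T10:00:14Z src=198.51.100.7 user=admin result=FAIL
2020-09-01T10:01:00Z src=192.0.2.9 user=alice result=FAIL
2020-09-01T10:01:05Z src=192.0.2.9 user=alice result=OK
"""

LINE_RE = re.compile(r"src=(\S+) user=(\S+) result=(OK|FAIL)")

def summarize(log_text):
    """Per source IP: total attempts, set of distinct accounts, failure count."""
    stats = defaultdict(lambda: {"attempts": 0, "users": set(), "fails": 0})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # skip malformed lines instead of aborting the scan
        src, user, result = m.groups()
        s = stats[src]
        s["attempts"] += 1
        s["users"].add(user)
        s["fails"] += int(result == "FAIL")
    return stats

def classify(stats, min_attempts=5, min_fail_ratio=0.6):
    """Label each source. Stuffing: many accounts, ~one try each, mostly failing.
    Brute force: one or two accounts hammered repeatedly. Thresholds are assumed."""
    labels = {}
    for src, s in stats.items():
        n, users = s["attempts"], len(s["users"])
        if n < min_attempts or s["fails"] / n < min_fail_ratio:
            labels[src] = "normal"
        elif users >= 0.8 * n:
            labels[src] = "credential-stuffing"
        elif users <= 2:
            labels[src] = "brute-force"
        else:
            labels[src] = "suspicious"
    return labels
```

Real stuffing traffic is spread across many source addresses, so the same aggregation is usually also keyed by user agent, ASN or device fingerprint in practice.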
Given their success rates, adversaries are incentivized to continue and expand these practices:
- In July, Akamai reported that nearly 27 billion credential stuffing incidents occurred in the first quarter of 2020, up 256% year-over-year.
- In September 2020, the FBI indicated that it received “numerous” reports on credential stuffing attacks on U.S. financial institutions, with some 50,000 accounts affected since 2017.
This presents a tricky puzzle for CISOs to solve. While they can invest heavily in system security and education, they have no control over what their employees and customers do in their own, non-business-related activity, e.g. reusing credentials on sites that are later breached, whose leaked data then circulates across the dark web or through syndicates for use in stuffing attacks.
What’s more, organizations are challenged when trying to force employees and customers through cumbersome authentication “steps” with endless passwords, PINs, tokens and CAPTCHA challenges. Data shows that the resulting friction inevitably hurts employee productivity and engagement as well as customer experience (with the latter possibly leading to customer churn). In addition, an exclusive reliance on passwords and other traditional safeguards makes it difficult to distinguish “bad” automated bot or browser activity (as launched by attackers) from “good” (employees or customers simply using an automated app to streamline work or shopping/payment processes).
To respond, organizations must think beyond antiquated tools and approaches. Credential stuffing is made possible by the combined efforts of humans and machines, so modern solutions designed to thwart this should also combine these two factors. Fortunately, such solutions exist now and are readily available in the form of an emerging innovation: behavioral biometrics.
Through behavioral biometrics, CISOs and their teams can either add another layer to traditional defenses or dispense with passwords, tokens and CAPTCHAs entirely. Instead, they authenticate users and receive instant, unfailingly accurate answers to the “are you really you?” question by building user profiles based on how employees or customers physically interact with devices. Like fingerprints, every profile is unique to the individual, because every person creates their own distinct signature in how they grip a device, swipe a screen, type on a keyboard, move a mouse, etc.
With behavioral biometrics, security teams can achieve high-confidence authentication while:
- Dramatically reducing friction
- Improving user experience
- Distinguishing “bad” bots from good ones, because malware, credential stuffers and fintech aggregators all look very different when behavior is analyzed
While cyber-criminals view credential stuffing as a preferred “go-to” technique, we know they will keep coming up with new ones, and we cannot stop that. But we can keep rethinking our own techniques, too. By moving beyond static information that is easily stolen and investing in behavioral biometrics, we take the next step in defending our digital assets with something far harder to steal and replicate: the unique and dynamic attributes of ourselves, how we behave.