Breadcrumb

How to prevent credential stuffing attacks

Written by

The GoCardless content team comprises a group of subject-matter experts in multiple fields from across GoCardless. The authors and reviewers work in the sales, marketing, legal, and finance departments. All have in-depth knowledge and experience in various aspects of payment scheme technology and the operating rules applicable to each. The team holds expertise in the well-established payment schemes such as UK Direct Debit, the European SEPA scheme, and the US ACH scheme, as well as in schemes operating in Scandinavia, Australia, and New Zealand. See full bio

Last editedNov 20212 min read

A credential stuffing attack occurs when criminals use automated tools to stuff online forms with stolen credentials. Typically these will be either account login forms or checkout forms. Credential stuffing attacks are a very basic form of cyberattack. They can therefore be easily defeated by some basic security measures. Here is what you need to know.

The mechanics of credential stuffing

Credential stuffing attacks are really the digital equivalent of throwing darts randomly and hoping you hit the bullseye. A criminal will buy a package of stolen data. This could be either username and password combinations or payment data such as credit card details. They will then use automated tools to stuff these into forms, hoping to hit a valid match.

The introduction of 3D Secure (in 2001) made it much harder to undertake credential stuffing attacks on checkout forms for payment cards. It could not, however, protect against criminals attacking account login details and then accessing payment data and/or personal data.

How to detect credential stuffing

To ensure the highest level of protection for your website you should always assume that you are going to be attacked despite your precautions. This means you should always be monitoring for signs of a credential stuffing attack.

In general, the best way to do this is to use a web applications firewall. WAFs monitor your host for signs of suspicious activity, including repeated failed login attempts. These are not necessarily a sign of a credential stuffing attack. They are, however, definitely a sign that something is potentially wrong and needs to be investigated.

How to prevent credential stuffing

There are several measures you can take to prevent credential stuffing. Ideally, you should use as many as you can. This will layer and strengthen your protection. Here are the main credential stuffing countermeasures you should consider.

Limit authentication requests

A legitimate user may mistype their password once or even twice. They should not, however, mistype it multiple times. It’s therefore both safe and reasonable to limit users to three failed login attempts. After this, you can impose a time-out and/or force them to reset their password.

Add a CAPTCHA

These can be implemented in several ways. The most common one, however, is to ask the user to tick a box confirming that they are not a bot. Ticking the box gives the service permission to analyse what the user was doing just before ticking the box. This is often enough to tell if the box was ticked by a human or a bot.

Disable autofill

Disabling autofill does go against the conventional wisdom of making it easy for customers to do what you want them to do. On the other hand, it can significantly increase security and this is also appreciated.

One potential compromise is to allow autofill on some fields but disable it on others. For example, you could autofill the delivery address but not the payment data.

Use multifactor authentication

Multifactor authentication essentially means requiring two or more pieces of information to authenticate the user. One of these pieces of information is usually a password. The other can be one of the following:

The answer to a security question
A one-time security code
Biometric data

The problem with security questions is that they tend to be vulnerable to compromise in the same way as passwords. Biometric data certainly has potential for the future. Right now, however, it’s still working on gaining mainstream acceptance among consumers. Currently, the most popular option by far is the one-time security code.

One-time security codes can be delivered in one of three ways. These are:

Text message
Authenticator app
Dedicated hardware (e.g. RSA token)

Realistically, very few businesses are likely to want to issue dedicated hardware. This leaves text messages and authenticator apps.

Ideally, you should encourage your customers to use authenticator apps as these are more secure than text messages. Text messages are, however, a lot better than just passwords and they are accessible to people who don’t use smartphones.

We Can Help

If you’d like to learn more about credential stuffing attacks and how to avoid them, get in touch with our financial experts. Find out how GoCardless can help you with ad hoc payments or recurring payments.