Editorial

FROM BRUTE FORCE TO BOTS: FIGHTING BACK AGAINST CYBERCRIMINALS

Guest article written by Matias Woloski, Co-Founder of Auth0

Posted 25 June 2020 by

“Auth0 is in a unique position as an aggregator of identity and login data, to see security trends across our customer base. Today, roughly 67% of our authentication traffic is deemed suspicious, meaning, it looks like a cyberattack.”

Cyberattacks are as old as the internet itself, with creative hackers continually refining their tactics to steal and sell user data. How technology has evolved to thwart these attacks garners significantly less attention than the breaches themselves. Little do many security teams know that they have an armoury of tactics at their disposal to stop fraudsters in their tracks.

Matias Woloski, CTO, Auth0

From brute force to bots

Early brute force attacks guessed passwords one after another to try to identify the correct one. This approach takes forever, is computationally expensive, is not very effective, and is easy to mitigate because you can see massive spikes in activity and just block them. Then password lists became popular: instead of just guessing, hackers would take massive lists of common passwords and try to brute force versions of them.

A key development was the use of botnets and automated tools. Traditionally, brute force-type attacks are easy to mitigate, but once you spread them across a huge number of bots – where each bot has its own IP and most of them are recycled from residential IP addresses (not on blacklists) – one bot sending five requests every ten minutes doesn’t look that suspicious.

Multiply that by ten thousand, and you’re getting somewhere, and the victim site doesn’t really notice. It’s not like a breach where your company’s internal records are one day posted on the internet. It’s a slow attrition of user accounts that you may not be aware of. How does this happen?

The hacker supply chain

In most cases of cyberattack, identity isn’t just the safe – it’s the keys. The use of stolen credentials is one of the most common methods used in observed data breaches according to the 2020 Verizon Data Breach Investigations Report. Massive breaches create lists of thousands of usernames and passwords, which hackers will aggregate into mega lists with multiple billions of credentials.

We know people reuse their passwords. So, hackers simply take credentials leaked in data breaches and try them against other sites. They do this in an automated fashion, known as a credential stuffing attack, so that they can try thousands of credentials over time. It’s really a numbers game. If just 0.01% of a massive list of credentials are reused on a second website, you can still take over a significant number of accounts. These could be streaming subscriptions, rewards points (as in the case of a UK supermarket), or even retail customer accounts used to buy up an entire line of limited edition trainers, a practice called “sneaker botting”.

Security is like an onion

You have to think of security in layers if you really want to defend against credential stuffing attacks. If you see a huge spike in failed logins, that’s a telltale sign of a credential stuffing attack. If you’re getting traffic from IP addresses that we know are associated with threat actors, you might want to block them or institute some kind of CAPTCHA to help mitigate bot activity. You need those first layers of defence.
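As an added illustration (not code from Auth0 or the author), the following Python sketch runs over constructed login events to show why a per-IP rate limit misses the distributed pattern described earlier (five attempts per bot in ten minutes), while counting failed logins per window across all sources exposes the spike. The thresholds, event layout and addresses are assumptions.

```python
from collections import Counter, defaultdict

WINDOW = 600        # seconds; ten-minute buckets, as in the article's example
PER_IP_LIMIT = 20   # assumed per-IP rate limit (requests per window)
SPIKE_FACTOR = 5    # assumed: flag a window with 5x the median failure count

def make_events():
    """Constructed sample data: (epoch_seconds, ip, username, success)."""
    events = []
    for w in range(4):
        # Normal traffic in every window: 40 users, 1 in 10 mistypes a password.
        for u in range(40):
            events.append((w * WINDOW + u, f"198.51.100.{u}", f"user{u}", u % 10 != 0))
    # Fourth window only: 300 bots, each with its own IP, 5 failed attempts
    # per bot, every attempt against a different username.
    for b in range(300):
        for k in range(5):
            events.append((3 * WINDOW + 100 + k, f"10.{b // 250}.{b % 250}.7",
                           f"victim{b * 5 + k}", False))
    return events

def analyse(events):
    per_ip = defaultdict(Counter)   # window -> ip -> request count
    failures = Counter()            # window -> failed logins from all sources
    targets = defaultdict(set)      # window -> usernames with a failed login
    for ts, ip, user, ok in events:
        w = ts // WINDOW
        per_ip[w][ip] += 1
        if not ok:
            failures[w] += 1
            targets[w].add(user)
    # Median of per-window failures: a baseline one attack window cannot skew.
    baseline = sorted(failures[w] for w in per_ip)[len(per_ip) // 2]
    report = {}
    for w in sorted(per_ip):
        report[w] = {
            "ips_over_limit": sum(1 for c in per_ip[w].values() if c > PER_IP_LIMIT),
            "failures": failures[w],
            "distinct_failed_users": len(targets[w]),
            "spike": failures[w] > SPIKE_FACTOR * max(baseline, 1),
        }
    return report

if __name__ == "__main__":
    for window, stats in analyse(make_events()).items():
        print(window, stats)
```

In the constructed data no single address ever exceeds the per-IP limit, yet the fourth window shows failed logins spread across many usernames, which is the signal that would justify a CAPTCHA or step-up verification.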

Good security hygiene, like testing for known, breached passwords among your user base, is a second layer of defence. Then multi-factor authentication (MFA) is a third layer of defence. If you have all three, you’re in pretty good shape, and you can minimise friction for users by prompting MFA only when an action is deemed suspicious.

As security vendors, we need to take mitigation techniques like MFA that introduce more friction and make them smarter. In an ideal world, a customer only encounters more friction occasionally when it’s more necessary. Instead of triggering MFA every time a user logs in, trigger it only when it makes sense. If you’re a UK company and most of your user base is in the UK or Europe, but you see huge spikes in traffic from Vietnam or Thailand, ask for additional verification.


Most people who use the internet have had an account compromised at some point, and in all likelihood, that was through some type of credential stuffing attack. Companies across the public and private sectors are just starting to wake up to this now because they’re dealing with very real and very immediate consequences. We’re dedicating significant resources to helping CISOs and security teams stay a step ahead even as threats evolve.

Matias Woloski is CTO and co-founder of Auth0, a platform to authenticate, authorise, and secure access for applications, devices, and users. Follow him @woloski