Credential Stuffing Attack: Not the Kind of Filling You Want in Your Turkey…
Having been in the computer biz for so long, I know a lot of the lingo. Nothing unusual about that; every industry has its own sayings that show up over time. The reason I bring this up is I was reading a news article about a hack the other day. Nothing new about that, as I read multiple articles about hacks every day. Anyway, I got about half-way through it and was suddenly struck by the amount of jargon contained in the article, and which wasn’t explained.
This got me thinking about computer lingo and the sheer volume of it that exists. There is a mind-boggling amount of computer terminology out there. Some of it refers to very technical things; some of it has nothing to do with anything technical (like, what's a "meme"?)
That train of thought reminded me of a newsletter I did a long time ago about how the Antivirus industry has changed over the years. That newsletter also went into a lot of the terminology specific to that trade, as well as how it has grown and changed (i.e., "Virus" doesn't mean the same thing today as it did back in the 1980s.)
To get back to the article I was reading, it was about a type of hack referred to as “Cred Stuffing” (short for “Credential Stuffing”.) While I know what that is, I decided to see if the piece ever made an attempt to explain what that actually meant (it didn’t.) After that, I went looking around at other stories and made the effort to pay attention to the lingo, to see which ones tried to explain what the different terms meant. Very few made any effort to do so whatsoever.
The Hi-Tech industry is so huge and possesses so much jargon that it’s easy to forget what is (and is not) common knowledge. I’m sure anyone without a background in computers can easily feel adrift, to say the least. That’s one of the big reasons I’ve written this newsletter. There are some very technical and important things that people need to be aware of, when it comes to Computer Security.
This newsletter is about “Cred Stuffing.” More specifically, what is a “Cred Stuffing Attack”?
Cred Stuffing is one of the simplest attacks there is. The attacker takes a preexisting list of usernames and passwords that leaked from some other website and tries every pair, unchanged, against the site they actually want to get into. The trying is automated, so a list of millions of pairs is no more work for them than a list of ten.
That’s all there is to it. Pretty simple, right?
Now ask yourself this: where did they get that list of usernames and passwords in the first place? That's easy. They got it by compromising somewhere else (or by picking up a copy of a dump that somebody else stole) and decided to simply replay that list and see if they got lucky.
Not every place on the Internet has strict rules on Security. Many see no need for any, since they don't store detailed information or have anything to sell. There are plenty of forums and message boards out there, and more than a few of them keep passwords in plain text or protected by weak hashing, which means whoever breaks in walks away with passwords they can use as-is. Many times, the default user when you sign up for a service winds up being your own email address (some outfits even force you to do this and don't allow it to be changed.) Everyone knows that most people make repeated use of the same password over and over (Security experts know this only too well, and so do the bad guys.) Put those two habits together and a forum's user table is a ready-made list of email/password pairs to try everywhere else.
So why am I going on about this? Well, at first glance, nobody would think that hacking some small forum website would be worth anything to an attacker, BUT IT IS!
The reason is that once they have the list of usernames and passwords for that website, they can start using them on other, more important ones. If someone had a login at the place that was compromised, maybe they use the same email address and the same password at a major website, like Amazon or Facebook. All of a sudden, hacking those little places has the potential for a big prize.
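To make the mechanics concrete, here is an added example (not code from the original newsletter) that plays out both sides of the story in Python. A constructed "breached forum list" of email/password pairs is replayed verbatim against a constructed "important site" that stores only salted hashes; everyone who reused their forum password is compromised, nobody else is. The second half shows what the attack looks like from the defender's side: one source address trying many different usernames with a low success rate. The site names, accounts, passwords, IP addresses and threshold values are all made up for the demonstration.

```python
"""Constructed demonstration of credential stuffing and a simple detection heuristic.
Every site, user, password, IP address and log entry below is made up for illustration."""
import hashlib
import hmac
import os
from collections import defaultdict

# --- The "important" site: stores salted PBKDF2 hashes, never plaintext passwords ---
def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def make_account(password: str) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": _hash(password, salt)}

# Constructed user table. Usernames are email addresses (the common default).
TARGET_SITE = {
    "alice@example.com": make_account("Tr0ub4dor&3"),                 # same as on the forum
    "bob@example.com":   make_account("correct horse battery staple"),  # unique passphrase
    "carol@example.com": make_account("Summer2019!"),                 # same as on the forum
    "dave@example.com":  make_account("unique-to-this-site-only"),
}

def login(users: dict, username: str, password: str) -> bool:
    """Verify a password against the stored salted hash; unknown users simply fail."""
    acct = users.get(username)
    if acct is None:
        return False
    return hmac.compare_digest(acct["hash"], _hash(password, acct["salt"]))

# --- The "small forum" breach: plaintext pairs, as the attacker would hold them ---
BREACHED_FORUM_LIST = [
    ("alice@example.com", "Tr0ub4dor&3"),      # reused -> works on the target site
    ("bob@example.com",   "forum-only-pass"),  # different passphrase -> fails
    ("carol@example.com", "Summer2019!"),      # reused -> works on the target site
    ("eve@example.com",   "hunter2"),          # no account on the target site
    ("frank@example.com", "letmein"),
    ("grace@example.com", "qwerty123"),
    ("heidi@example.com", "Password1"),
]

def credential_stuffing(users: dict, breached_pairs: list, source_ip: str, log: list) -> list:
    """The attack itself: replay every leaked pair unchanged. Returns the usernames it got into."""
    compromised = []
    for username, password in breached_pairs:
        ok = login(users, username, password)
        log.append({"ip": source_ip, "user": username, "success": ok})
        if ok:
            compromised.append(username)
    return compromised

def flag_stuffing_sources(log: list, min_attempts: int = 5,
                          min_distinct_users: int = 5, max_success_rate: float = 0.5) -> set:
    """Detection heuristic: one source trying many *different* usernames, mostly failing.
    A legitimate user mistyping their own password hits one username, so is not flagged.
    Thresholds are illustrative; real stuffing runs have success rates far below 50%."""
    by_ip = defaultdict(list)
    for entry in log:
        by_ip[entry["ip"]].append(entry)
    flagged = set()
    for ip, entries in by_ip.items():
        distinct_users = {e["user"] for e in entries}
        success_rate = sum(e["success"] for e in entries) / len(entries)
        if (len(entries) >= min_attempts
                and len(distinct_users) >= min_distinct_users
                and success_rate <= max_success_rate):
            flagged.add(ip)
    return flagged

def run_demo() -> tuple:
    """Attacker replays the forum dump; Alice also logs in normally (one typo, then success)."""
    log = []
    compromised = credential_stuffing(TARGET_SITE, BREACHED_FORUM_LIST, "203.0.113.7", log)
    log.append({"ip": "198.51.100.42", "user": "alice@example.com",
                "success": login(TARGET_SITE, "alice@example.com", "Tr0ub4dor&4")})
    log.append({"ip": "198.51.100.42", "user": "alice@example.com",
                "success": login(TARGET_SITE, "alice@example.com", "Tr0ub4dor&3")})
    return compromised, flag_stuffing_sources(log)

if __name__ == "__main__":
    got_in, suspicious = run_demo()
    print("accounts taken over:", got_in)        # alice and carol, who reused passwords
    print("sources flagged:", suspicious)        # the attacker's address only
```

Note that the target site did everything right with storage (salted, slow hashes) and it made no difference: the attacker never had to crack anything, because the reused passwords arrived in plain text from the weaker site. That is exactly why the advice below is about what you, the user, do with your passphrases, not about how well any one site guards them.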
To protect yourself from “Cred Stuffing” (and other attacks), my advice is pretty simple:
1) Use a different “passphrase” for every login you need to create (anywhere.)
Also, make a point of trying not to call it a “password”, call it a “passphrase” whenever you talk about logins. I have done several newsletters in the past about passphrases that you can check out, if you need some advice.
2) If Two-Factor Authentication is offered, use it. This adds a second factor to a login: you still have the usual username and password, but after that you must prove something else before you get in. Sometimes you need to enter a code you get through email, SMS, an authenticator app, or a hardware key. Whatever form it takes, a stolen password alone is no longer enough to get into your account, which is exactly what Cred Stuffing relies on. Where you have a choice, an authenticator app or hardware key is a stronger option than a code sent by SMS.
3) If you can change your username, then do so. If you are forced to use your email address, then so be it. However, if it's just a default that you can change, then by all means, change it. Cred Stuffing only works when both halves of the leaked pair match, so a username that isn't your email address means the attacker's list doesn't even line up with your account.
I’m not saying that everyone needs to be intensely paranoid about their Electronic Security. I’m just saying that you need to realize that nothing is perfectly secure. So, make good use of whatever Security options are available to you, and don’t forget about the simple ones (the baddies certainly won’t.)
If you have any questions about passphrases and logins, please reach out to your TRINUS Account Manager for some stress-free IT.
By Kind Courtesy of Your Friendly Neighbourhood Cyber-Man.