You shouldn’t assume multi-factor authentication will protect your accounts from credential stuffing attacks, according to Gerhard Giese at Akamai. Credential stuffing is a type of brute-force attack in which attackers use automated tools to test thousands of previously breached credentials against a login portal. Since many people reuse passwords across multiple accounts, the attackers have a better chance of guessing a correct combination than if they started from scratch.
“A thriving underground economy exists for buying, selling, and exploiting compromised account credentials,” Giese writes. “Billions of stolen credentials are available for purchase on the dark web. Free automation tools like Sentry MBA or SNIPR make it easy for bad actors to orchestrate logins and validate stolen credentials. And low-cost ‘botnet as a service’ platforms enable criminals to carry out complex credential stuffing campaigns at scale.”
Multi-factor authentication (MFA) is one of the best ways to prevent attacks that exploit compromised credentials, but it isn’t foolproof. If an attacker guesses the credentials to an account protected by MFA, they won’t gain access to the account immediately, but they will know that they’ve come across a valid set of credentials. They can then launch targeted attacks to trick the victim into granting access to the account.
“With many MFA implementations, users first enter a user ID and password combination, and then are prompted to enter another piece of evidence like a code sent via email or SMS,” Giese explains. “A bad actor can exploit MFA to verify a user ID/password combination (most MFA solutions validate the user ID/password combination before generating the challenge code). With the user ID/password confirmed, the perpetrator can target the victim directly via a spear-phishing attack, sell the validated credentials on the dark web, or attempt some other malicious act. For comprehensive protection, introduce a multilayered, defense-in-depth security architecture, combining MFA with other safeguards.”
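The weakness Giese describes in the two paragraphs above is that the first login step answers "wrong password" and "password accepted, now send the code" differently, so the step itself confirms which stolen credential pairs are valid. The following added example (not code from Akamai or from the post's author) contrasts that leaky pattern with a first step that returns the same response shape regardless of the password, deferring the decision until the second factor is presented. The user store, PBKDF2 salt, fixed stand-in OTP codes and the assumption that every account is MFA-enrolled are all constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed user store (assumption): salted PBKDF2 password hashes, every
# account enrolled in MFA, and a fixed stand-in code where a real TOTP secret
# would be looked up.
_SALT = b"constructed-example-salt"


def _pbkdf2(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 50_000)


USERS = {
    "alice": {"pw_hash": _pbkdf2("correct horse battery"), "otp": "493021"},
    "bob": {"pw_hash": _pbkdf2("hunter2"), "otp": "118877"},
}

# Hash compared against when the user ID is unknown, so the work done (and
# therefore the response time) does not reveal whether the account exists.
_DUMMY_HASH = _pbkdf2("dummy-password-for-unknown-users")

# Server-side state for first-step attempts awaiting a second factor.
PENDING: dict = {}


def password_ok(user: str, password: str) -> bool:
    """Constant-time-style check: always hashes and compares, even for unknown users."""
    stored = USERS[user]["pw_hash"] if user in USERS else _DUMMY_HASH
    match = hmac.compare_digest(stored, _pbkdf2(password))
    return match and user in USERS


def _new_pending(user: str, pw_ok: bool) -> str:
    token = secrets.token_hex(16)
    PENDING[token] = {"user": user, "pw_ok": pw_ok}
    return token


def login_leaky(user: str, password: str) -> dict:
    """The pattern the post describes: the password is verified first and the
    challenge is only issued on success. The two branches are distinguishable,
    so an automated tool learns which pairs are valid without ever completing
    the second factor."""
    if not password_ok(user, password):
        return {"status": "invalid_credentials"}
    return {"status": "mfa_required", "token": _new_pending(user, True)}


def login_uniform(user: str, password: str) -> dict:
    """Hardened first step: every attempt receives the same response shape.
    Whether the password matched is recorded server-side and only acted upon
    together with the second factor, so step one is no longer an oracle."""
    return {"status": "mfa_required", "token": _new_pending(user, password_ok(user, password))}


def complete_mfa(token: str, code: str) -> dict:
    """Second step: succeeds only if both the recorded password result and the
    code are good; every failure collapses to the same 'invalid' response."""
    entry = PENDING.pop(token, None)
    if entry is None:
        return {"status": "invalid"}
    expected = USERS.get(entry["user"], {}).get("otp", "000000")
    code_ok = hmac.compare_digest(expected, code)
    if entry["pw_ok"] and code_ok:
        return {"status": "ok", "user": entry["user"]}
    return {"status": "invalid"}


def leaks_password_validity(login_fn) -> bool:
    """Review check for a first-step login function: do a right and a wrong
    password for the same account produce different status values? True means
    the step can be used to validate stuffed credentials."""
    good = login_fn("alice", "correct horse battery")["status"]
    bad = login_fn("alice", "definitely not the password")["status"]
    return good != bad


if __name__ == "__main__":
    print("leaky flow leaks:", leaks_password_validity(login_leaky))      # True
    print("uniform flow leaks:", leaks_password_validity(login_uniform))  # False
```

The uniform response removes the per-request signal but does not remove the need for the other layers Giese mentions: the pending-token store still has to be rate limited and bot-scored, since an attacker who holds the second factor for one account could otherwise still grind passwords against the combined step. Real deployments would also replace the fixed stand-in codes with a proper TOTP or push verification.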
Users need to be on the lookout for the techniques attackers use to bypass multi-factor authentication. New-school security awareness training can give your employees the knowledge they need to protect themselves.
Akamai has the story: https://blogs.akamai.com/2020/06/mitigating-credential-stuffing-attacks-in-the-financial-sector.html