On June 27, 2022, the Global Privacy Assembly (GPA), an association of over 130 data protection and privacy regulators and enforcers, published the first intergovernmental guidelines on credential stuffing asserting that credential stuffing poses a risk to personal data on a global scale and that data protection laws require that organizations protect against it.
F5 is proud to have participated in producing the guidelines and appreciative of the GPA’s acknowledgment. F5 has long recognized the threat of credential stuffing. It was F5’s Sumit Agarwal who coined the term credential stuffing when serving as Deputy Assistant Secretary of Defense at the Pentagon, an insight which led to the founding of Shape Security (now part of F5) in 2011 as the premier bot management vendor. Today, F5 continues to protect the world's largest banks, e-commerce retailers, airlines, hospitality providers, and social media companies against credential stuffing and associated threats.
The new guidelines, published by the International Enforcement Cooperation Working Group (IEWG), a permanent working group of the GPA, document how credential stuffing is carried out, explain the attacker economics driving its prevalence, highlight why it is a global concern that needs to be incorporated into data privacy law, and outline several methods for mitigating credential stuffing.
The GPA guidelines build on several recent warnings by government agencies. On January 5, 2022, the New York State Office of the Attorney General issued a Business Guide on the rampant rise of credential stuffing and the need for companies to take preventive measures. On September 15, 2020, the Securities and Exchange Commission issued a Risk Alert on the dramatic increase of credential stuffing against SEC-registered investment advisers and broker-dealers. On September 10, 2020, the United States Federal Bureau of Investigation issued a Private Industry Notification warning of a rash of credential stuffing attacks against US financial institutions affecting over 50,000 accounts and costing businesses an average of $6 million a year in notification and remediation costs alone. These incidents continue to impact Chief Privacy Officers, as evidenced by the recent CPO article documenting a massive credential stuffing attack against General Motors.
Credential stuffing is a cybercrime whereby criminals test stolen credentials against websites in order to take over accounts. Criminals perform these attacks on a vast scale using automated tools referred to as bots. It is an extremely effective cybercrime with a high ROI because: 1) stolen credentials are so readily available, 2) as many as 60% of people reuse passwords across accounts (according to the FBI), and 3) many organizations rely on ineffective mitigation methods such as CAPTCHA and IP deny lists.
The number of stolen credentials is staggering. In 2020 alone, 1.86 billion credentials were stolen, according to the F5 Labs 2021 Credential Stuffing Report. The GPA guidelines point out that mega breaches, such as the 2013 Yahoo breach, have exposed billions of credentials. Attackers can exploit these stolen credentials for years before breaches are reported publicly.
"...Private sector research identified 55 billion credential stuffing attacks in the gaming industry between November 2017 and March 2019, equating to over 3,000 million attacks per month and over 107 million attacks per day. Further research identified 193 billion credential stuffing attacks globally during 2020, which equates to over 16,000 billion attacks per month and over 500 million attacks per day."
GPA guidelines also point out that victims of these privacy breaches may experience harm beyond monetary loss, including reputational damage caused by disinformation or the making of false statements about an individual while using their compromised account. It is easy to imagine how these privacy violations could ruin lives.
Most significantly, the guidelines conclude that organizations should consider protections against credential stuffing as one of the “appropriate” security measures required by data privacy laws, citing specific provisions in the EU’s GDPR and the United States Federal Trade Commission’s Safeguards Rule.
"Given the evident threat to personal data from credential stuffing attacks (particularly to organisations with user accounts that may be accessed online), and the unauthorised processing/access that could result, the implementation of measures to protect personal data from credential stuffing attacks will generally be required, at least implicitly, under data protection and privacy laws."
The GPA guidelines recommend that organizations consider multiple mitigation methods to protect against credential stuffing:
These are certainly valid techniques that have contributed to mitigating credential stuffing attacks. As you evaluate which approaches would best suit your organization, F5, having innovated in this space for many years, recommends that you consider techniques that effectively mitigate bots in real time without adding friction to the user experience and without requiring an application redesign.
While secondary passwords and PINs, unpredictable usernames, and multi-step login pages add protection, they do so at the cost of increasing user friction. Businesses that want to improve customer conversions and reduce shopping cart abandonment will want to avoid putting obstacles between the customer and the purchase. Guest checkout might help too, but it prevents organizations from providing a personalized, targeted experience. MFA, while effective, also adds friction to the user experience and has been heavily targeted by criminals.
CAPTCHA likewise adds friction and provides a less effective defense than many people realize. CAPTCHA solving services, using machine learning and click farms, make it inexpensive for bots to bypass CAPTCHA. (Read about the adventures of Dan Woods in Tales of a Human CAPTCHA Solver.)
Organizations that have worked with F5 have discovered that IP blocklists and static WAF rules are too difficult to maintain. Proxy services enable bots to utilize millions of valid residential IP addresses. Meanwhile, bots retool within hours whenever they are blocked. Such approaches force security teams into a losing game of whack-a-mole.
Similarly, account monitoring/detecting, incident response plans, and user notifications are all important and need to be part of a bot management program, but these protections are applied after the fact. Fortunately, there are techniques available to prevent criminals from taking over accounts in the first place.
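The monitoring and detection that the guidelines call for can be made concrete. The following is an added example, not code from the GPA guidelines or from F5: it reads a constructed login log and applies the two signals that distinguish a stuffing run from normal users, namely one source trying many distinct usernames with a high failure rate, and a time window in which many distinct accounts fail regardless of how many source IPs are involved. The second view is what an IP blocklist misses when the attacker rotates through proxy addresses. The log line format, the thresholds and the sample data are assumptions made for this example.

```python
"""Added example (not from the GPA guidelines or F5): spotting
credential-stuffing patterns in login logs.

A stuffing run replays many *different* usernames and mostly fails; a real
user retries one account a few times. Two views are computed:
  * per source IP: many distinct usernames with a high failure rate;
  * per time window: many distinct usernames failing, however many IPs are
    used, so proxy rotation does not hide the run.
Log format, thresholds and sample data are assumptions for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Assumed line format: "<ISO-8601 UTC> src=<ip> user=<name> result=OK|FAIL"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_line(line):
    """Return a dict for one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "src": m["src"],
        "user": m["user"],
        "ok": m["result"] == "OK",
    }


def parse_log(lines):
    return [e for e in map(parse_line, lines) if e is not None]


def score_sources(events, min_attempts=5, min_users=5, min_fail_rate=0.8):
    """Flag source IPs that try many distinct usernames and mostly fail."""
    per_src = defaultdict(lambda: {"attempts": 0, "fails": 0, "users": set()})
    for e in events:
        s = per_src[e["src"]]
        s["attempts"] += 1
        s["fails"] += 0 if e["ok"] else 1
        s["users"].add(e["user"])
    flagged = {}
    for src, s in per_src.items():
        rate = s["fails"] / s["attempts"]
        if (s["attempts"] >= min_attempts and len(s["users"]) >= min_users
                and rate >= min_fail_rate):
            flagged[src] = {"attempts": s["attempts"],
                            "distinct_users": len(s["users"]),
                            "fail_rate": round(rate, 2)}
    return flagged


def detect_distributed(events, window=timedelta(minutes=5),
                       min_failed_users=10, min_fail_rate=0.7):
    """Flag fixed time windows in which many distinct accounts fail to log in.

    Counts distinct failing usernames, not attempts per IP, so a run spread
    over rotating proxies (one attempt per IP) is still visible.
    """
    if not events:
        return []
    events = sorted(events, key=lambda e: e["ts"])
    t0 = events[0]["ts"]
    buckets = defaultdict(list)
    for e in events:
        buckets[(e["ts"] - t0) // window].append(e)   # tumbling windows
    alerts = []
    for idx in sorted(buckets):
        win = buckets[idx]
        fails = [e for e in win if not e["ok"]]
        failed_users = {e["user"] for e in fails}
        rate = len(fails) / len(win)
        if len(failed_users) >= min_failed_users and rate >= min_fail_rate:
            alerts.append({
                "window_start": t0 + idx * window,
                "attempts": len(win),
                "failed_users": len(failed_users),
                "fail_rate": round(rate, 2),
                "distinct_sources": len({e["src"] for e in win}),
            })
    return alerts


def constructed_log():
    """Constructed sample log: normal traffic, then two stuffing bursts."""
    lines = [
        "2022-06-27T09:00:01Z src=192.0.2.10 user=alice result=OK",
        "2022-06-27T09:00:05Z src=192.0.2.11 user=bob result=FAIL",
        "2022-06-27T09:00:09Z src=192.0.2.11 user=bob result=OK",
        "2022-06-27T09:00:15Z src=192.0.2.12 user=carol result=OK",
    ]
    # Burst 1: one source replays a stolen list (12 accounts, 1 hit).
    for i in range(12):
        res = "OK" if i == 7 else "FAIL"
        lines.append(f"2022-06-27T09:01:{i:02d}Z src=203.0.113.5 "
                     f"user=user{i:03d} result={res}")
    # Burst 2: same list replayed through 12 proxy IPs, one attempt each.
    for i in range(12):
        res = "OK" if i == 3 else "FAIL"
        lines.append(f"2022-06-27T09:30:{i + 1:02d}Z src=198.51.100.{i + 1} "
                     f"user=user{i:03d} result={res}")
    return lines


if __name__ == "__main__":
    evs = parse_log(constructed_log())
    print("per-source:", score_sources(evs))   # only 203.0.113.5 is flagged
    for a in detect_distributed(evs):          # both bursts are flagged
        print("window:", a)
```

Run as-is, the per-source view flags only the single noisy address, while the second burst, one attempt per proxy IP, never crosses any per-IP threshold and is caught only by the window view counting distinct failing accounts. In practice the thresholds would be tuned against the site's own baseline, and the alert would feed the incident response and user notification steps the guidelines describe.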
F5 believes in making cybersecurity personal, and credential stuffing attacks—which defraud organizations and devastate individuals—represent exactly the type of problem we’re dedicated to solving. As Dan Woods, the Global Head of Intelligence at F5, points out in Fast Company, these attacks have previously received too little attention. Thankfully, the GPA and multiple privacy agencies are bringing the risks to individual privacy to the fore.
"The Colonial attack highlighted a clear disconnect in public perception and the media narrative around cybersecurity. Cause millions of people a little pain: international headlines. Devastate thousands of families by stealing their life savings in separate schemes: crickets."
In this digital age when so much of our life is stored as data online, we depend on organizations approaching data privacy with the utmost seriousness, a point driven home by increasingly strict privacy laws enacted by governments around the world. Data privacy legislation such as the GDPR demands that organizations take all appropriate measures to defend privacy. Because of what we now know about credential stuffing, these GPA guidelines make clear that credential stuffing protection must be part of any organization’s appropriate measures.