
HOW TO PREVENT CREDENTIAL STUFFING ATTACK

Credential stuffing is a type of brute force attack in which the attacker takes credentials that are already available to them (i.e. stolen from one website or system) and tries them as login attempts on another website or system.

For example, a hacker may obtain the username and password of a Facebook account and then attempt to use the same credentials to log in to Gmail or Instagram. The basic premise behind credential stuffing attacks is fairly simple: most people tend to reuse the same username and password pair across all of their accounts, and the attacker simply exploits this fact.

Many lists of stolen credentials are now sold and even shared publicly on the internet, and as a result of this phenomenon, credential stuffing attacks have risen in popularity for the past few years.

In this guide, we will discuss how to effectively prevent credential stuffing attacks and how to protect our accounts, websites, and systems from this scary version of brute force attack.

1. Strong and Unique Passwords

The best and most effective approach to preventing credential stuffing attacks is to make strong passwords mandatory and to advise your users to use unique passwords (i.e. one password for one account only).

As a general rule of thumb, a strong password is 10 characters long and features a combination of uppercase letters, lowercase letters, symbols, and numbers. You can also use password generators and password manager solutions to create really strong, randomized passwords (which also helps with using a unique password for each account).

2. Multi-Factor Authentication

The idea of multi-factor authentication (MFA) or two-factor authentication (2FA) is to ask for one or more additional pieces of information besides the username-password combination before someone can access the account. So, in the event of a credential stuffing attack, an attacker won’t gain access even if they possess the right credentials.

This secondary information can be:

  • Something you have: a USB dongle, etc.
  • Something you know: a secondary password, PIN, OTP code, etc.
  • Something you are: fingerprint, iris, face ID, etc.

MFA is very effective in stopping credential stuffing and brute force attacks in general. However, requiring MFA too often can significantly hurt your site’s user experience (UX) and might increase the bounce rate.

Finding the right balance between security and usability is also very important, so you can strategically require MFA only on certain suspicious conditions, for example:

  • A different browser, device, IP address, or other signature
  • A login attempt from an unusual location, or from countries that are considered suspicious
  • A blacklisted IP address, or an IP address that has tried to log in to multiple accounts
  • Obvious bot/scripted activity

3. CAPTCHA

Since many credential stuffing and brute force attacks are performed by automated scripts (bots), implementing CAPTCHA can help block these bots from performing their task. However, CAPTCHA is not a one-size-fits-all answer to credential stuffing attacks, for two reasons:

  1. There are now CAPTCHA farm services where a human worker will solve the CAPTCHA before passing it to the bot, rendering CAPTCHA useless.
  2. Similar to MFA, CAPTCHA can ruin user experience, so it’s very important to use them sparingly.

In general, use CAPTCHA only in specific, strategic scenarios, and combine it with other techniques.

4. Notify Users About Unusual Activities

Many people don’t realize when their credentials have been stolen, so it may be appropriate to notify or warn the user when suspicious activities are detected.

However, don’t overwhelm users with too many notifications; send only appropriate and important ones. Otherwise, the user might just ignore or delete the notifications, making this approach counterproductive.

For example, if a login attempt supplied the correct password but failed the MFA check, the user should be notified so they can change the password immediately.

It’s also important for your users to be able to view details of recent logins (date, time, and location). Also, if the application allows simultaneous sessions, the user should be able to view a list of all active sessions and terminate any session they deem suspicious.

5. Fingerprinting

The basic approach to preventing credential stuffing attacks is to blacklist IP addresses and/or IP ranges after a certain number of failed login attempts. However, sophisticated bots can now rotate between thousands of IP addresses, so IP-based detection alone might not be very effective.

So, we can also fingerprint other factors to determine whether the traffic comes from a legitimate user: browser, device signature, operating system, the language used, and more. There are various fingerprinting-based solutions you can use for this method.

The idea is that if new traffic doesn’t match the user’s previous signatures, you can ask this client for additional authentication (MFA, CAPTCHA, or others). Keep in mind, however, that a user might share the account with friends or family members, so implement this method strategically.

In combination with fingerprinting, we can also configure alerts on the login success ratio of suspicious users. For example, a login success rate below 10% is very suspicious, and credential stuffers can come close to a 0% success rate. Tracking login success ratios can be very effective in detecting credential stuffing attacks.
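One way to turn the signature check and the success-ratio alert above into detection logic, as an added example that is not code from the article or from any product it mentions: it assumes key=value login log lines and a per-user baseline of device, user agent and country; the 10% threshold comes from the text, while the 20-attempt floor, the 10-account floor and all log records are constructed assumptions.

```python
"""Per-source login success ratio and signature mismatch as credential stuffing
signals. Added example, not from the article; all names, thresholds and log
records are constructed."""
from collections import defaultdict
from dataclasses import dataclass, field

SUCCESS_RATIO_ALERT = 0.10  # alert below a 10% success rate, as discussed above
MIN_ATTEMPTS = 20           # assumed floor before a ratio is judged meaningful
MANY_ACCOUNTS = 10          # assumed floor for "one IP, many accounts"

@dataclass
class SourceStats:
    """Counters kept per source IP address."""
    attempts: int = 0
    successes: int = 0
    accounts: set = field(default_factory=set)

    def success_ratio(self) -> float:
        return self.successes / self.attempts if self.attempts else 1.0

def parse_line(line: str) -> dict:
    """Parse a constructed 'key=value ...' login log line into a record."""
    rec = dict(tok.split("=", 1) for tok in line.split())
    rec["ok"] = rec["result"] == "success"
    return rec

def needs_step_up(known_signatures: dict, attempt: dict) -> bool:
    """Ask for MFA when the request does not match the user's known signature.
    The compared fields (device, user agent, country) are an assumption."""
    known = known_signatures.get(attempt["user"])
    if known is None:
        return True  # no baseline yet, so challenge rather than trust
    return any(attempt[k] != known[k] for k in ("device", "ua", "country"))

def analyse(lines, known_signatures):
    """Return (stats per IP, IPs to alert on, successful logins needing MFA)."""
    stats = defaultdict(SourceStats)
    step_up = []
    for line in lines:
        a = parse_line(line)
        s = stats[a["ip"]]
        s.attempts += 1
        s.accounts.add(a["user"])
        if a["ok"]:
            s.successes += 1
            # A correct password is not enough if the signature is unfamiliar.
            if needs_step_up(known_signatures, a):
                step_up.append((a["user"], a["ip"]))
    flagged = [ip for ip, s in stats.items()
               if (s.attempts >= MIN_ATTEMPTS and s.success_ratio() < SUCCESS_RATIO_ALERT)
               or len(s.accounts) >= MANY_ACCOUNTS]
    return stats, flagged, step_up

def sample_lines():
    """Constructed log: one source trying 25 accounts with a single hit,
    plus a normal user who mistypes once and then logs in."""
    lines = [f"ip=198.51.100.7 user=u{i} device=d-bot ua=curl country=XX "
             f"result={'success' if i == 7 else 'fail'}" for i in range(25)]
    lines += [
        "ip=203.0.113.5 user=alice device=d-alice ua=firefox country=GB result=fail",
        "ip=203.0.113.5 user=alice device=d-alice ua=firefox country=GB result=success",
    ]
    return lines

# Constructed baseline signatures for two known users.
KNOWN_SIGNATURES = {
    "alice": {"device": "d-alice", "ua": "firefox", "country": "GB"},
    "u7": {"device": "d-u7", "ua": "chrome", "country": "GB"},
}

if __name__ == "__main__":
    stats, flagged, step_up = analyse(sample_lines(), KNOWN_SIGNATURES)
    print("alert on:", flagged, "| step-up MFA for:", step_up)
```

In the constructed sample the spraying source is flagged on both counts (4% success over 25 attempts, 25 distinct accounts) and its one correct password still triggers an MFA challenge because the device does not match the user's baseline, while the legitimate user's single mistype raises nothing.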

 

6. Investing In a Bot Detection Solution

One of the most effective approaches to preventing credential stuffing attacks is to use an advanced account takeover protection solution that can detect and block the malicious bot traffic attempting the attack in real time.

Since both bots and humans now use the same browsers and IP addresses, real-time, automated credential stuffing protection is now necessary. Humans can no longer react fast enough to keep up with bot activity, and this is where AI-powered, machine learning bot detection solutions can be very effective in preventing credential stuffing attacks.

End Words

While there is no perfect method that can prevent 100% of credential stuffing attacks, the 6 methods discussed above are among the most effective in identifying, preventing, and mitigating the effects of credential stuffing.

The most effective approach, however, is to have an effective bot detection and mitigation solution that can detect the credential stuffing attempt in real time. Solutions like DataDome offer a comprehensive bot detection solution that deploys in minutes on any infrastructure, fully automated.

USING ARTIFICIAL INTELLIGENCE TO ACHIEVE CIRCULAR ECONOMY

By Professor Terence Tse, ESCP Business School

It was really only a matter of time before two major trends, artificial intelligence (AI) and the circular economy, came together. A milestone of this convergence was the white paper “Artificial intelligence and the circular economy: AI as a tool to accelerate the transition”, jointly published by The Ellen MacArthur Foundation and Google earlier this year. It has kick-started the discussion on how AI can be used as a tool to accelerate and scale our transition to a circular economy. This can be achieved by unlocking new opportunities through improving product and material design, enhancing circularity-based business models, and optimising circular infrastructure. The paper draws on the food and consumer electronics industries to illustrate the circular benefits driven by AI. The forecast value that can emerge from these is encouraging: up to $127 billion and $90 billion a year in 2030, respectively.

The pace will be slow

No doubt this is very good news. It also shows how innovative technologies can take the circular economy to the next level. Yet, I believe the path leading there will be full of challenges, not least because, contrary to what the general media would like us to believe, the development of AI is, in reality, really slow.

There are several reasons for this sluggish pace

First, there is a general shortage of AI-proficient graduates. Training up AI researchers takes time. Universities are not churning out data scientists fast enough to meet job market demand. Those who do graduate will most likely be snapped up by the technology giants. Indeed, it has been estimated that some 60% of AI talent is employed by technology and financial services companies, leading to a ‘brain drain’ in academia, which in turn slows down the production of qualified graduates. Small circular economy-based companies (as well as AI start-ups) will struggle to have the same hiring power, as they often lack the ability to match the salaries and prestige offered by large organisations.

Another reason why circular economy-aimed companies, large or small, will struggle to deploy AI is that the technology remains a very expensive investment. AI is, at the moment, far from a plug-and-play technology. Arguably, there are off-the-shelf AI applications available in the market. But what these one-size-fits-all technology solutions can really do is often very limited, and their effectiveness low. Inevitably, for AI to work at an acceptable, value-creating level, it is necessary to integrate it into the existing wider IT system. Customising AI applications to be embedded in the system architecture is very complex and hence very costly.

To make matters worse, the market is seemingly inundated with self-proclaimed AI companies. A recent report has suggested that 40 percent of start-ups in Europe that are classified as AI companies do not actually use artificial intelligence technologies in a way that is “material” to their businesses. As someone who researches and works in the business of AI, I can readily observe that this phenomenon has already eroded the trust of many companies, making them increasingly cautious when proceeding with investment in and deployment of AI.

Gradual developments, not quantum jump

For the reasons above, the adoption of AI, and by extension its adoption in the area of circular economy, will be slow. This, however, does not mean there will be no advancement. Instead of “big bang” new business model creations, AI will most likely produce circular advantages gradually, through baby steps in operational enhancement. For instance, one of the important elements in achieving a circular economy is better asset management. In a recent research project for the European Defence Agency, my colleagues and I have discovered that there is a wide spectrum of operations for ministries of defence to save money and practise circular economy, from refurbishing and repurposing small military equipment items to reduce waste and minimise the use of virgin materials, to extending the service years of capital assets. Unquestionably, the same may be applied to civilian activities. For example, combining the power of AI and drones can extend the longevity of major infrastructure such as reactors and bridges.

Advancements in drone technologies have allowed them to be deployed to take pictures at heights that are dangerous for inspectors to reach. The contributions of AI come from its ability to analyse and identify cracks as well as defects on assets that are not always visible to human eyes from captured images. Consequently, problems are detected before the assets become irreparable, thereby lengthening their lifetime.

A seemingly insignificant but potentially huge opportunity for waste reduction would be saving on paper use. In the insurance industry, for instance, there is still a huge reliance on actual paper, with the communications between various stakeholders, including the underwriters, brokers and insured, passing on a large number of physical documents. AI techniques, in particular natural language processing, can help speed up the digitalisation of documents, as they can go beyond just reading and processing text to recognising and recording signatures and rubber stamp marks. Little by little, it will be possible to lower paper consumption.

The future is now

Both AI and the circular economy are by themselves breakthrough ideas that are set to change the world dramatically. Combined, they can be a very powerful force for good. But this can only be achieved if we can synthesise them. For AI and the circular economy to work together, it is necessary to educate AI developers to be more familiar with the idea of the circular economy, as well as making circularity practitioners and researchers more AI-savvy. Holding just half of the equation, we risk missing out on most of the intelligence. After all, no matter how smart machines can be, ultimately it is human intelligence – or stupidity – that determines the kind of future we will have.

Extract from “The AI Republic: Building the Nexus Between Humans and Intelligent Automation”

THE IMPORTANCE OF CONTEXT IN PRACTICAL AI APPLICATIONS

By looking at a typical AI application, Dr John Yardley, CEO, Threads Software, discusses how AI processes must take account of humans if they are going to replace them.

Almost every business is influenced by human sentiment. And despite its embrace of digitisation, the finance industry is no exception. Share prices, currency movements and investment choices are driven not just by economics but by human emotion and the processes the human brain uses to make decisions. If we are going to replace humans with machines, we must not cherry-pick the bits of human thinking that we can most easily replicate.

The perception of Artificial Intelligence has changed somewhat since Alan Turing coined the term in the 1950s. Turing said that if we cannot distinguish a machine’s behaviour from that of a human, then the machine can be said to be intelligent. Nowadays, we seem to be defining AI as computer programs that emulate the human brain rather than mimic human behaviour. Neural networks, for example, are frequently touted as the pinnacle of AI, but if the neural network in your self-driving car causes you to jump a red light, we would not describe that as intelligent – no matter how sophisticated the algorithm. If the machine is not fooling the human, not only is it not doing the intended job, it could also be negatively affecting the human’s view of it.

A practical example – Automatic Speech Recognition

Let’s take the application of ASR (automatic speech recognition, often wrongly described as voice recognition). ASR can loosely be described as getting a computer to transcribe acoustic human speech into digital text. Few would dispute that this is an AI task, since what we are seeking to do is replace one of two humans involved in some dialogue. If this can be done without alerting the remaining human to the fact that he/she is talking to a machine, then for sure this would meet Alan Turing’s intelligence criteria and, more importantly, provide potentially enormous benefit.

However, while some parts of the human process for understanding speech can be emulated using ASR, we must accept that the human listener may be using far more information than we are giving the machine. In a physical conversation, humans will be exchanging gestures, looks and body language, not to mention prior familiarity with the topic of conversation, understanding of the accent, and the words being used. Presenting a machine with only a pure acoustic conversation deprives it of a large proportion of the information available to the human. Even in a telephone conversation, humans will have significantly more knowledge than machines.

Many would be surprised just how good computers are at recognising random words and how bad humans are at articulating meaningful sentences. I have shown people ASR transcriptions of their speech and been met with incredulity. Yet when listening to the recording, the speaker is often forced to admit that the computer generally gets far more correct than he or she would give it credit for. What the speaker and listener forget is how much interpretation they were applying to filter out the “ahs” and “ums” and “rights” and the repeated words, the hesitations, mumblings, and so on, and how much they make use of prior knowledge about each other and the topic discussed. Listeners frequently perceive words that they do not actually hear. If the same utterances with words in random order (i.e. meaningless) were transcribed by human and computer, the computer would likely do better.

Number crunching is not the solution

The problem we have is that we cannot continually improve the understanding of speech by continually improving the recognition of words. It is like trying to get a car with flat tyres to go faster by putting in a larger engine. The engine is not the critical path, and it is cheaper and more effective to pump up the tyres than to improve the engine. So too with speech. In order to behave and understand like a human, the machine needs more information, not better algorithms or more computing power to improve the word recognition.

Many banks would argue that it doesn’t matter if the customer has to repeat an account number 10 times during a telephone banking transaction, because it is not costing the bank any more than saying it once. But here again, the human factors are all-important. It is no consolation that repeating something 10 times might ultimately bring down a customer’s bank charges – eventually the customers will vote with their feet.

... but adding information is

So what is the solution? The remedy is that AI must be applied to the problem as a whole, not just to isolated parts. Taking ASR as an example again, by using readily available information contained in email correspondence, speech recognition performance can be improved far more than by improving the ASR algorithm or running it on a bigger computer. The emails can be used to effectively train the ASR system on the types of words that are exchanged and the subject matter being discussed. In addition, text-based messages can give valuable clues to the grammar being used – the sequences of words, the likely combinations of words, etc. In short, the context of the discussion. Being able to share email and voice traffic is already possible, but it is not yet being widely applied, and yet it could dramatically benefit both financial institutions and their customers by helping a computer better understand the context of a conversation.

Speech recognition is just one example of an AI process that often falls short on expectation. There are many more applications of AI that can be improved by taking a holistic view, not just the bits we like. AI is all about emulating humans, not number crunching. To do this, we need to understand as much as we can about the human process we wish to automate.

Looking at how the human processes information can yield benefits in many areas of IT. For example, some of the largest advances in video data compression came from an understanding of what the human eye can perceive rather than the mathematics of information theory.

In summary, AI is not about building more and more powerful neural networks; it is about convincing a human that the computer is doing as good a job as, or a better job than, another human would. And to achieve this, we must tap as many of the information sources as the human has available – which, with some lateral thinking, are available to the machines too. If this information is not present, then we cannot compensate by continuously improving just some parts of the process. We must either find more context or rethink the solution. Until this happens, ASR may be subject to the law of diminishing returns.