HOW TO PREVENT CREDENTIAL STUFFING ATTACK

Credential stuffing is a type of brute force attack in which the attacker takes credentials already obtained elsewhere (i.e. stolen) and tries them as a login on another website or system.

For example, a hacker may obtain the username-password pair of a Facebook account and then attempt to use the same credentials to log in to Gmail or Instagram. The basic premise behind credential stuffing attacks is fairly simple: most people tend to reuse the same username and password across all of their accounts, and the attacker simply exploits this fact.

Many lists of stolen credentials are now sold and even shared publicly on the internet, and as a result of this phenomenon, credential stuffing attacks have risen in popularity for the past few years.

In this guide, we will discuss how we can effectively prevent credential stuffing attacks and how to protect our account, website, and system from this scary version of brute force attacks.

1. Strong and Unique Passwords

The best and most effective approach to preventing credential stuffing attacks is to make strong passwords mandatory and to advise your users to use unique passwords (i.e. one password for one account only).

As a general rule of thumb, a strong password is 10 characters long and should feature a combination of uppercase letters, lowercase letters, symbols, and numbers. You can also use various password randomizer and password manager solutions to create really strong, randomized passwords (which will also help in using unique passwords for different accounts).

2. Multi-Factor Authentication

The idea of multi-factor authentication (MFA) or 2-factor authentication (2FA) is to ask for additional (or more) information besides the username-password combination before someone can access the account. So, in the event of a credential stuffing attack, an attacker won’t gain access even if they possess the right credential.

This secondary information can be:

  • Something you have: a USB dongle, etc.
  • Something you know: a secondary password, PIN, OTP code, etc.
  • Something you are: fingerprint, iris, face ID, etc.

MFA is very effective in stopping credential stuffing and brute force attacks in general. However, requiring too many MFA requests can significantly ruin your site’s user experience (UX) and might increase the bounce rate.

Finding the right balance between security and usability is also very important, so you can strategically require MFA only on certain suspicious conditions, for example:

  • Different browser, device, IP address or other signature from what the user normally presents
  • Login attempt from an unusual location, or from countries that are considered suspicious
  • Blacklisted IP address, or an IP address that has tried to log in to multiple accounts
  • Obvious bot/scripted activities
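The conditions in the list above translate naturally into a small risk engine that decides, per login attempt, whether to step up to MFA. The following is an added example written for this article, not code from the original post; the field names, the thresholds (three accounts per IP), the placeholder country code and the TEST-NET IP addresses are all assumptions.

```python
"""Risk-based step-up to MFA, illustrating the conditions listed above.

Added example, not from the original article. Field names, thresholds and
the sample data are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class AccountHistory:
    """What the server remembers about an account from earlier good logins."""
    known_fingerprints: set = field(default_factory=set)  # hashes of browser/device signatures
    known_countries: set = field(default_factory=set)      # countries the user has logged in from


@dataclass
class LoginContext:
    """Observations about the current login attempt (assumed fields)."""
    username: str
    ip: str
    fingerprint: str   # e.g. hash of user agent + accept-language + screen size
    country: str       # ISO country code from a GeoIP lookup
    bot_like: bool     # set by a bot heuristic, e.g. headless browser or machine-speed form fill


class RiskEngine:
    """Decides whether a login needs a second factor; it also keeps the
    per-IP account counter needed for the 'multiple accounts from one IP' rule."""

    def __init__(self, ip_blocklist=frozenset(), suspicious_countries=frozenset(),
                 max_accounts_per_ip=3):
        self.ip_blocklist = set(ip_blocklist)
        self.suspicious_countries = set(suspicious_countries)
        self.max_accounts_per_ip = max_accounts_per_ip
        self._accounts_per_ip = defaultdict(set)  # ip -> usernames tried from it

    def evaluate(self, ctx, history):
        """Return the list of reasons to require MFA; an empty list means
        the password alone is enough for this attempt."""
        self._accounts_per_ip[ctx.ip].add(ctx.username)
        reasons = []

        # New browser/device signature compared with what we have seen before.
        if history.known_fingerprints and ctx.fingerprint not in history.known_fingerprints:
            reasons.append("unknown device/browser signature")

        # Unusual location for this user, or a country treated as suspicious.
        if ctx.country in self.suspicious_countries or (
            history.known_countries and ctx.country not in history.known_countries
        ):
            reasons.append("unusual location")

        # Blocklisted IP, or an IP that has tried to log in to many accounts.
        if ctx.ip in self.ip_blocklist or len(self._accounts_per_ip[ctx.ip]) > self.max_accounts_per_ip:
            reasons.append("blocklisted or multi-account IP")

        # Obvious scripted activity.
        if ctx.bot_like:
            reasons.append("scripted activity")

        return reasons


def demo():
    """Constructed scenario: a known user on a known device passes silently,
    while a run of logins across four accounts from one IP gets stepped up."""
    engine = RiskEngine(ip_blocklist={"203.0.113.9"}, suspicious_countries={"ZZ"})
    alice = AccountHistory(known_fingerprints={"fp-alice-laptop"}, known_countries={"GB"})

    normal = engine.evaluate(
        LoginContext("alice", "198.51.100.20", "fp-alice-laptop", "GB", False), alice)

    last = []
    for i in range(4):  # four different accounts tried from one IP (constructed)
        last = engine.evaluate(
            LoginContext(f"user{i}", "192.0.2.77", "fp-headless", "GB", True), AccountHistory())
    return normal, last


if __name__ == "__main__":
    print(demo())
```

The engine returns reasons rather than a bare boolean so that the same decision can feed the user notification and the audit log; the account-per-IP counter is in-memory here and would live in a shared store (with expiry) in a real deployment.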

3. CAPTCHA

Since many credential stuffing and brute force attacks are performed by automated scripts (bots), implementing CAPTCHA can help block these bots from performing their task. However, CAPTCHA is not a one-size-fits-all answer to credential stuffing attacks, for two reasons:

  1. There are now CAPTCHA farm services where a human worker will solve the CAPTCHA before passing it to the bot, rendering CAPTCHA useless.
  2. Similar to MFA, CAPTCHA can ruin user experience, so it’s very important to use them sparingly.

In general, use CAPTCHA only in specific, strategic scenarios, and you can combine it with other techniques.

4. Notify Users About Unusual Activities

Many people don’t realize when their credentials have been stolen, so it may be appropriate to notify or warn the user when suspicious activities are detected.

However, don’t overwhelm users with too many notifications; send only appropriate and important ones. Otherwise, the user might just ignore or delete the notification, making this approach counterproductive.

For example, if a login attempt supplied the correct password but then failed the MFA check, the user should be notified so they can change the password immediately.

It’s also important for your users to be able to view details related to recent logins (date, time, and location). Also, if the application allows simultaneous sessions, the user should be able to view a list of all active sessions and to terminate any other sessions they deem suspicious.
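To make the two requirements above concrete (alerting on a correct password that fails MFA, and letting the user list and terminate their own sessions), here is an added example written for this article, not code from the original post. The in-memory store, the message wording, the GeoIP-style location strings and the sample IPs are assumptions.

```python
"""Login notifications and session visibility/termination for the user.

Added example, not from the original article. The store is in-memory and
the message wording, field names and sample data are assumptions.
"""
import secrets
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass
class Session:
    session_id: str
    username: str
    created_at: datetime
    ip: str
    location: str   # e.g. "London, GB" from a GeoIP lookup (assumed)


class SessionStore:
    def __init__(self):
        self._sessions = {}   # session_id -> Session
        self.outbox = []      # (username, message) pairs a mailer would send

    def login(self, username, ip, location, password_ok, mfa_ok, now=None):
        """Create a session only when both factors pass. A correct password
        that then fails MFA is exactly the case the user must hear about."""
        now = now or datetime.now(timezone.utc)
        if not password_ok:
            return None       # plain wrong password: no session, no alert
        if not mfa_ok:
            self.outbox.append((username,
                f"A login from {ip} ({location}) used your correct password but failed the "
                f"second-factor check at {now.isoformat()}. If this was not you, change your password now."))
            return None
        sid = secrets.token_urlsafe(32)   # unguessable session identifier
        self._sessions[sid] = Session(sid, username, now, ip, location)
        return sid

    def active_sessions(self, username):
        """Recent-login view: date/time, IP and location of every live session."""
        return sorted((s for s in self._sessions.values() if s.username == username),
                      key=lambda s: s.created_at)

    def terminate_others(self, username, keep_session_id):
        """Log out every other session of this user; returns how many were ended."""
        doomed = [sid for sid, s in self._sessions.items()
                  if s.username == username and sid != keep_session_id]
        for sid in doomed:
            del self._sessions[sid]
        return len(doomed)

    def terminate(self, username, session_id):
        """End one session; only its owner may do so."""
        s = self._sessions.get(session_id)
        if s is None or s.username != username:
            return False
        del self._sessions[session_id]
        return True


def demo():
    """Constructed scenario: two legitimate sessions, then a correct password
    that fails MFA, then the user ends every session except the current one."""
    store = SessionStore()
    t0 = datetime(2024, 5, 1, 9, 0, tzinfo=timezone.utc)
    home = store.login("alice", "198.51.100.20", "London, GB", True, True, now=t0)
    phone = store.login("alice", "198.51.100.21", "London, GB", True, True, now=t0.replace(hour=10))
    attempt = store.login("alice", "203.0.113.9", "Unknown", True, False, now=t0.replace(hour=11))
    stranger = store.terminate("mallory", phone)   # another user cannot end alice's session
    before = len(store.active_sessions("alice"))
    ended = store.terminate_others("alice", home)
    return {"before": before, "failed_mfa_session": attempt, "alerts": len(store.outbox),
            "stranger_could_end": stranger, "ended": ended,
            "remaining": [s.ip for s in store.active_sessions("alice")]}


if __name__ == "__main__":
    print(demo())
```

Note that a wrong password produces no alert at all: only the combination "password accepted, second factor failed" is a strong signal that the password itself has leaked, and alerting on every failed guess would be exactly the notification flood the text warns against.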

5. Fingerprinting

The basic approach to preventing credential stuffing attacks is to blacklist IP addresses and/or ranges of IPs after a certain number of failed login attempts. However, sophisticated bots can now rotate between thousands of IP addresses, so IP-based detection alone might not be very effective.

So, we can also fingerprint other factors to determine whether the traffic is a legitimate user, like browser, device signature, operating system, the language used, and more. There are various fingerprinting-based solutions you can use for this method.

The idea is, if the new traffic doesn’t match the user’s previous signatures, you can ask this client for additional authentication (MFA, CAPTCHA, or others). Keep in mind, however, that a user might share the account with their friends or family members, so implement this method strategically.

In combination with fingerprinting, we can also configure alerts on the login success ratio of suspicious users. For example, a login success rate below 10% is very suspicious, and credential stuffers can reach a close to 0% success rate. Tracking login success ratios can be very effective in detecting credential stuffing attacks.
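The login-success-ratio check described in the paragraph above is straightforward to compute from an authentication log. The block below is an added example written for this article, not code from the original post: the log line format, the minimum-attempts floor before a ratio is judged, and the sample lines are constructed assumptions; the 10% threshold is the one quoted in the text.

```python
"""Login-success-ratio detection over authentication log lines.

Added example, not from the original article. The log format, the
minimum-attempts floor and the sample lines are constructed assumptions;
the 10% threshold is the one quoted above.
"""
import re
from collections import defaultdict

# Assumed log line shape: "<timestamp> ip=<addr> user=<name> result=OK|FAIL"
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+ip=(?P<ip>\S+)\s+user=(?P<user>\S+)\s+result=(?P<result>OK|FAIL)$")

SUSPICIOUS_RATIO = 0.10  # a success rate below this is very suspicious (from the text)
MIN_ATTEMPTS = 10        # below this a ratio says little: two typos are not an attack (assumption)


def parse_line(line):
    """Return the fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def login_stats(lines):
    """Aggregate attempts, successes and distinct usernames per source IP."""
    stats = defaultdict(lambda: {"attempts": 0, "successes": 0, "users": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than crash the detector
        s = stats[rec["ip"]]
        s["attempts"] += 1
        if rec["result"] == "OK":
            s["successes"] += 1
        s["users"].add(rec["user"])
    return stats


def suspicious_sources(lines):
    """Return {ip: details} for sources whose success ratio falls under the threshold."""
    alerts = {}
    for ip, s in login_stats(lines).items():
        if s["attempts"] < MIN_ATTEMPTS:
            continue
        ratio = s["successes"] / s["attempts"]
        if ratio < SUSPICIOUS_RATIO:
            alerts[ip] = {"ratio": ratio, "attempts": s["attempts"],
                          "distinct_users": len(s["users"])}
    return alerts


# Constructed sample log: one IP trying leaked credentials across twenty
# accounts (one hit), one legitimate user who mistyped once, and a short
# burst too small to judge. Addresses are TEST-NET ranges.
SAMPLE_LOG = (
    [f"2024-05-01T10:00:{i:02d}Z ip=198.51.100.7 user=user{i:03d} result=FAIL" for i in range(19)]
    + ["2024-05-01T10:00:19Z ip=198.51.100.7 user=user019 result=OK"]
    + ["2024-05-01T10:05:00Z ip=192.0.2.5 user=alice result=FAIL",
       "2024-05-01T10:05:07Z ip=192.0.2.5 user=alice result=OK",
       "2024-05-01T11:30:00Z ip=192.0.2.5 user=alice result=OK"]
    + [f"2024-05-01T12:00:{i:02d}Z ip=203.0.113.4 user=bob result=FAIL" for i in range(5)]
    + ["malformed line that the parser must skip"]
)

if __name__ == "__main__":
    for ip, info in suspicious_sources(SAMPLE_LOG).items():
        print(f"{ip}: {info['attempts']} attempts, {info['ratio']:.0%} success, "
              f"{info['distinct_users']} accounts")
```

The distinct-user count is reported alongside the ratio because it separates the two low-ratio cases: one account hammered from one IP (a guessing attack) and many accounts tried once each (the credential stuffing pattern). In production the same aggregation would be keyed on the device fingerprint as well as the IP, for the rotation reason given above.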

6. Investing In a Bot Detection Solution

One of the most effective approaches in preventing credential stuffing attacks is to use an advanced account takeover protection solution that can effectively detect and block malicious bot traffic attempting the attack in real-time.

Since both bots and humans now use the same browsers and IP addresses, real-time and automated credential stuffing protection is now necessary. Humans can no longer act fast enough to match the bot activities, and this is where AI-powered, machine learning bot detection solutions can be very effective in preventing credential stuffing attacks.

End Words

While there is no perfect method that can 100% prevent credential stuffing attacks, the 6 methods we have discussed above are among the most effective in identifying, preventing, and mitigating the effects of potential credential stuffing.

The most effective approach, however, is to have an effective bot detection and mitigation solution that can detect the credential stuffing attempt in real-time. Solutions like DataDome offer a comprehensive bot detection solution that deploys in minutes on any infrastructure, fully automated.

Green growth: The unstoppable rise of climate technology investment

With the investment community focusing more and more on renewable technologies, investor interest is at an all-time high. Ian Thomas, managing director, Turquoise, reviews the current investment landscape and highlights the opportunities for investors keen to capitalise on this growing trend.

Green, or climate, finance is a label for providers of finance who are supporting investments seeking positive environmental impact. The label covers investments in green infrastructure, venture capital investment in clean technologies and renewable energy. Green finance has grown by leaps and bounds in recent years, supporting public wellbeing and social equity while reducing environmental risks and improving ecological integrity.

Worldwide, energy investment is forecast to increase by 8% in 2022 to $2.4 trillion, according to a new report by the International Energy Agency, with the expected rise coming mostly from clean energy – $1.4 trillion in total. To put this rocketing figure into some perspective, clean energy investment only rose by 2% annually in the five years following the signing of the Paris Agreement in 2015. Energy transition investment has some way to go, however – between 2022 and 2025, to get on track for global net zero, it must rise by three times the current amount to average $2,063 billion. [1]

Turquoise has been active for almost 20 years as a venture capital investor and adviser to companies in the climate technology space that are raising capital and/or selling their business to a strategic acquirer. Reviewing current industry investment news, as well as drawing on examples from the portfolio of Low Carbon Innovation Fund 2 (LCIF2), managed by Turquoise, I have commented below on the latest developments in the renewable energy trends most piquing investor interest.

Solar PV

Renewable power is leading the charge when it comes to investment, with wind energy and solar PV emerging as the cheapest option for new power generation across many countries, and now accounting for more than 80% of total power sector investment. Solar power is responsible for half of new investment in renewable power, with spending divided roughly equally between utility scale projects and distributed solar PV systems.

This huge increase in solar spending, which continues in spite of supply chain issues affecting raw material delivery, has been driven by Asia, largely China (BloombergNEF, 2022). Meanwhile, Europe is re-doubling its efforts to achieve an energy transition away from Russian gas and other fossil fuels, building on investment that was already rising steadily prior to the outbreak of war in Ukraine. Germany, the UK, France and Spain all exceeded $10 billion on low-carbon spending in 2021.[2]

Wind

Last year was a record year for offshore wind deployment with more than 20GW commissioned, accounting for approximately $40 billion in investment. The first half of 2022 saw $32 billion invested in offshore wind, 52% more than in the same period in 2021 (BloombergNEF, 2022). Taking into account also onshore wind, in 2021 investment was spearheaded by China, followed by the US and Brazil.[3]

In the UK, suggested targets include plans to host 50GW of offshore wind capacity, as well as 10GW of green and blue hydrogen production, by 2030. Investors will naturally be encouraged by proposals to simplify the planning process across the board for renewable projects.[4] France and Germany have also increased their offshore wind targets, signalling further support for investment.

Decarbonising housing: the business opportunity

The need to decarbonise residential housing, made all the more urgent by current energy prices, also offers substantial scope for investment. The gas price spike is naturally increasing interest in technology such as electric heat pumps, which had already enjoyed 15% growth in 2021 albeit from a very low base.

Recently, Turquoise announced an investment by Low Carbon Innovation Fund 2 (LCIF2) in Switchd, which operates MakeMyHouseGreen, a data-driven platform that allows homeowners to source and install domestic renewable energy generation, including solar panels and battery storage with other energy saving products in the pipeline. The investment will enable Switchd to roll out the MakeMyHouseGreen platform to a much larger number of customers. The latest episode of the Talks with Turquoise podcast series saw us interview Switchd co-founder Llewellyn Kinch about the UK energy market and national transition to decarbonisation, covering the rise of residential renewable energy and energy efficiency.

Adapting to the low-carbon economy

Meanwhile, investors should not forget opportunities on the other side of the energy market. Renewables are undoubtedly exciting investors, but there are also opportunities for fossil fuel companies to adapt their business models to the low-carbon economy. Turquoise advised GT Energy, a portfolio company from our first fund that develops deep geothermal heat projects, on its sale to IGas Energy, a leading UK onshore oil & gas producer. Under IGas ownership, GT Energy will progress its flagship 14MW project to supply zero-carbon heat to the city of Stoke-on-Trent through a council-owned district heating network.

A broad investment landscape

Forecasts show that renewables will increase to 60% of power generation in Europe by 2030, and 40% in the US and China by the same date.[5] As demand rises for climate technology, the investment opportunities in green finance are far broader than they ever have been. Undoubtedly, as the energy crisis continues, investor interest will continue to soar to even greater heights.

[1] https://www.iea.org/news/record-clean-energy-spending-is-set-to-help-global-energy-investment-grow-by-8-in-2022
[2] https://ihsmarkit.com/research-analysis/global-power-and-renewables-research-highlights-july-2022.html
[3] https://dialogochino.net/en/uncategorised/56938-global-wind-energy-council-vice-chair-brazil-offshore-wind-accelerating-2/
[4] https://www.edie.net/uks-clean-energy-investment-ranking-rises-after-government-sets-95-low-carbon-electricity-target-for-2030/
[5] https://www.spglobal.com/en/research-insights/featured/energy-transition-renewables-remain-the-cornerstone-of-future-power-generation

A Culture of Cyber Security Throughout Financial Services Organisations

Michael Cantor, CIO, Park Place Technologies

Financial Services organisations have long been a top target for cyber-attacks given both the nature of their financial transactions and the sensitivity of the data being held and processed. It is not just the digital transactions themselves that entice cyber criminals to regularly try and breach existing security protocols. Financial Services’ organisations hold full Personally Identifiable Information (PII) data sets of customers, including home addresses, social security numbers, banking details, transaction history, phone numbers, email addresses, and income information.

When breaches expose this level of sensitive information, cyber criminals can go on to easily access accounts, copy payment cards and make fraudulent purchases. Unsurprisingly, breaches are incredibly bad news and high impact in this sector, as they undermine customer confidence, create large compensation cases, and regularly cause large fines for non-compliance with data protection regulations (GDPR).

CISOs and Risk Managers

Creation of a complete culture of cyber security that spans right across financial establishments has therefore been a high priority for CISOs and Risk Managers in the finance arena, who find themselves at the forefront of the fight to engineer, foster and encourage a culture of pervasive cyber security awareness. These financial CISOs are the risk management professionals who live and breathe with the knowledge that any lapse by any employee can leave the entire organization exposed and vulnerable, and who understand the importance and safety that adherence to a detailed cyber security plan, unique to their organization, brings. Financial establishments and financial services have, more than any other sector, seen heightened advances in digital innovations through internet banking, mobile apps, and instant payments – and all occurring within a relatively short timescale. Such fast adoption of new technology platforms can cause a perfect storm of vulnerabilities, largely through lack of familiarity, potentially increasing the finance industry’s attack surface.

Given the scope of the threat, no one CISO or group of cyber security specialists can be completely responsible for stemming attacks or changing employee behaviours. The requirement to create a pervasive culture of accountability for cyber security in finance has never been more critical with such a surge in digital innovation. Some CISOs struggle to gain immediate internal acceptance of cyber initiatives as they invariably increase extra security processes or in more extreme scenarios, can initially decrease productivity levels as users grapple with additional layers and verifications. Instead, CISOs should embark on a graduated path of security sensitivities. There are three routes in this journey that CISOs need to develop.

Understanding Roles

First, if they are to successfully increase defences, CISOs need to fully understand roles and processes in the existing regime, to understand why and when job functions rely on systems that could pose or increase vulnerabilities. Secondly, as with all successful change, CISOs should spend the first months of cyber change initiatives on the ground, familiarising themselves with workflows and identifying suitable departmental ‘champions’ who can act as envoys or ambassadors. They will become practical flag bearers for ongoing change who will be on point for communications on threat handling and remediation. These departmental cyber champions will also field questions and interactions about cyber concerns, as you would with a local Health and Safety Officer. Creating any true culture change needs to facilitate two-way communications from day one and needs to embrace everyone, so selecting the right team is essential. Recognised, accredited cyber training relevant to the expected outcomes of a cyber ambassador is critical here, as responsibilities move outside of IT. Not only does individualised cyber training bring empowerment and extra capabilities internally, but it leads to personal recognition that reflects positively on future career opportunities.

Once a thorough understanding has been gained and a network of cyber ambassadors developed, CISOs need to quickly move to developing extra employee security practices and providing direction on ongoing cadences. But these new or enhanced security prevention measures invariably add to the time that it takes for employees to finish jobs. Collective attitudes towards prioritising cyber – and by extension, creating a cyber culture – can only be changed by first educating employees on the importance and rationale of changing behaviours or methods of completing a task. This education process can take many forms, starting with a series of simple simulated attacks that provide anonymised responses back to risk professionals to highlight gaps in knowledge and give early indicators of how easily breaches can occur and how fast new cyber processes can be adopted. Additionally, real-world documented examples are often used to show how breaches have been catastrophic in similar-sized organisations. Ongoing interactive education is key to building a continued culture of security. Education on the ramifications of a breach – from board level to new recruits – is essential, at all times presenting cyber security as an enabler rather than another workflow process to achieve. Successful financial companies who avoid security breaches on an ongoing basis additionally bring the importance of cyber security into annual employee reviews, keeping it top of mind and central to employees’ performance (and remuneration). HR therefore also plays a key part in determining a blame-free, but responsible and empowering, security culture.

Empowering Employees

Establishing a culture means, by its very nature, that all are driving towards the same goal. That means gentle but constant reinforcement. And here is where the third part, cyber empowerment, needs a careful balance to avoid falling into negative scare tactics or blame. Financial CISOs, for their part, need at all times to empower employees with the right tools and resources to intelligently identify, question and report suspected attacks. They also need to deploy easy-to-use, reliable preventative tools such as password managers and dependable email security software, while not neglecting their own role in ongoing asset discovery and monitoring to see which assets and software are lurking in the infrastructure (or may have been recently added to it). Endpoint security, especially in hybrid environments, is more important than ever.

Once a culture exists internally, CISO attention must next turn towards suppliers and partners, who can themselves create an entry point for a breach. This can be achieved by clearly setting the organisation’s cyber security expectations up front and asking suppliers to prove compliance with and adherence to these standards, within a reasonable, pre-agreed timeframe.

Creating this inherent cyber culture can only occur through ongoing education and training of employees on the ever-changing threat landscape and linking the importance and rationale to adopt best practices. To achieve an ongoing culture of acceptance, cyber security must clearly help employees get their jobs done so that being security conscious is a positive, ongoing experience for any financial services business.
