
Bot Protection

The Best Offense is a Layered Defense: How to Stop the Cycle of Credential Stuffing and Fraudulent Credential Use


Working for the industry leader in bot management can be pretty eye-opening. Every day, my company witnesses credential stuffing attack attempts levied against the largest websites in the world, and it gives me pause when I think about the number of bot attacks that digital businesses experience on a regular basis.

But the great thing about it is this: we at PerimeterX are in a great position to stop the cycle of credential stuffing and compromised credential use. Because we know what attacks are happening each day, we are able to see which credentials are being used in real-world attacks, in real time. And we can share that intelligence.

Leveraging a proprietary database of compromised credentials that is updated in real time, PerimeterX Credential Intelligence arms organizations with the knowledge they need to automatically recognize and stop an attacker from logging in, and mitigate the threat before fraud is committed.

Enabling a layered defense

My colleagues and I know firsthand that PerimeterX Bot Defender blocks bots with incredible accuracy, and we realized that it could also inform an additional layer of defense. And so, Credential Intelligence was born. Building on PerimeterX's insider knowledge of bot attacks, this new solution automatically stops the use of compromised credentials in real time.

Credential Intelligence flags credentials that are actively in use by attackers in the real world, in real time. Monitoring dark web sources and attacks happening “in the wild,” it provides an early warning system that uses the most up-to-date information to stop fraud before it happens.

Our customers’ users and account holders trust that their data will be kept safe. Leaving your accounts vulnerable can damage consumer trust and lead to financial losses. By getting out ahead of the use of compromised credentials, you can avoid fraudulent logins, build brand loyalty and protect your customers’ identity and account information.

Traditional tools are not sufficient

As a self-proclaimed tech nerd, I’ve checked credentials on haveibeenpwned once or twice. I mostly use it to poke fun at my friends for their poor security practices — we all know someone who uses “Password123” as their email password. But when it comes to protecting your users’ accounts, those types of tools just don’t cut it.

Services like haveibeenpwned rely on static, aging lists of known compromised usernames and passwords. With billions of stolen credentials to choose from, cybercriminals are likely to avoid credentials already listed on haveibeenpwned in favor of unknown or zero-day compromised credentials. Static lists cannot keep up with breaches as they happen, so the information they offer is neither current nor complete. Businesses need a solution that monitors real-world attacks as they happen and flags the credentials attackers are using now, rather than what might have been compromised and used in the past.

Other validation techniques, such as CAPTCHAs or multifactor authentication (MFA), might weed out some credential-stuffing bots, but the friction they add to the customer journey drives abandonment and lowers conversion rates for human customers. And while those tools test whether you are a bot and whether you have the right credentials, they do not answer the more important questions: are you who you say you are, and are you doing what you should be doing?

Disrupting the attack lifecycle

A data breach lives forever. Every breach fuels the next generation of credential stuffing and account takeover attacks, which in turn fuel online fraud. Stolen credentials are easy to obtain, cheap, and continuously reusable against a variety of sites. A recent report found over 15 billion username and password combinations up for sale on the dark web, with some lists going for as little as $2.

Once fraudsters get their hands on valid credentials, they can take over accounts and commit all types of fraud. This includes making fraudulent purchases, transferring funds, emptying gift cards and opening new credit applications, to name a few examples. People use an average of six passwords across all their accounts, so even if a breach is mitigated at the source, the compromised credentials are likely still applicable elsewhere. In order to end the cycle, digital businesses must cut off unauthorized logins at the source.

By adding a detection layer for compromised credentials, you reduce the surface area available to credential stuffing attacks, which threatens the very viability and economics of the attacks themselves. Once credentials are placed on the compromised list, they are no longer reusable: a previously recyclable resource becomes a single-use resource, which makes the attack infeasible and unprofitable for the attacker and shrinks the attack surface of the defending website.

Where blocking bots and compromised credentials meet

Now you might be thinking, “Why do I need Credential Intelligence when I’m already using Bot Defender?” Well, they solve different but related challenges. Here’s the full explanation:

Bot Defender blocks credential stuffing attacks, thus preventing potential account takeovers. However, while blocking bots is critical and necessary, it doesn’t stop attackers from future attempts. The same list of credentials is still just as relevant, perhaps on a different site. And, since the attempts were blocked, the targeted site has no record of the credentials the attacker used, and no way to force password resets.

Credential Intelligence flips the script. Because it makes compromised credentials useless in the future, it disrupts the basic economic viability of credential stuffing attacks. Furthermore, once credentials are blocked for one PerimeterX customer, all customers get the benefit.

Bot Defender is an immediate and necessary solution against active credential stuffing attacks. Credential Intelligence is a strategic solution geared towards eliminating future credential stuffing attempts. Together, they form a layered defense that stops account fraud.
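As an added illustration of the layered decision described above (example code written for this page, not PerimeterX's own implementation), the sketch below shows a login guard where the bot layer records a keyed fingerprint of every credential pair it blocks, so that a later human-looking login with the same pair, on any site sharing the list, is denied and forced to reset. It assumes a `bot_score` supplied by a bot-detection layer, a `password_ok` result from the site's own password check, a constructed HMAC key, and a compromised-fingerprint set shared between sites.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

# Constructed demo secret; a real deployment keeps this in a secrets manager.
FINGERPRINT_KEY = b"constructed-demo-key"


def credential_fingerprint(username: str, password: str) -> str:
    """Keyed hash of a credential pair, so the shared list never holds plaintext."""
    msg = f"{username.strip().lower()}\x00{password}".encode()
    return hmac.new(FINGERPRINT_KEY, msg, hashlib.sha256).hexdigest()


@dataclass
class LayeredLoginGuard:
    """Two layers: bot blocking first, compromised-credential check second."""
    bot_threshold: float = 0.8
    # Shared across every site that uses the guard (constructed stand-in
    # for a real-time compromised-credential feed).
    compromised: set = field(default_factory=set)
    # Accounts that must reset before they can log in again.
    reset_required: set = field(default_factory=set)

    def decide(self, username: str, password: str,
               bot_score: float, password_ok: bool) -> str:
        fp = credential_fingerprint(username, password)
        # Layer 1: block the bot, but also record which credential pair it
        # tried, so the pair becomes single-use instead of silently reusable.
        if bot_score >= self.bot_threshold:
            self.compromised.add(fp)
            return "blocked_bot"
        # Layer 2: even a human-looking session presenting a pair seen in an
        # attack is denied, and the account owner is forced to reset.
        if fp in self.compromised:
            self.reset_required.add(username.strip().lower())
            return "deny_reset_required"
        # Neither layer fired: fall through to the site's own password check.
        return "allow" if password_ok else "deny_bad_password"
```

Because `compromised` is shared, a pair blocked on one site is immediately unusable on every other site that consults the same set.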
