State Farm attack highlights account takeover and credential stuffing risks

Security news this week highlighted the discovery of a credential stuffing attack against State Farm Insurance. According to a document posted online, it appears that the organization is currently notifying its customers following the discovery of an attack in July 2019.

Credential stuffing is becoming a new normal

Credential stuffing is a method used to perform an attack known as an Account Takeover, or ATO for short. ATO attacks happen when a malicious actor uses stolen credentials, often obtained from the dark web, to log into a website and take over a customer's account on that site. Gaming websites are popular targets for ATO attacks because virtual currency can be stolen and resold on other marketplaces. However, large enterprises and financial institutions have also become targets in recent years, and with five new breaches a day, it is unlikely that attacks of this kind will slow down.

The website haveibeenpwned.com estimates that over 8.3 billion website accounts have been compromised. Many credential lists from various data breaches are available online, and criminals can use them to perform automated login attempts against websites.

State Farm attack notice

In its notice to customers, State Farm says that it has reset the passwords of affected accounts, while emphasizing to users that if they reused the same password across multiple sites, those accounts will now potentially be vulnerable to account takeover attacks.

How to protect your web app against ATO attacks

The only real way for your users to protect themselves against ATO attacks is to avoid reusing passwords. As a web app owner, however, it is important to realize that users often need to be protected from themselves. The reality is that people will reuse credentials, and those credentials will at some point be stolen. With this in mind, organizations should take deliberate steps to prevent credential stuffing and account takeover attacks.


ATO attacks are often carried out using individual bots or large bot networks, so a bot management solution should now be an essential part of every web application security strategy. Credential stuffing bots are often sophisticated, meaning they simulate legitimate human interaction in order to avoid detection. These bad bots are difficult to detect through server-side traffic analysis alone and require more advanced techniques, such as real-time browser forensics and enhanced fingerprinting, to ensure that attacks are blocked.

Multi-factor authentication is another method that can go a long way, but it has proved difficult to roll out. Consumers often find that multi-factor authentication hurts the usability and workflow of a web app, so they are slow to adopt it and often refuse to use it at all. In addition, it is a behavior-based control that does nothing to alert security teams or proactively take action when an attack is under way.

ATO protection requires multiple preventative steps

Using stolen credentials is still the number one way for criminals to gain access to accounts or corporate networks. While behavior-based measures like multi-factor authentication or stronger password habits help, it is also imperative for businesses to employ other solutions to stop account takeovers and detect credential stuffing.
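One server-side signal that does not depend on any vendor product is the shape of the login traffic itself: a credential stuffing source tries many different usernames, usually once each, and nearly all of those attempts fail, whereas a brute-force source hammers one account and a real user touches one or two. The following is an added example, not code from Instart or from the original post; the log line format, the thresholds and the sample log are constructed assumptions for the demonstration.

```python
# Added example: flag credential-stuffing sources in web login logs.
# Assumed (constructed) log line format:
#   <timestamp> <client-ip> login user=<name> result=ok|fail
import re
from collections import defaultdict

LOG_RE = re.compile(
    r"(?P<ts>\S+) (?P<ip>\d+\.\d+\.\d+\.\d+) login "
    r"user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)

def parse(lines):
    """Yield (ip, user, result) for each line that matches the assumed format."""
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            yield m.group("ip"), m.group("user"), m.group("result")

def detect_stuffing(lines, min_attempts=5, min_distinct_ratio=0.8, min_fail_ratio=0.8):
    """Return {ip: stats} for sources whose attempts spread across many distinct
    usernames AND mostly fail (the credential-stuffing signature). Thresholds are
    constructed defaults; tune them to the site's real baseline."""
    attempts, fails, users = defaultdict(int), defaultdict(int), defaultdict(set)
    for ip, user, result in parse(lines):
        attempts[ip] += 1
        users[ip].add(user)
        if result == "fail":
            fails[ip] += 1
    suspects = {}
    for ip, n in attempts.items():
        if n < min_attempts:
            continue  # too little traffic to judge
        if len(users[ip]) / n >= min_distinct_ratio and fails[ip] / n >= min_fail_ratio:
            suspects[ip] = {"attempts": n, "distinct_users": len(users[ip]),
                            "failures": fails[ip]}
    return suspects

# Constructed sample log: 203.0.113.5 sprays six different accounts from a
# breach list (one hit), 198.51.100.9 brute-forces a single account, and
# 192.0.2.77 is a real user who mistyped a password once.
SAMPLE_LOG = [
    "2019-07-03T10:00:01Z 203.0.113.5 login user=alice result=fail",
    "2019-07-03T10:00:02Z 203.0.113.5 login user=bob result=fail",
    "2019-07-03T10:00:02Z 198.51.100.9 login user=admin result=fail",
    "2019-07-03T10:00:03Z 203.0.113.5 login user=carol result=ok",
    "2019-07-03T10:00:03Z 192.0.2.77 login user=alice result=fail",
    "2019-07-03T10:00:04Z 203.0.113.5 login user=dave result=fail",
    "2019-07-03T10:00:04Z 198.51.100.9 login user=admin result=fail",
    "2019-07-03T10:00:05Z 203.0.113.5 login user=erin result=fail",
    "2019-07-03T10:00:05Z 198.51.100.9 login user=admin result=fail",
    "2019-07-03T10:00:06Z 192.0.2.77 login user=alice result=ok",
    "2019-07-03T10:00:06Z 203.0.113.5 login user=frank result=fail",
    "2019-07-03T10:00:07Z 198.51.100.9 login user=admin result=fail",
    "2019-07-03T10:00:08Z 198.51.100.9 login user=admin result=fail",
]

if __name__ == "__main__":
    print(detect_stuffing(SAMPLE_LOG))  # only 203.0.113.5 is flagged
```

Per-IP counting catches a single bot; a bot network spreads the same list across many addresses, so in production the same distinct-user and failure ratios should also be computed per time window across all sources, and the `result=ok` hits from a flagged source are the accounts to reset first.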

Instart’s bot management technology uses a unique element called the Nanovisor: a small, lightweight piece of JavaScript code that is sent down along with the regular website code to a customer’s browser. This JavaScript provides sensors that interrogate the browser and send data back, allowing advanced algorithms to determine whether the traffic source is legitimate or automated. When sophisticated bots are detected, they can be blocked and also fingerprinted for blacklisting purposes.

With strong protection against bots, organizations can prevent credential stuffing against their website and stop ATO attacks before they begin.
