The Challenges Of Defending Against Credential Stuffing — State Farm And More

The recent credential stuffing attack at State Farm highlights the necessity to protect your company’s business applications, whether they’re web, mobile or API-based.

EXPERTS' COMMENTS
Ameya Talwalkar, Co-Founder and Chief Product Officer, Cequence Security
August 13, 2019
Credential stuffing attacks are indeed on the rise, but not just in the retail sector. Financial services, travel/hospitality, entertainment and insurance/healthcare companies are all subject to these attacks. Viewed from the attacker perspective, any company that has a public-facing application infrastructure where a user registers for an account that holds assets or information of value is subject to credential stuffing, also known as account takeover attacks.

Defending against these types of attacks presents enterprises with three unique challenges. First, attackers will mask their identity and location using a distributed network of proxies, so transactions appear to be legitimate, coming from a range of IP addresses, which means that traditional known-bad prevention techniques cannot stop them. The appearance of legitimacy means organizations are reluctant to block them. The second challenge they face is the move towards a more rapid and iterative application development methodology, which means that the speed of deployment may move faster than security. If protecting the application requires instrumentation or SDK modification, it may be bypassed for the sake of time-to-market. Lastly, attackers increasingly target application APIs directly, bypassing any front-end forms along with any traditional security mechanisms.

We believe protection from credential stuffing can be baked into your development workflow so that your web, mobile and API-based applications are protected, without adding validation and QA cycles that inject delay into the deployment process.
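The first of the three challenges described above (attempts spread across a proxy network so that no single IP ever looks bad) is easiest to see against concrete logs. What follows is an added example, not code from the commentary or from Cequence Security. It builds a constructed login log, runs a conventional per-IP failure threshold over it, and then runs a fleet-wide check that looks at the failure rate and the source spread of all attempts in a window. The log format, the IP ranges, the usernames, the thresholds and the `/api/v1/login` path are all assumptions chosen for illustration.

```python
"""Distributed credential stuffing: why per-IP blocking misses it, and a
fleet-wide signal that does not. Added example over constructed log lines."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed log format (an assumption, not any real product's format):
# <ISO-8601 UTC> <client IP> POST <path> user=<name> status=<HTTP status>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) POST (?P<path>\S+) user=(?P<user>\S+) status=(?P<status>\d{3})$"
)

T0 = datetime(2019, 8, 13, 10, 0, tzinfo=timezone.utc)   # normal traffic starts here
ATTACK_START = T0 + timedelta(minutes=20)                 # distributed stuffing run
BURST_START = T0 + timedelta(minutes=40)                  # single-source brute force
WINDOW = timedelta(minutes=10)


def _ts(t):
    return t.strftime("%Y-%m-%dT%H:%M:%SZ")


def build_sample_log():
    """Constructed traffic: normal logins, a distributed stuffing run and a
    single-source brute force, so the two detection styles can be compared."""
    lines = []
    # 1) Normal: 20 logins from four known client IPs, two mistyped passwords.
    office = ["192.0.2.11", "192.0.2.12", "192.0.2.13", "192.0.2.14"]
    for i in range(20):
        status = 401 if i in (3, 11) else 200
        lines.append(f"{_ts(T0 + timedelta(seconds=25 * i))} {office[i % 4]} "
                     f"POST /login user=staff{i:02d} status={status}")
    # 2) Distributed stuffing: 40 stolen username/password pairs, each replayed
    #    once through a different proxy (198.51.100.x), straight at the API
    #    endpoint rather than the web form. Three of the pairs are still valid.
    for i in range(40):
        status = 200 if i in (7, 19, 33) else 401
        lines.append(f"{_ts(ATTACK_START + timedelta(seconds=12 * i))} 198.51.100.{i + 1} "
                     f"POST /api/v1/login user=stuffed{i:02d} status={status}")
    # 3) Single-source brute force: one IP hammering one account.
    for i in range(8):
        lines.append(f"{_ts(BURST_START + timedelta(seconds=5 * i))} 192.0.2.200 "
                     f"POST /login user=admin status=401")
    return "\n".join(lines)


def parse(log_text):
    """Turn log lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append({"ts": ts, "ip": m["ip"], "path": m["path"],
                       "user": m["user"], "ok": m["status"] == "200"})
    return events


def per_ip_blocklist(events, window=WINDOW, max_failures=5):
    """Traditional control: flag an IP with more than max_failures failed
    logins inside a sliding window. One attempt per proxy never trips it."""
    flagged, recent = set(), defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["ok"]:
            continue
        q = recent[e["ip"]]
        q.append(e["ts"])
        while q and e["ts"] - q[0] > window:
            q.pop(0)
        if len(q) > max_failures:
            flagged.add(e["ip"])
    return flagged


def fleet_wide_stats(events, start, window=WINDOW):
    """Aggregate every login attempt in [start, start + window) across all IPs."""
    w = [e for e in events if start <= e["ts"] < start + window]
    attempts = len(w)
    failures = sum(not e["ok"] for e in w)
    return {
        "attempts": attempts,
        "failures": failures,
        "failure_rate": failures / attempts if attempts else 0.0,
        "distinct_ips": len({e["ip"] for e in w}),
        "api_share": sum(e["path"].startswith("/api/") for e in w) / attempts if attempts else 0.0,
    }


def is_stuffing_window(stats, baseline_rate, min_attempts=20, rate_multiplier=3.0, spread=0.8):
    """Fleet-wide signal: enough attempts, a failure rate far above the
    baseline (and at least 50%), and nearly one distinct IP per attempt."""
    if stats["attempts"] < min_attempts:
        return False
    return (stats["failure_rate"] >= max(0.5, rate_multiplier * baseline_rate)
            and stats["distinct_ips"] >= spread * stats["attempts"])


def compromised_accounts(events, start, window=WINDOW):
    """Successful logins inside a flagged window: the stolen pairs that still
    work, which need a forced reset or step-up rather than an IP block."""
    return {e["user"] for e in events if start <= e["ts"] < start + window and e["ok"]}


EVENTS = parse(build_sample_log())

if __name__ == "__main__":
    base = fleet_wide_stats(EVENTS, T0)
    print("per-IP blocklist catches only:", per_ip_blocklist(EVENTS))
    for name, start in (("normal", T0), ("stuffing", ATTACK_START), ("burst", BURST_START)):
        s = fleet_wide_stats(EVENTS, start)
        print(name, s, "flagged" if is_stuffing_window(s, base["failure_rate"]) else "clear")
    print("accounts to reset:", sorted(compromised_accounts(EVENTS, ATTACK_START)))
```

The per-IP rule only ever catches the single-source burst; the forty proxy addresses each produce one failure and stay under any sane threshold. The fleet-wide view flags the stuffing window because the failure rate jumps from 10% to over 90% while the number of distinct sources equals the number of attempts, and it also shows every request arriving at the API path rather than the form. In a real deployment the baseline rate comes from historical windows for the same endpoint, and the response to a flagged window is to step up authentication and reset the accounts that logged in successfully, since blocking the IPs would punish the proxy operators' other users and the attacker would simply rotate.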
