The Challenges Of Defending Against Credential Stuffing — State Farm And More

The recent credential stuffing attack at State Farm highlights the need to protect your company's business applications, whether they are web, mobile or API-based.

Expert Comments
Jonathan Bensen, CISO,  Balbix
August 14, 2019
The key to thwarting future attacks like what State Farm has suffered is to leverage security tools that employ the right AI and ML
Trends in the auto insurance industry in 2018 were good for State Farm, as rates went up 5% industry-wide. This enabled the company to earn about $81.7 billion in revenue and maintain its position at number 36 on the Fortune 500. Unfortunately, with the news of this breach, the insurance giant's customer trust and brand image will be significantly affected, and there are likely to be additional consequences from the Federal Trade Commission once more details are revealed about the incident.

Credential stuffing attacks are becoming a frequent threat, as companies such as PCM, Sky and Dunkin' Donuts have all learned this year. The fact is that credential stuffing attacks are just one attack vector that companies must be prepared to defend against. Organizations are tasked with the cumbersome burden of continuously monitoring all assets across hundreds of potential attack vectors to detect vulnerabilities. This involves analyzing tens of billions of time-varying data signals, a task that is not a human-scale problem anymore.

The key to thwarting future attacks like what State Farm has suffered is to leverage security tools that employ the right AI and ML techniques to observe and analyze these data points in real time and derive insights in order to prioritize the vulnerabilities that need to get fixed first, based on several global factors such as availability of exploit code, publicly available password information from past breaches, and environmental factors such as risk and business criticality and the mitigation controls in place. Proactively managing risk must become the new norm and is a requirement for successful cyber practice.
Ameya Talwalkar, Co-Founder and Chief Product Officer,  Cequence Security
August 13, 2019
Financial services, travel/hospitality, entertainment and insurance/healthcare companies are all subject to these attacks.
Credential stuffing attacks are indeed on the rise, but not just in the retail sector. Financial services, travel/hospitality, entertainment and insurance/healthcare companies are all subject to these attacks. Viewed from the attacker's perspective, any company that has a public-facing application infrastructure where a user registers for an account that holds assets or information of value is subject to credential stuffing, also known as account takeover attacks. Defending against these types of attacks presents enterprises with three unique challenges. First, attackers will mask their identity and location using a distributed network of proxies, so transactions appear to be legitimate, coming from a range of IP addresses, which means that traditional known-bad prevention techniques cannot stop them. The appearance of legitimacy means organizations are reluctant to block them. The second challenge they face is the move towards a more rapid and iterative application development methodology, which means that the speed of deployment may move faster than security. If protecting the application requires instrumentation or SDK modification, it may be bypassed for the sake of time-to-market. Lastly, attackers increasingly target application APIs directly, bypassing any front-end forms along with any traditional security mechanisms. We believe protection from credential stuffing can be baked into your development workflow so that your web, mobile and API-based applications are protected, without adding validation and QA cycles that inject delay into the deployment process.
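The first and third challenges above (proxy-distributed sources and direct API targeting) are why a per-IP failed-login threshold misses a stuffing campaign. The following is an added example, not code from the article or from Cequence Security: it runs a classic per-IP rule and an aggregate per-time-window rule over constructed login log lines (the log format, IP addresses, usernames, user agents and thresholds are all invented for illustration). The aggregate rule looks at how failures are spread across IPs and accounts and at how concentrated the client fingerprint is, which is what distinguishes a spray from many proxies from ordinary mistyped passwords.

```python
"""Spotting distributed credential stuffing that per-IP rate limits miss.

Added example (not from the original article). The log format, the
field names and every IP, username and user agent below are constructed
for illustration; the thresholds are starting points, not tuned values.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass

# Constructed log lines: "<epoch-seconds> <ip> <user> <endpoint> <OK|FAIL> <user-agent>"
BASELINE = """\
965 203.0.113.10 alice /login OK Mozilla/5.0
970 198.51.100.7 bob /login FAIL Mozilla/5.0
980 198.51.100.7 bob /login OK Mozilla/5.0
985 203.0.113.44 carol /api/v1/login OK okhttp/3.12.1
1000 203.0.113.10 alice /login OK Mozilla/5.0
1010 203.0.113.91 dave /login OK Mozilla/5.0
""".splitlines()

# Constructed campaign: twelve proxy exit IPs, twelve different accounts, one
# attempt each, eleven failures and one hit, all against the API endpoint,
# all within 45 seconds.
STUFFING = [
    f"{1985 + 4 * i} 192.0.2.{100 + i} user{i:02d} /api/v1/login "
    f"{'OK' if i == 7 else 'FAIL'} python-requests/2.22.0"
    for i in range(12)
]


@dataclass(frozen=True)
class LoginEvent:
    ts: int
    ip: str
    user: str
    endpoint: str
    ok: bool
    ua: str


def parse(lines):
    """Parse the constructed log format into LoginEvent records."""
    events = []
    for line in lines:
        ts, ip, user, endpoint, result, ua = line.split(" ", 5)
        events.append(LoginEvent(int(ts), ip, user, endpoint, result == "OK", ua))
    return events


def noisy_ips(events, threshold=5):
    """Classic per-IP control: source IPs with more than `threshold` failures."""
    fails = Counter(e.ip for e in events if not e.ok)
    return {ip for ip, n in fails.items() if n > threshold}


def window_features(events, window=60):
    """Aggregate failures per fixed time window instead of per source IP."""
    buckets = defaultdict(list)
    for e in events:
        buckets[e.ts // window].append(e)
    feats = {}
    for b, evs in buckets.items():
        fails = [e for e in evs if not e.ok]
        if not fails:
            feats[b] = {"attempts": len(evs), "failures": 0, "fail_ratio": 0.0}
            continue
        uas = Counter(e.ua for e in fails)
        feats[b] = {
            "attempts": len(evs),
            "failures": len(fails),
            "fail_ratio": len(fails) / len(evs),
            # near 1.0: roughly one failure per IP, i.e. proxy-distributed
            "ip_spread": len({e.ip for e in fails}) / len(fails),
            # near 1.0: one attempt per account, a spray rather than a brute force
            "user_spread": len({e.user for e in fails}) / len(fails),
            # one client fingerprint behind many IPs is the usable blocking key
            "top_ua": uas.most_common(1)[0][0],
            "top_ua_share": uas.most_common(1)[0][1] / len(fails),
        }
    return feats


def flag_stuffing(events, window=60, min_failures=8):
    """Return (window, dominant user agent, its share) for windows that look like stuffing."""
    flagged = []
    for b, f in sorted(window_features(events, window).items()):
        if (f["failures"] >= min_failures
                and f["fail_ratio"] >= 0.5
                and f["ip_spread"] >= 0.8
                and f["user_spread"] >= 0.8):
            flagged.append((b, f["top_ua"], round(f["top_ua_share"], 2)))
    return flagged


if __name__ == "__main__":
    events = parse(BASELINE + STUFFING)
    print("per-IP threshold flags:", noisy_ips(events) or "nothing")
    for bucket, ua, share in flag_stuffing(events):
        print(f"window {bucket}: stuffing pattern, {share:.0%} of failures from UA {ua!r}")
```

Run stand-alone, the per-IP rule flags nothing, because every proxy IP fails exactly once, while the window rule flags the campaign window and names the shared user agent as the fingerprint worth acting on. In production the same aggregate features would be computed over the API login endpoint as well as the browser form, and the fingerprint would normally be richer than the user agent string (TLS or header ordering), but the shape of the check is the same.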
