Abstract image of a woman sitting on books and studying on a laptop

API Security Webinar : Credential Stuffing

DevOps Indonesia, profile picture
DevOps Indonesia

Credential stuffing involves using breached username and password pairs from one site to attempt to log in to other sites where users may have reused passwords. It occurs in four main steps: 1) obtaining credentials from data breaches, 2) automating the login process without human interaction, 3) defeating any login defenses, and 4) distributing the process globally through botnets and cloud hosting. While two-factor authentication prevents account takeovers, credential stuffing can still reveal valid user accounts. Users and organizations are encouraged to take steps like using unique passwords, password managers, and two-factor authentication to help mitigate credential stuffing risks.

Travel
1 of 18
Download to read offline
1
2
Most read
3
Most read
4
Most read
5
6
7
8
9
10
11
12
13
14
15
16
17
18
| ©2021 F5 NETWORKS 1 June 2021 Alexander Marcel Credential Stuffing
“Credential Stuffing is super effective because it takes advantage of human behavior where majority is using same password for multiple services” CREDENTIAL STUFFING cre.den.tial stuff.ing The replay of a breached username/password pairs across sites to find accounts where passwords have been reused.
| ©2021 F5 NETWORKS 3 Confidential / / Part of F5 Get Credentials Automate Login Distribute Globally Defeat Automation Defenses (if any) 1 2 3 CREDENTIAL STUFFING 4 cre.den.tial stuff.ing The replay of a breached username/password pairs across sites to find accounts where passwords have been reused. STEPS OF CREDENTIAL STUFFING
CREDENTIAL STUFFING Step 1 Get Credentials
CREDENTIAL STUFFING Step 2 Automate Login No user interaction No device or browser spoofing Poor device/browser spoofing Excellent device/browser spoofing
CREDENTIAL STUFFING Step 2 Automate Login * No programming skills required. Create script in visual constructor.
CREDENTIAL STUFFING Step 2 Automate Login
| ©2021 F5 NETWORKS 8 Confidential / / Part of F5 CREDENTIAL STUFFING Step 3 Defeat Defenses (if any)
CREDENTIAL STUFFING Step 3 Defeat Defenses (if any)
CREDENTIAL STUFFING Step 3 Defeat Defenses (if any)
CREDENTIAL STUFFING Step 3 Defeat Defenses (if any)
CREDENTIAL STUFFING Step 3 Defeat Defenses (if any) What about 2FA ? 2FA does not stop Credential Stuffing 2FA stops automated account takeovers. The point of credential stuffing is to find valid accounts. Credential stuffing, even with 2FA, still results in valid accounts.
CREDENTIAL STUFFING Step 3 Defeat Defenses (if any) How can attacker bypass 2FA ? 1. Social Engineering 2. Phising (RTPP) 3. Sim Swapping 4. etc.. 472618
CREDENTIAL STUFFING Step 4 Distribute Globally
| ©2021 F5 NETWORKS 15 Attack Kill Chain Stolen credentials Botnets,cloud hosting,proxies Loginbehavior simulationtools CAPTCHAsolving tools starting: $0 $2 per 1000 IPs $50 per site config $1.39 per 1000 Because resources are cheap and widely available, it can cost just $200 to takeover 1000 accounts via credential stuffing.
CREDENTIAL STUFFING Call To Action for All Users 1. haveibeenpwned.com 2. Make your passwords unique 3. Use password manager 4. Enable 2FA 5. Review your social media privacy setting and so on.. please check securitycheckli.st
CREDENTIAL STUFFING Call To Action for IT Security & Anti Fraud Team alexander.marcel@f5.com
| ©2021 F5 NETWORKS 18 Thank You & Stay Healthy

More Related Content

PDF
State of Web Security RailsConf 2016
IMMUNIO
 
PPTX
The Quiet Rise of Account Takeover
IMMUNIO
 
PPTX
Two Step Authentication - Chris La Nauze WordPress meetup presentation
Chris La Nauze
 
PPT
Phishing with Super Bait
Jeremiah Grossman
 
PDF
Esoteric xss payloads
Riyaz Walikar
 
PPTX
Hacking Samsung's Tizen: The OS of Everything - Hack In the Box 2015
Ajin Abraham
 
PDF
Penetration Testing Analysis of The Shop (Test Environment)
Gavin Wiener
 
PPT
Joe CFO for CiscoLive Berlin 2016 Email and Web Security Presentation
Bruce Johnson
 
State of Web Security RailsConf 2016
IMMUNIO
 
The Quiet Rise of Account Takeover
IMMUNIO
 
Two Step Authentication - Chris La Nauze WordPress meetup presentation
Chris La Nauze
 
Phishing with Super Bait
Jeremiah Grossman
 
Esoteric xss payloads
Riyaz Walikar
 
Hacking Samsung's Tizen: The OS of Everything - Hack In the Box 2015
Ajin Abraham
 
Penetration Testing Analysis of The Shop (Test Environment)
Gavin Wiener
 
Joe CFO for CiscoLive Berlin 2016 Email and Web Security Presentation
Bruce Johnson
 

What's hot (6)

PPT
DEFCON 17 Presentation: CSRF - Yeah, It Still Works
Russ McRee
 
ODP
Csrf not all defenses are created equal
Ari Elias-Bachrach
 
PPTX
Security with ColdFusion
isummation
 
PDF
How to get deeper administration insights into your tenant
Robert Crane
 
PDF
MID_Security_Connected_Jan_van_Vliet_EN
Vladyslav Radetsky
 
PDF
Atelier Technique - F5 - #ACSS2019
African Cyber Security Summit
 
DEFCON 17 Presentation: CSRF - Yeah, It Still Works
Russ McRee
 
Csrf not all defenses are created equal
Ari Elias-Bachrach
 
Security with ColdFusion
isummation
 
How to get deeper administration insights into your tenant
Robert Crane
 
MID_Security_Connected_Jan_van_Vliet_EN
Vladyslav Radetsky
 
Atelier Technique - F5 - #ACSS2019
African Cyber Security Summit
 
Ad

Similar to API Security Webinar : Credential Stuffing (20)

PDF
The State of Credential Stuffing and the Future of Account Takeovers.
Jarrod Overson
 
PPTX
How websites are attacked
Mykonos Software
 
PDF
FIDO2 : vers la fin des mots de passe ? - Par Arnaud Jumelet
Identity Days
 
PPTX
MS Innovation Day: A Lap Around Web Application Vulnerabilities by MVP Walter...
Quek Lilian
 
PDF
Cloud adoption fails - 5 ways deployments go wrong and 5 solutions
Yevgeniy Brikman
 
PDF
TrustBearer - Virginia Security Summit - Web Authentication Strategies - Apri...
TrustBearer
 
PDF
O365Con19 - A Life Without Passwords Dream or Reality - Sander Berkouwer
NCCOMMS
 
PDF
CIS14: Authentication: Who are You? You are What You Eat
CloudIDSummit
 
PDF
CIS14: Authentication: Who are You? You are What You Eat
CloudIDSummit
 
PDF
Securely logging to Microsoft 365
Robert Crane
 
PDF
How to 2FA-enable Open Source Applications
All Things Open
 
PDF
How Credential Stuffing is Evolving - PasswordsCon 2019
Jarrod Overson
 
PDF
Leveraging the Cloud - Getting the Most Bang for your Buck ( presentation by ...
Cloudyn
 
PDF
Google & FIDO Authentication
FIDO Alliance
 
PDF
IRJET-Enhancement of Security using 2-Factor Authentication, 2nd Factor being...
IRJET Journal
 
PDF
Automated Detection of Session Fixation Vulnerabilities
Yuji Kosuga
 
PPTX
Unlocking Security: A Comprehensive Guide to Password Vaulting
Bert Blevins
 
PDF
Web Application Security
Siarhei Barysiuk
 
PDF
Ghost in the Browser: Broad-Scale Espionage with Bitsquatting
Bishop Fox
 
PPTX
LIFT OFF 2017: Ransomware and IR Overview
Robert Herjavec
 
The State of Credential Stuffing and the Future of Account Takeovers.
Jarrod Overson
 
How websites are attacked
Mykonos Software
 
FIDO2 : vers la fin des mots de passe ? - Par Arnaud Jumelet
Identity Days
 
MS Innovation Day: A Lap Around Web Application Vulnerabilities by MVP Walter...
Quek Lilian
 
Cloud adoption fails - 5 ways deployments go wrong and 5 solutions
Yevgeniy Brikman
 
TrustBearer - Virginia Security Summit - Web Authentication Strategies - Apri...
TrustBearer
 
O365Con19 - A Life Without Passwords Dream or Reality - Sander Berkouwer
NCCOMMS
 
CIS14: Authentication: Who are You? You are What You Eat
CloudIDSummit
 
CIS14: Authentication: Who are You? You are What You Eat
CloudIDSummit
 
Securely logging to Microsoft 365
Robert Crane
 
How to 2FA-enable Open Source Applications
All Things Open
 
How Credential Stuffing is Evolving - PasswordsCon 2019
Jarrod Overson
 
Leveraging the Cloud - Getting the Most Bang for your Buck ( presentation by ...
Cloudyn
 
Google & FIDO Authentication
FIDO Alliance
 
IRJET-Enhancement of Security using 2-Factor Authentication, 2nd Factor being...
IRJET Journal
 
Automated Detection of Session Fixation Vulnerabilities
Yuji Kosuga
 
Unlocking Security: A Comprehensive Guide to Password Vaulting
Bert Blevins
 
Web Application Security
Siarhei Barysiuk
 
Ghost in the Browser: Broad-Scale Espionage with Bitsquatting
Bishop Fox
 
LIFT OFF 2017: Ransomware and IR Overview
Robert Herjavec
 
Ad

More from DevOps Indonesia (20)

PDF
DevSecOps Implementation Journey
DevOps Indonesia
 
PDF
DevOps Indonesia X Palo Alto and Dkatalis Roadshow to DevOpsDays Jakarta 2022
DevOps Indonesia
 
PDF
Securing an NGINX deployment for K8s
DevOps Indonesia
 
PDF
DevOps Indonesia Meetup #52 - announcement
DevOps Indonesia
 
PDF
Dev ops meetup 51 : Securing DevOps Lifecycle - Announcement
DevOps Indonesia
 
PDF
Securing DevOps Lifecycle
DevOps Indonesia
 
PDF
DevOps Meetup 50 : Securing your Application - Announcement
DevOps Indonesia
 
PDF
Secure your Application with Google cloud armor
DevOps Indonesia
 
PDF
DevOps Meetup 49 Aws Copilot and Gitops - announcement by DevOps Indonesia
DevOps Indonesia
 
PDF
Operate Containers with AWS Copilot
DevOps Indonesia
 
PDF
Continuously Deploy Your CDK Application by Petra novandi barus
DevOps Indonesia
 
PDF
DevOps indonesia (online) meetup 46 aws with payfazz in devops indonesia - a...
DevOps Indonesia
 
PDF
Securing Your Database Dynamic DB Credentials
DevOps Indonesia
 
PDF
DevOps Indonesia (online) meetup 45 - Announcement
DevOps Indonesia
 
PDF
The Death and Rise of Enterprise DevOps
DevOps Indonesia
 
PDF
API Security Webinar - Credential Stuffing
DevOps Indonesia
 
PDF
API Security Webinar - Security Guidelines for Providing and Consuming APIs
DevOps Indonesia
 
PDF
API Security Webinar - Hendra Tanto
DevOps Indonesia
 
PDF
API Security Webinar : Security Guidelines for Providing and Consuming APIs
DevOps Indonesia
 
PDF
Feature Scoring in Green Field Application Development and DevOps
DevOps Indonesia
 
DevSecOps Implementation Journey
DevOps Indonesia
 
DevOps Indonesia X Palo Alto and Dkatalis Roadshow to DevOpsDays Jakarta 2022
DevOps Indonesia
 
Securing an NGINX deployment for K8s
DevOps Indonesia
 
DevOps Indonesia Meetup #52 - announcement
DevOps Indonesia
 
Dev ops meetup 51 : Securing DevOps Lifecycle - Announcement
DevOps Indonesia
 
Securing DevOps Lifecycle
DevOps Indonesia
 
DevOps Meetup 50 : Securing your Application - Announcement
DevOps Indonesia
 
Secure your Application with Google cloud armor
DevOps Indonesia
 
DevOps Meetup 49 Aws Copilot and Gitops - announcement by DevOps Indonesia
DevOps Indonesia
 
Operate Containers with AWS Copilot
DevOps Indonesia
 
Continuously Deploy Your CDK Application by Petra novandi barus
DevOps Indonesia
 
DevOps indonesia (online) meetup 46 aws with payfazz in devops indonesia - a...
DevOps Indonesia
 
Securing Your Database Dynamic DB Credentials
DevOps Indonesia
 
DevOps Indonesia (online) meetup 45 - Announcement
DevOps Indonesia
 
The Death and Rise of Enterprise DevOps
DevOps Indonesia
 
API Security Webinar - Credential Stuffing
DevOps Indonesia
 
API Security Webinar - Security Guidelines for Providing and Consuming APIs
DevOps Indonesia
 
API Security Webinar - Hendra Tanto
DevOps Indonesia
 
API Security Webinar : Security Guidelines for Providing and Consuming APIs
DevOps Indonesia
 
Feature Scoring in Green Field Application Development and DevOps
DevOps Indonesia
 

Recently uploaded (20)

PPTX
Continents English presentation 2025.pptx
alessandraespinal21
 
PDF
canadatourpackages 10nights 11 days tour
vidhyaskyplanet
 
PDF
Raja Ampat: Fishopcalpse in the Last Paradise - PUBLISHED with DYK.net & DYK....
Lawrence Alex Wu
 
PPTX
On Safari in India in Search of the Bengal Tiger
India Safari
 
PPTX
Darjeelingallknowledgeableitemofsik.pptx
danvirkaran386
 
PDF
Dining Etiquette & Service Excellence Training part 2
FAROOQBACHA2
 
PDF
Giants of Betel Nut Island - KohMak - PUBLISHED with EZdive
Lawrence Alex Wu
 
DOCX
Everest Base Camp Trek in October: A Complete Guide
Glorious Himalaya Trekking Pvt Ltd
 
PDF
How Technology is Changing Transportation Services in India.pdf
Transporter in India
 
PPTX
Discover Brazil Your Ultimate Tour Package.pptx
Odysseytravels1
 
PDF
Best Traveling sites for Each types of Tours
AmazonPrivateLabel
 
PPTX
Mohammed Osman Ali Agricolus Presentation.ppt
9hs5p4586n
 
PDF
10 Common Mistakes to Avoid in Kumbh Tent Booking.pdf
EpicYatra
 
PDF
Planning Your First Kumbh Yatra? Here’s What You Need
EpicYatra
 
PDF
Attractions Management - Guest Services, Facility and Support Services.pdf
compassdave
 
PPTX
Manuel Antonio National Park – Explore with Mapache Tours
elenacruz9207
 
PDF
List of the World’s Highest Peak - Mount Everest
World Of Legacy
 
PDF
Bostons Best Unforgettable Attractions for Adults
Peter Flower
 
PPTX
sikkim.alalallsnndndnxnxnxnxndndjjdjjdpptx
danvirkaran386
 
PPTX
Smart Travel Solutions Delhi Airport to Chandigarh Taxi Service.pptx
CBitss Technologies
 
Continents English presentation 2025.pptx
alessandraespinal21
 
canadatourpackages 10nights 11 days tour
vidhyaskyplanet
 
Raja Ampat: Fishopcalpse in the Last Paradise - PUBLISHED with DYK.net & DYK....
Lawrence Alex Wu
 
On Safari in India in Search of the Bengal Tiger
India Safari
 
Darjeelingallknowledgeableitemofsik.pptx
danvirkaran386
 
Dining Etiquette & Service Excellence Training part 2
FAROOQBACHA2
 
Giants of Betel Nut Island - KohMak - PUBLISHED with EZdive
Lawrence Alex Wu
 
Everest Base Camp Trek in October: A Complete Guide
Glorious Himalaya Trekking Pvt Ltd
 
How Technology is Changing Transportation Services in India.pdf
Transporter in India
 
Discover Brazil Your Ultimate Tour Package.pptx
Odysseytravels1
 
Best Traveling sites for Each types of Tours
AmazonPrivateLabel
 
Mohammed Osman Ali Agricolus Presentation.ppt
9hs5p4586n
 
10 Common Mistakes to Avoid in Kumbh Tent Booking.pdf
EpicYatra
 
Planning Your First Kumbh Yatra? Here’s What You Need
EpicYatra
 
Attractions Management - Guest Services, Facility and Support Services.pdf
compassdave
 
Manuel Antonio National Park – Explore with Mapache Tours
elenacruz9207
 
List of the World’s Highest Peak - Mount Everest
World Of Legacy
 
Bostons Best Unforgettable Attractions for Adults
Peter Flower
 
sikkim.alalallsnndndnxnxnxnxndndjjdjjdpptx
danvirkaran386
 
Smart Travel Solutions Delhi Airport to Chandigarh Taxi Service.pptx
CBitss Technologies
 

API Security Webinar : Credential Stuffing

  • 1. | ©2021 F5 NETWORKS 1 June 2021 Alexander Marcel Credential Stuffing
  • 2. “Credential Stuffing is super effective because it takes advantage of human behavior where majority is using same password for multiple services” CREDENTIAL STUFFING cre.den.tial stuff.ing The replay of a breached username/password pairs across sites to find accounts where passwords have been reused.
  • 3. | ©2021 F5 NETWORKS 3 Confidential / / Part of F5 Get Credentials Automate Login Distribute Globally Defeat Automation Defenses (if any) 1 2 3 CREDENTIAL STUFFING 4 cre.den.tial stuff.ing The replay of a breached username/password pairs across sites to find accounts where passwords have been reused. STEPS OF CREDENTIAL STUFFING
  • 5. CREDENTIAL STUFFING Step 2 Automate Login No user interaction No device or browser spoofing Poor device/browser spoofing Excellent device/browser spoofing
  • 6. CREDENTIAL STUFFING Step 2 Automate Login * No programming skills required. Create script in visual constructor.
  • 8. | ©2021 F5 NETWORKS 8 Confidential / / Part of F5 CREDENTIAL STUFFING Step 3 Defeat Defenses (if any)
  • 12. CREDENTIAL STUFFING Step 3 Defeat Defenses (if any) What about 2FA ? 2FA does not stop Credential Stuffing 2FA stops automated account takeovers. The point of credential stuffing is to find valid accounts. Credential stuffing, even with 2FA, still results in valid accounts.
  • 13. CREDENTIAL STUFFING Step 3 Defeat Defenses (if any) How can attacker bypass 2FA ? 1. Social Engineering 2. Phising (RTPP) 3. Sim Swapping 4. etc.. 472618
  • 15. | ©2021 F5 NETWORKS 15 Attack Kill Chain Stolen credentials Botnets,cloud hosting,proxies Loginbehavior simulationtools CAPTCHAsolving tools starting: $0 $2 per 1000 IPs $50 per site config $1.39 per 1000 Because resources are cheap and widely available, it can cost just $200 to takeover 1000 accounts via credential stuffing.
  • 16. CREDENTIAL STUFFING Call To Action for All Users 1. haveibeenpwned.com 2. Make your passwords unique 3. Use password manager 4. Enable 2FA 5. Review your social media privacy setting and so on.. please check securitycheckli.st
  • 17. CREDENTIAL STUFFING Call To Action for IT Security & Anti Fraud Team [email protected]
  • 18. | ©2021 F5 NETWORKS 18 Thank You & Stay Healthy