TRENDING
credentials do not get changed by unassuming consumers and credential stuffing solutions are yet to be widely adopted by enterprises,” said Sara Boddy, Senior Director of F5 Labs. “It is not surprising that during this period of research, we saw a shift in the number one attack type from HTTP attacks to credential stuffing. This attack type has a long-term impact on the security of applications and is not going to change any time soon. If you are worried about getting hacked, it’s most likely going to occur from a credential stuffing attack.”
Attackers will continue to modify their attacks to fraud protection techniques, which is creating a strong need and opportunity for adaptive, AI-powered controls related to credential stuffing and fraud. It is impossible to instantaneously detect 100% of the attacks.
Growing attacker sophistication
Despite a growing consensus on industry best practices, one of the report’s key findings is that poor password storage remains a perennial problem.
Although most organisations do not disclose password hashing algorithms, F5 was able to study 90 specific incidents to give a sense of the most likely credential spill culprits.
Over the past three years, 42.6% of the credential spills had no protection and the passwords were stored in plain text. This was followed by 20% of credentials related to the password hashing algorithm SHA-1 that were ‘unsalted’ (i.e. lacking a unique value that can be added to the end of the password to create a different hash value). The ‘salted’ bcrypt algorithm was third with 16.7%. Surprisingly, the widely discredited hashing algorithm, MD5, accounted for a small proportion of spilled credentials even when the hashes were salted (0.4%). MD5 has been considered weak and poor practice for decades, salted or not.
Sander Vinberg, Threat Research Evangelist at F5 Labs and Report Co-Author, urged organisations to remain vigilant.
“While it is interesting that the overall volume and size of spilled credentials fell in 2020, we should definitely not celebrate yet,” Vinberg warned. “Access attacks – including credential stuffing and phishing – are now the number one root cause of breaches.
“It is highly unlikely that security teams are winning the war against data exfiltration and fraud, so it looks as though we are seeing a previously chaotic market stabilise as it reaches greater maturity.”
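As an added illustration of the password storage findings above (example code written for this page, not from the article or the F5 report), the block below stores a few constructed user records in three of the ways the report distinguishes, plain text, unsalted SHA-1 and a salted iterated hash, and counts how many stored values betray that two users share a password. bcrypt is not in the Python standard library, so PBKDF2-HMAC-SHA256 from hashlib stands in for the salted algorithm; the per-record random salt is the property the report's ‘salted’ label refers to, and the iteration count, field layout and sample users are assumptions made for the example.

```python
"""Added illustration (not from the article or the F5 report): why plain text
and unsalted SHA-1 storage leak more than a salted, iterated hash.

PBKDF2-HMAC-SHA256 stands in for bcrypt here because bcrypt is not in the
standard library; the salting principle being demonstrated is the same."""
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample users; two of them chose the same weak password.
SAMPLE_USERS = {
    "alice": "password",
    "bob": "password",
    "carol": "correct horse battery staple",
}

# Assumed work factor for the example; production values should be tuned.
ITERATIONS = 100_000


def unsalted_sha1(password: str) -> str:
    """Unsalted SHA-1: the same password always yields the same digest, so a
    leaked table can be matched against digests computed in advance."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def salted_hash(password: str, salt: Optional[bytes] = None,
                iterations: int = ITERATIONS) -> str:
    """Salted, iterated hash. The random salt is stored next to the digest
    as 'iterations$salt_hex$digest_hex' so it can be reused at verification."""
    if salt is None:
        salt = os.urandom(16)  # unique per stored record
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations)
    return f"{iterations}${salt.hex()}${digest.hex()}"


def verify_salted(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in
    constant time so the check itself does not leak timing information."""
    iterations, salt_hex, digest_hex = stored.split("$")
    recomputed = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                     bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(recomputed.hex(), digest_hex)


def duplicate_hash_count(records: dict) -> int:
    """Number of stored values that equal another user's stored value. With
    plain text or an unsalted hash this exposes shared passwords; with a
    per-record salt it should be 0 even when passwords are identical."""
    values = list(records.values())
    return len(values) - len(set(values))


def compare_storage_schemes(users: dict = SAMPLE_USERS) -> dict:
    """Store the constructed users three ways and report, per scheme, how many
    entries reveal a shared password through identical stored values."""
    plain = dict(users)
    sha1 = {u: unsalted_sha1(p) for u, p in users.items()}
    salted = {u: salted_hash(p) for u, p in users.items()}
    return {
        "plain_text_duplicates": duplicate_hash_count(plain),
        "unsalted_sha1_duplicates": duplicate_hash_count(sha1),
        "salted_duplicates": duplicate_hash_count(salted),
    }


if __name__ == "__main__":
    print(compare_storage_schemes())
```

Running it shows one duplicate for the plain text and unsalted SHA-1 stores (alice and bob are visibly the same) and none for the salted store, which is the difference between the report's 42.6% and 20% categories on one side and its 16.7% bcrypt category on the other. The salt buys nothing against a guess of a single weak password; it only stops one guess from being amortised across every record at once.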
Another notable observation in the report is that attackers are increasingly using ‘fuzzing’ techniques to optimise credential exploit success. Fuzzing is the process of finding security vulnerabilities in input-parsing code by repeatedly testing the parser with modified inputs. F5 found that most fuzzing attacks occurred prior to the public release of the compromised credentials, which suggests that the practice is more common among sophisticated attackers.
Spill detection
In the 2018 Credential Stuffing Report, F5 reported that it took an average of 15 months for a credential spill to become public knowledge. This has improved in the past three years. The average time to detect incidents, when both the incident date and the discovery date are known, is now around 11 months. However, this number is skewed by a handful of incidents where the time to detect was three years or longer. The median time to detect incidents is 120 days. It is important to note that spills are often detected on the dark web before organisations disclose a breach.
The Dark Web in the spotlight
The announcement of a spill typically coincides with credentials appearing on Dark Web forums. For the 2020 Credentials Stuffing Report, F5 specifically analysed the crucial period between the theft of
26 INTELLIGENTCIO MIDDLE EAST www.intelligentcio.com