DevOps Indonesia, profile picture
Uploaded byDevOps Indonesia
157 views

API Security Webinar : Credential Stuffing

Credential stuffing involves using breached username and password pairs from one site to attempt to log in to other sites where users may have reused passwords. It occurs in four main steps: 1) obtaining credentials from data breaches, 2) automating the login process without human interaction, 3) defeating any login defenses, and 4) distributing the process globally through botnets and cloud hosting. While two-factor authentication prevents account takeovers, credential stuffing can still reveal valid user accounts. Users and organizations are encouraged to take steps like using unique passwords, password managers, and two-factor authentication to help mitigate credential stuffing risks.

Travelâ—¦

Embed presentation

Download to read offline
| ©2021 F5 NETWORKS 1 June 2021 Alexander Marcel Credential Stuffing
“Credential Stuffing is super effective because it takes advantage of human behavior where majority is using same password for multiple services” CREDENTIAL STUFFING cre.den.tial stuff.ing The replay of a breached username/password pairs across sites to find accounts where passwords have been reused.
| ©2021 F5 NETWORKS 3 Confidential / / Part of F5 Get Credentials Automate Login Distribute Globally Defeat Automation Defenses (if any) 1 2 3 CREDENTIAL STUFFING 4 cre.den.tial stuff.ing The replay of a breached username/password pairs across sites to find accounts where passwords have been reused. STEPS OF CREDENTIAL STUFFING
CREDENTIAL STUFFING Step 1 Get Credentials
CREDENTIAL STUFFING Step 2 Automate Login No user interaction No device or browser spoofing Poor device/browser spoofing Excellent device/browser spoofing
CREDENTIAL STUFFING Step 2 Automate Login * No programming skills required. Create script in visual constructor.
CREDENTIAL STUFFING Step 2 Automate Login
| ©2021 F5 NETWORKS 8 Confidential / / Part of F5 CREDENTIAL STUFFING Step 3 Defeat Defenses (if any)
CREDENTIAL STUFFING Step 3 Defeat Defenses (if any)
CREDENTIAL STUFFING Step 3 Defeat Defenses (if any)
CREDENTIAL STUFFING Step 3 Defeat Defenses (if any)
CREDENTIAL STUFFING Step 3 Defeat Defenses (if any) What about 2FA ? 2FA does not stop Credential Stuffing 2FA stops automated account takeovers. The point of credential stuffing is to find valid accounts. Credential stuffing, even with 2FA, still results in valid accounts.
CREDENTIAL STUFFING Step 3 Defeat Defenses (if any) How can attacker bypass 2FA ? 1. Social Engineering 2. Phising (RTPP) 3. Sim Swapping 4. etc.. 472618
CREDENTIAL STUFFING Step 4 Distribute Globally
| ©2021 F5 NETWORKS 15 Attack Kill Chain Stolen credentials Botnets,cloud hosting,proxies Loginbehavior simulationtools CAPTCHAsolving tools starting: $0 $2 per 1000 IPs $50 per site config $1.39 per 1000 Because resources are cheap and widely available, it can cost just $200 to takeover 1000 accounts via credential stuffing.
CREDENTIAL STUFFING Call To Action for All Users 1. haveibeenpwned.com 2. Make your passwords unique 3. Use password manager 4. Enable 2FA 5. Review your social media privacy setting and so on.. please check securitycheckli.st
CREDENTIAL STUFFING Call To Action for IT Security & Anti Fraud Team alexander.marcel@f5.com
| ©2021 F5 NETWORKS 18 Thank You & Stay Healthy

More Related Content

PDF
State of Web Security RailsConf 2016
byIMMUNIO
 
PPTX
The Quiet Rise of Account Takeover
byIMMUNIO
 
PPTX
Two Step Authentication - Chris La Nauze WordPress meetup presentation
byChris La Nauze
 
PPT
Phishing with Super Bait
byJeremiah Grossman
 
PDF
Esoteric xss payloads
byRiyaz Walikar
 
PPTX
Hacking Samsung's Tizen: The OS of Everything - Hack In the Box 2015
byAjin Abraham
 
PDF
Penetration Testing Analysis of The Shop (Test Environment)
byGavin Wiener
 
PPT
Joe CFO for CiscoLive Berlin 2016 Email and Web Security Presentation
byBruce Johnson
 
State of Web Security RailsConf 2016
byIMMUNIO
 
The Quiet Rise of Account Takeover
byIMMUNIO
 
Two Step Authentication - Chris La Nauze WordPress meetup presentation
byChris La Nauze
 
Phishing with Super Bait
byJeremiah Grossman
 
Esoteric xss payloads
byRiyaz Walikar
 
Hacking Samsung's Tizen: The OS of Everything - Hack In the Box 2015
byAjin Abraham
 
Penetration Testing Analysis of The Shop (Test Environment)
byGavin Wiener
 
Joe CFO for CiscoLive Berlin 2016 Email and Web Security Presentation
byBruce Johnson
 

What's hot

PPT
DEFCON 17 Presentation: CSRF - Yeah, It Still Works
byRuss McRee
 
ODP
Csrf not all defenses are created equal
byAri Elias-Bachrach
 
PPTX
Security with ColdFusion
byisummation
 
PDF
How to get deeper administration insights into your tenant
byRobert Crane
 
PDF
MID_Security_Connected_Jan_van_Vliet_EN
byVladyslav Radetsky
 
PDF
Atelier Technique - F5 - #ACSS2019
byAfrican Cyber Security Summit
 
DEFCON 17 Presentation: CSRF - Yeah, It Still Works
byRuss McRee
 
Csrf not all defenses are created equal
byAri Elias-Bachrach
 
Security with ColdFusion
byisummation
 
How to get deeper administration insights into your tenant
byRobert Crane
 
MID_Security_Connected_Jan_van_Vliet_EN
byVladyslav Radetsky
 
Atelier Technique - F5 - #ACSS2019
byAfrican Cyber Security Summit
 

Similar to API Security Webinar : Credential Stuffing

PDF
How Credential Stuffing is Evolving - PasswordsCon 2019
byJarrod Overson
 
PDF
The State of Credential Stuffing and the Future of Account Takeovers.
byJarrod Overson
 
PDF
AppSecCali - How Credential Stuffing is Evolving
byJarrod Overson
 
PDF
Csrf
bysamtpru
 
PDF
How LoginRadius Helps Media Companies Prevent Credential Cracking
byKevin Mathew
 
PPTX
HackCon - SPF
byAdam Compton
 
How Credential Stuffing is Evolving - PasswordsCon 2019
byJarrod Overson
 
The State of Credential Stuffing and the Future of Account Takeovers.
byJarrod Overson
 
AppSecCali - How Credential Stuffing is Evolving
byJarrod Overson
 
Csrf
bysamtpru
 
How LoginRadius Helps Media Companies Prevent Credential Cracking
byKevin Mathew
 
HackCon - SPF
byAdam Compton
 

More from DevOps Indonesia

PDF
DevSecOps Implementation Journey
byDevOps Indonesia
 
PDF
DevOps Indonesia X Palo Alto and Dkatalis Roadshow to DevOpsDays Jakarta 2022
byDevOps Indonesia
 
PDF
Securing an NGINX deployment for K8s
byDevOps Indonesia
 
PDF
DevOps Indonesia Meetup #52 - announcement
byDevOps Indonesia
 
PDF
Dev ops meetup 51 : Securing DevOps Lifecycle - Announcement
byDevOps Indonesia
 
PDF
Securing DevOps Lifecycle
byDevOps Indonesia
 
PDF
DevOps Meetup 50 : Securing your Application - Announcement
byDevOps Indonesia
 
PDF
Secure your Application with Google cloud armor
byDevOps Indonesia
 
PDF
DevOps Meetup 49 Aws Copilot and Gitops - announcement by DevOps Indonesia
byDevOps Indonesia
 
PDF
Operate Containers with AWS Copilot
byDevOps Indonesia
 
PDF
Continuously Deploy Your CDK Application by Petra novandi barus
byDevOps Indonesia
 
PDF
DevOps indonesia (online) meetup 46 aws with payfazz in devops indonesia - a...
byDevOps Indonesia
 
PDF
Securing Your Database Dynamic DB Credentials
byDevOps Indonesia
 
PDF
DevOps Indonesia (online) meetup 45 - Announcement
byDevOps Indonesia
 
PDF
The Death and Rise of Enterprise DevOps
byDevOps Indonesia
 
PDF
API Security Webinar - Credential Stuffing
byDevOps Indonesia
 
PDF
API Security Webinar - Security Guidelines for Providing and Consuming APIs
byDevOps Indonesia
 
PDF
API Security Webinar - Hendra Tanto
byDevOps Indonesia
 
PDF
API Security Webinar : Security Guidelines for Providing and Consuming APIs
byDevOps Indonesia
 
PDF
Feature Scoring in Green Field Application Development and DevOps
byDevOps Indonesia
 
DevSecOps Implementation Journey
byDevOps Indonesia
 
DevOps Indonesia X Palo Alto and Dkatalis Roadshow to DevOpsDays Jakarta 2022
byDevOps Indonesia
 
Securing an NGINX deployment for K8s
byDevOps Indonesia
 
DevOps Indonesia Meetup #52 - announcement
byDevOps Indonesia
 
Dev ops meetup 51 : Securing DevOps Lifecycle - Announcement
byDevOps Indonesia
 
Securing DevOps Lifecycle
byDevOps Indonesia
 
DevOps Meetup 50 : Securing your Application - Announcement
byDevOps Indonesia
 
Secure your Application with Google cloud armor
byDevOps Indonesia
 
DevOps Meetup 49 Aws Copilot and Gitops - announcement by DevOps Indonesia
byDevOps Indonesia
 
Operate Containers with AWS Copilot
byDevOps Indonesia
 
Continuously Deploy Your CDK Application by Petra novandi barus
byDevOps Indonesia
 
DevOps indonesia (online) meetup 46 aws with payfazz in devops indonesia - a...
byDevOps Indonesia
 
Securing Your Database Dynamic DB Credentials
byDevOps Indonesia
 
DevOps Indonesia (online) meetup 45 - Announcement
byDevOps Indonesia
 
The Death and Rise of Enterprise DevOps
byDevOps Indonesia
 
API Security Webinar - Credential Stuffing
byDevOps Indonesia
 
API Security Webinar - Security Guidelines for Providing and Consuming APIs
byDevOps Indonesia
 
API Security Webinar - Hendra Tanto
byDevOps Indonesia
 
API Security Webinar : Security Guidelines for Providing and Consuming APIs
byDevOps Indonesia
 
Feature Scoring in Green Field Application Development and DevOps
byDevOps Indonesia
 

API Security Webinar : Credential Stuffing

  • 1.
    | ©2021 F5NETWORKS 1 June 2021 Alexander Marcel Credential Stuffing
  • 2.
    “Credential Stuffing issuper effective because it takes advantage of human behavior where majority is using same password for multiple services” CREDENTIAL STUFFING cre.den.tial stuff.ing The replay of a breached username/password pairs across sites to find accounts where passwords have been reused.
  • 3.
    | ©2021 F5NETWORKS 3 Confidential / / Part of F5 Get Credentials Automate Login Distribute Globally Defeat Automation Defenses (if any) 1 2 3 CREDENTIAL STUFFING 4 cre.den.tial stuff.ing The replay of a breached username/password pairs across sites to find accounts where passwords have been reused. STEPS OF CREDENTIAL STUFFING
  • 4.
  • 5.
    CREDENTIAL STUFFING Step 2 AutomateLogin No user interaction No device or browser spoofing Poor device/browser spoofing Excellent device/browser spoofing
  • 6.
    CREDENTIAL STUFFING Step 2 AutomateLogin * No programming skills required. Create script in visual constructor.
  • 7.
  • 8.
    | ©2021 F5NETWORKS 8 Confidential / / Part of F5 CREDENTIAL STUFFING Step 3 Defeat Defenses (if any)
  • 9.
  • 10.
  • 11.
  • 12.
    CREDENTIAL STUFFING Step 3 DefeatDefenses (if any) What about 2FA ? 2FA does not stop Credential Stuffing 2FA stops automated account takeovers. The point of credential stuffing is to find valid accounts. Credential stuffing, even with 2FA, still results in valid accounts.
  • 13.
    CREDENTIAL STUFFING Step 3 DefeatDefenses (if any) How can attacker bypass 2FA ? 1. Social Engineering 2. Phising (RTPP) 3. Sim Swapping 4. etc.. 472618
  • 14.
  • 15.
    | ©2021 F5NETWORKS 15 Attack Kill Chain Stolen credentials Botnets,cloud hosting,proxies Loginbehavior simulationtools CAPTCHAsolving tools starting: $0 $2 per 1000 IPs $50 per site config $1.39 per 1000 Because resources are cheap and widely available, it can cost just $200 to takeover 1000 accounts via credential stuffing.
  • 16.
    CREDENTIAL STUFFING Call ToAction for All Users 1. haveibeenpwned.com 2. Make your passwords unique 3. Use password manager 4. Enable 2FA 5. Review your social media privacy setting and so on.. please check securitycheckli.st
  • 17.
    CREDENTIAL STUFFING Call ToAction for IT Security & Anti Fraud Team alexander.marcel@f5.com
  • 18.
    | ©2021 F5NETWORKS 18 Thank You & Stay Healthy