SPOOFING

Well, just what is spoofing anyway? While spoofing can refer to impersonating any person, system or process, it very often manifests itself as a bad actor using stolen user credentials to access a system. It is much easier to access a system using real user credentials than it would be to gain unauthenticated access.
Credential Stuffing
With increasing password complexity requirements, users are creating passwords that are difficult to brute force. For example, a user may come up with a random string they can remember, such as:
f4T6*2jmB1($1
According to www.howsecureismypassword.net, that particular complex password would take 3 million years to brute force. So a user can feel really good about that and just use that one ultra-secure password everywhere, right?
That's a great strategy until one of the numerous sites the password was used on is breached, and now your user ID and password are known to the bad actor. Using automated tools, the same user ID and password are 'stuffed' into a huge number of websites in the hope of finding a match. For the bad actor the ideal match would be something like a banking or credit card website, or perhaps even a corporate system.
According to OWASP, credential stuffing is one of the most common techniques for account spoofing, so it is definitely something to keep an eye on. OWASP also suggests multi-factor authentication as a preventative measure, and indeed MFA does solve many of the issues related to authentication. There is of course a trade-off: MFA can be complicated and expensive to deploy, and users are often resistant to anything that complicates the logon process.
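As an added illustration (not part of the original post), here is a small Python detector for the pattern described above: one source 'stuffing' many different user IDs into the logon page, mostly failing, with the occasional match. The log format, IP addresses, usernames and thresholds are all constructed for this example.

```python
"""Flag credential-stuffing activity in authentication logs. Stuffing replays
breached user ID/password pairs at scale, so the signal is one source trying
MANY DISTINCT usernames, mostly failing, in a short window; one user failing
repeatedly is a different pattern. Log format and thresholds are assumed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines: "<ISO timestamp> <source IP> <username> <result>"
SAMPLE_LOG = """\
2023-05-01T10:00:01 203.0.113.7 alice FAIL
2023-05-01T10:00:02 203.0.113.7 bob FAIL
2023-05-01T10:00:02 203.0.113.7 carol FAIL
2023-05-01T10:00:03 203.0.113.7 dave FAIL
2023-05-01T10:00:04 203.0.113.7 erin OK
2023-05-01T10:00:05 203.0.113.7 frank FAIL
2023-05-01T10:00:07 198.51.100.9 alice FAIL
2023-05-01T10:00:20 198.51.100.9 alice OK
"""

def parse_log(text):
    """Parse "<ts> <ip> <user> <result>" lines into (ts, ip, user, ok) tuples."""
    rows = (line.split() for line in text.splitlines())
    return [(datetime.fromisoformat(ts), ip, user, res == "OK") for ts, ip, user, res in rows]

def find_stuffing_sources(events, window=timedelta(minutes=5),
                          min_users=5, max_success_rate=0.5):
    """Return {ip: stats} for sources whose attempts in some sliding window
    cover at least min_users distinct usernames with a low success rate."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in sorted(events):
        by_ip[ip].append((ts, user, ok))
    flagged = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:  # drop events older than window
                start += 1
            span = evs[start:end + 1]
            users = {u for _, u, _ in span}
            successes = sum(ok for _, _, ok in span)
            if len(users) >= min_users and successes / len(span) <= max_success_rate:
                prev = flagged.get(ip)  # keep the widest qualifying window per source
                if prev is None or len(users) > prev["distinct_users"]:
                    flagged[ip] = {"distinct_users": len(users),
                                   "attempts": len(span), "successes": successes}
    return flagged

def accounts_to_reset(events, flagged):
    """Users who logged in OK from a flagged source: reset password, require MFA."""
    return {user for _, ip, user, ok in events if ok and ip in flagged}
```

The second source in the sample (one user retrying their own password) is deliberately not flagged, since the distinguishing feature of stuffing is breadth across accounts rather than depth against one.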
https://www.owasp.org/index.php/Credential_stuffing
https://www.owasp.org/index.php/Credential_Stuffing_Prevention_Cheat_Sheet
https://breachinsider.com/blog/2017/credential-stuffing-how-breached-credentials-are-put-to-bad-use/