Thieves have a Fast Track to your Assets with Credential Stuffing

Why would a thief bother stealing your identity when they can steal your money directly? Answer: they wouldn’t. More and more criminals are taking a more direct route to people’s assets through a tactic called “credential stuffing.” The massive data breaches of recent years have made vast amounts of personal data available on the dark web, and bad guys are using it to take over financial and other accounts. So, let’s talk about how credential stuffing works and what you can do to defend yourself.

In a nutshell, credential stuffing uses automation to “stuff” vast numbers of stolen usernames and passwords into the login pages of multiple online accounts. Think of it like a slot machine where players just keep stuffing in tokens until they hit the jackpot. Stolen information from data breaches is posted for sale, or even free, on the dark web. Criminals then buy the information and credential stuffing software (which retails on the dark web for as little as $50) to try millions of passwords on different accounts at financial services companies, retail businesses, and other organizations. Only a small percentage of the attempts succeed, but once they’re in, thieves can drain accounts completely or use credit accounts for large purchases.

So, why does credential stuffing work? Because remembering multiple passwords can be stressful, many people use the same password and sometimes user ID for multiple accounts. For example, if your credit card issuer has a data breach and you use the same password on your bank or another account, a credential stuffer can just keep trying that password on different sites until they get lucky. And because they’re breaking into an existing account with an existing password, they won’t trigger security alarms.

Fortunately, there are several things you can do to protect yourself against credential stuffing:

  • Never use the same password on multiple accounts. Consider a password manager to help you generate and manage unique passwords for all your accounts.
  • Change passwords often. That way, a stolen password is likely to be out of date by the time a criminal gets it from the dark web.
  • Whenever possible, set up your financial accounts with two-factor authentication so a credential stuffer can’t get in with your password alone.
  • Set up alerts so you get immediate notification and can take action if there is unauthorized activity.
  • Use a dark web monitoring service such as CyberScan™ to see what information might already be compromised and to get alerts when more of your personal information appears on the dark web. While CyberScan is already included with a MyIDCare membership, it is also available for everyone to try for free at https://try.myidcare.com/cyberscan/. Once you know what information is compromised, you’ll have a better understanding of how to protect yourself, such as which credentials to change immediately and which accounts to watch.

With massive amounts of stolen data on the dark web and with the easy availability of credential stuffing software, this kind of crime is becoming more frequent. A recent article in SpyCloud reported that, already, up to 43 percent of logins submitted through most sites are account takeover attempts. And once your assets are gone, recovering them is no small feat. So, protect yourself in all the ways outlined above, and, in case the worst happens, make sure you have an identity protection plan such as MyIDCare, from ID Experts, that guarantees 100% recovery from ID theft or fraud.
