SlideShare a Scribd company logo

API Security Webinar - Credential Stuffing

DevOps Indonesia, profile picture
DevOps Indonesia

Credential stuffing exploits the common practice of password reuse across multiple services by replaying breached username/password pairs to access accounts. The process involves four steps: obtaining credentials, automating login attempts, defeating security defenses, and distributing attacks globally. Despite two-factor authentication (2FA) being in place, credential stuffing can still lead to successful account takeovers through methods like social engineering and phishing.

Technology
1 of 18
Download to read offline
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
| ©2021 F5 NETWORKS 1 June 2021 Alexander Marcel Credential Stuffing
“Credential Stuffing is super effective because it takes advantage of human behavior where majority is using same password for multiple services” CREDENTIAL STUFFING cre.den.tial stuff.ing The replay of a breached username/password pairs across sites to find accounts where passwords have been reused.
| ©2021 F5 NETWORKS 3 Confidential / / Part of F5 Get Credentials Automate Login Distribute Globally Defeat Automation Defenses (if any) 1 2 3 CREDENTIAL STUFFING 4 cre.den.tial stuff.ing The replay of a breached username/password pairs across sites to find accounts where passwords have been reused. STEPS OF CREDENTIAL STUFFING
CREDENTIAL STUFFING Step 1 Get Credentials
CREDENTIAL STUFFING Step 2 Automate Login No user interaction No device or browser spoofing Poor device/browser spoofing Excellent device/browser spoofing
CREDENTIAL STUFFING Step 2 Automate Login * No programming skills required. Create script in visual constructor.
CREDENTIAL STUFFING Step 2 Automate Login
| ©2021 F5 NETWORKS 8 Confidential / / Part of F5 CREDENTIAL STUFFING Step 3 Defeat Defenses (if any)
CREDENTIAL STUFFING Step 3 Defeat Defenses (if any)
CREDENTIAL STUFFING Step 3 Defeat Defenses (if any)
CREDENTIAL STUFFING Step 3 Defeat Defenses (if any)
CREDENTIAL STUFFING Step 3 Defeat Defenses (if any) What about 2FA ? 2FA does not stop Credential Stuffing 2FA stops automated account takeovers. The point of credential stuffing is to find valid accounts. Credential stuffing, even with 2FA, still results in valid accounts.
CREDENTIAL STUFFING Step 3 Defeat Defenses (if any) How can attacker bypass 2FA ? 1. Social Engineering 2. Phising (RTPP) 3. Sim Swapping 4. etc.. 472618
CREDENTIAL STUFFING Step 4 Distribute Globally
| ©2021 F5 NETWORKS 15 Attack Kill Chain Stolen credentials Botnets,cloud hosting,proxies Loginbehavior simulationtools CAPTCHAsolving tools starting: $0 $2 per 1000 IPs $50 per site config $1.39 per 1000 Because resources are cheap and widely available, it can cost just $200 to takeover 1000 accounts via credential stuffing.
CREDENTIAL STUFFING Call To Action for All Users 1. haveibeenpwned.com 2. Make your passwords unique 3. Use password manager 4. Enable 2FA 5. Review your social media privacy setting and so on.. please check securitycheckli.st
CREDENTIAL STUFFING Call To Action for IT Security & Anti Fraud Team alexander.marcel@f5.com
| ©2021 F5 NETWORKS 18 Thank You & Stay Healthy

More Related Content

PDF
State of Web Security RailsConf 2016
IMMUNIO
 
PPTX
The Quiet Rise of Account Takeover
IMMUNIO
 
PPTX
Two Step Authentication - Chris La Nauze WordPress meetup presentation
Chris La Nauze
 
PPT
Phishing with Super Bait
Jeremiah Grossman
 
PDF
Esoteric xss payloads
Riyaz Walikar
 
PPTX
Hacking Samsung's Tizen: The OS of Everything - Hack In the Box 2015
Ajin Abraham
 
PPT
Joe CFO for CiscoLive Berlin 2016 Email and Web Security Presentation
Bruce Johnson
 
PDF
Penetration Testing Analysis of The Shop (Test Environment)
Gavin Wiener
 
State of Web Security RailsConf 2016
IMMUNIO
 
The Quiet Rise of Account Takeover
IMMUNIO
 
Two Step Authentication - Chris La Nauze WordPress meetup presentation
Chris La Nauze
 
Phishing with Super Bait
Jeremiah Grossman
 
Esoteric xss payloads
Riyaz Walikar
 
Hacking Samsung's Tizen: The OS of Everything - Hack In the Box 2015
Ajin Abraham
 
Joe CFO for CiscoLive Berlin 2016 Email and Web Security Presentation
Bruce Johnson
 
Penetration Testing Analysis of The Shop (Test Environment)
Gavin Wiener
 

What's hot (6)

PPT
DEFCON 17 Presentation: CSRF - Yeah, It Still Works
Russ McRee
 
ODP
Csrf not all defenses are created equal
Ari Elias-Bachrach
 
PPTX
Security with ColdFusion
isummation
 
PDF
How to get deeper administration insights into your tenant
Robert Crane
 
PDF
MID_Security_Connected_Jan_van_Vliet_EN
Vladyslav Radetsky
 
PDF
Atelier Technique - F5 - #ACSS2019
African Cyber Security Summit
 
DEFCON 17 Presentation: CSRF - Yeah, It Still Works
Russ McRee
 
Csrf not all defenses are created equal
Ari Elias-Bachrach
 
Security with ColdFusion
isummation
 
How to get deeper administration insights into your tenant
Robert Crane
 
MID_Security_Connected_Jan_van_Vliet_EN
Vladyslav Radetsky
 
Atelier Technique - F5 - #ACSS2019
African Cyber Security Summit
 
Ad

Similar to API Security Webinar - Credential Stuffing (6)

PDF
How Credential Stuffing is Evolving - PasswordsCon 2019
Jarrod Overson
 
PDF
The State of Credential Stuffing and the Future of Account Takeovers.
Jarrod Overson
 
PDF
AppSecCali - How Credential Stuffing is Evolving
Jarrod Overson
 
PDF
Csrf
samtpru
 
PDF
How LoginRadius Helps Media Companies Prevent Credential Cracking
Kevin Mathew
 
PPTX
HackCon - SPF
Adam Compton
 
How Credential Stuffing is Evolving - PasswordsCon 2019
Jarrod Overson
 
The State of Credential Stuffing and the Future of Account Takeovers.
Jarrod Overson
 
AppSecCali - How Credential Stuffing is Evolving
Jarrod Overson
 
Csrf
samtpru
 
How LoginRadius Helps Media Companies Prevent Credential Cracking
Kevin Mathew
 
HackCon - SPF
Adam Compton
 
Ad

More from DevOps Indonesia (20)

PDF
DevSecOps Implementation Journey
DevOps Indonesia
 
PDF
DevOps Indonesia X Palo Alto and Dkatalis Roadshow to DevOpsDays Jakarta 2022
DevOps Indonesia
 
PDF
Securing an NGINX deployment for K8s
DevOps Indonesia
 
PDF
DevOps Indonesia Meetup #52 - announcement
DevOps Indonesia
 
PDF
Dev ops meetup 51 : Securing DevOps Lifecycle - Announcement
DevOps Indonesia
 
PDF
Securing DevOps Lifecycle
DevOps Indonesia
 
PDF
DevOps Meetup 50 : Securing your Application - Announcement
DevOps Indonesia
 
PDF
Secure your Application with Google cloud armor
DevOps Indonesia
 
PDF
DevOps Meetup 49 Aws Copilot and Gitops - announcement by DevOps Indonesia
DevOps Indonesia
 
PDF
Operate Containers with AWS Copilot
DevOps Indonesia
 
PDF
Continuously Deploy Your CDK Application by Petra novandi barus
DevOps Indonesia
 
PDF
DevOps indonesia (online) meetup 46 aws with payfazz in devops indonesia - a...
DevOps Indonesia
 
PDF
Securing Your Database Dynamic DB Credentials
DevOps Indonesia
 
PDF
DevOps Indonesia (online) meetup 45 - Announcement
DevOps Indonesia
 
PDF
The Death and Rise of Enterprise DevOps
DevOps Indonesia
 
PDF
API Security Webinar - Security Guidelines for Providing and Consuming APIs
DevOps Indonesia
 
PDF
API Security Webinar - Hendra Tanto
DevOps Indonesia
 
PDF
API Security Webinar : Credential Stuffing
DevOps Indonesia
 
PDF
API Security Webinar : Security Guidelines for Providing and Consuming APIs
DevOps Indonesia
 
PDF
Feature Scoring in Green Field Application Development and DevOps
DevOps Indonesia
 
DevSecOps Implementation Journey
DevOps Indonesia
 
DevOps Indonesia X Palo Alto and Dkatalis Roadshow to DevOpsDays Jakarta 2022
DevOps Indonesia
 
Securing an NGINX deployment for K8s
DevOps Indonesia
 
DevOps Indonesia Meetup #52 - announcement
DevOps Indonesia
 
Dev ops meetup 51 : Securing DevOps Lifecycle - Announcement
DevOps Indonesia
 
Securing DevOps Lifecycle
DevOps Indonesia
 
DevOps Meetup 50 : Securing your Application - Announcement
DevOps Indonesia
 
Secure your Application with Google cloud armor
DevOps Indonesia
 
DevOps Meetup 49 Aws Copilot and Gitops - announcement by DevOps Indonesia
DevOps Indonesia
 
Operate Containers with AWS Copilot
DevOps Indonesia
 
Continuously Deploy Your CDK Application by Petra novandi barus
DevOps Indonesia
 
DevOps indonesia (online) meetup 46 aws with payfazz in devops indonesia - a...
DevOps Indonesia
 
Securing Your Database Dynamic DB Credentials
DevOps Indonesia
 
DevOps Indonesia (online) meetup 45 - Announcement
DevOps Indonesia
 
The Death and Rise of Enterprise DevOps
DevOps Indonesia
 
API Security Webinar - Security Guidelines for Providing and Consuming APIs
DevOps Indonesia
 
API Security Webinar - Hendra Tanto
DevOps Indonesia
 
API Security Webinar : Credential Stuffing
DevOps Indonesia
 
API Security Webinar : Security Guidelines for Providing and Consuming APIs
DevOps Indonesia
 
Feature Scoring in Green Field Application Development and DevOps
DevOps Indonesia
 

Recently uploaded (20)

PDF
Machine learning based COVID-19 study performance prediction
IAESIJAI
 
PDF
How UI/UX Design Impacts User Retention in Mobile Apps.pdf
SynapseIndia
 
PPTX
20250228 LYD VKU AI Blended-Learning.pptx
DatVoNgoc
 
PDF
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
PDF
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
PDF
Dropbox Q2 2025 Financial Results & Investor Presentation
Dropbox
 
PDF
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
Safe Software
 
PPTX
Effective Security Operations Center (SOC) A Modern, Strategic, and Threat-In...
ReZa AdineH
 
PDF
Advanced methodologies resolving dimensionality complications for autism neur...
IAESIJAI
 
PPTX
MYSQL Presentation for SQL database connectivity
Swati270511
 
PDF
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
PDF
Per capita expenditure prediction using model stacking based on satellite ima...
IAESIJAI
 
PDF
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
SOFTTECHHUB
 
PDF
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
PPTX
A Presentation on Artificial Intelligence
memembruh336
 
PDF
Chapter 3 Spatial Domain Image Processing.pdf
Getnet Tigabie Askale -(GM)
 
PPT
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
PPTX
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
blackmambaettijean
 
PDF
NewMind AI Weekly Chronicles - August'25 Week I
NewMind AI
 
PPTX
Detection-First SIEM: Rule Types, Dashboards, and Threat-Informed Strategy
ReZa AdineH
 
Machine learning based COVID-19 study performance prediction
IAESIJAI
 
How UI/UX Design Impacts User Retention in Mobile Apps.pdf
SynapseIndia
 
20250228 LYD VKU AI Blended-Learning.pptx
DatVoNgoc
 
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
Dropbox Q2 2025 Financial Results & Investor Presentation
Dropbox
 
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
Safe Software
 
Effective Security Operations Center (SOC) A Modern, Strategic, and Threat-In...
ReZa AdineH
 
Advanced methodologies resolving dimensionality complications for autism neur...
IAESIJAI
 
MYSQL Presentation for SQL database connectivity
Swati270511
 
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
Per capita expenditure prediction using model stacking based on satellite ima...
IAESIJAI
 
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
SOFTTECHHUB
 
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
A Presentation on Artificial Intelligence
memembruh336
 
Chapter 3 Spatial Domain Image Processing.pdf
Getnet Tigabie Askale -(GM)
 
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
blackmambaettijean
 
NewMind AI Weekly Chronicles - August'25 Week I
NewMind AI
 
Detection-First SIEM: Rule Types, Dashboards, and Threat-Informed Strategy
ReZa AdineH
 

API Security Webinar - Credential Stuffing

  • 1. | ©2021 F5 NETWORKS 1 June 2021 Alexander Marcel Credential Stuffing
  • 2. “Credential Stuffing is super effective because it takes advantage of human behavior where majority is using same password for multiple services” CREDENTIAL STUFFING cre.den.tial stuff.ing The replay of a breached username/password pairs across sites to find accounts where passwords have been reused.
  • 3. | ©2021 F5 NETWORKS 3 Confidential / / Part of F5 Get Credentials Automate Login Distribute Globally Defeat Automation Defenses (if any) 1 2 3 CREDENTIAL STUFFING 4 cre.den.tial stuff.ing The replay of a breached username/password pairs across sites to find accounts where passwords have been reused. STEPS OF CREDENTIAL STUFFING
  • 5. CREDENTIAL STUFFING Step 2 Automate Login No user interaction No device or browser spoofing Poor device/browser spoofing Excellent device/browser spoofing
  • 6. CREDENTIAL STUFFING Step 2 Automate Login * No programming skills required. Create script in visual constructor.
  • 8. | ©2021 F5 NETWORKS 8 Confidential / / Part of F5 CREDENTIAL STUFFING Step 3 Defeat Defenses (if any)
  • 12. CREDENTIAL STUFFING Step 3 Defeat Defenses (if any) What about 2FA ? 2FA does not stop Credential Stuffing 2FA stops automated account takeovers. The point of credential stuffing is to find valid accounts. Credential stuffing, even with 2FA, still results in valid accounts.
  • 13. CREDENTIAL STUFFING Step 3 Defeat Defenses (if any) How can attacker bypass 2FA ? 1. Social Engineering 2. Phising (RTPP) 3. Sim Swapping 4. etc.. 472618
  • 15. | ©2021 F5 NETWORKS 15 Attack Kill Chain Stolen credentials Botnets,cloud hosting,proxies Loginbehavior simulationtools CAPTCHAsolving tools starting: $0 $2 per 1000 IPs $50 per site config $1.39 per 1000 Because resources are cheap and widely available, it can cost just $200 to takeover 1000 accounts via credential stuffing.
  • 16. CREDENTIAL STUFFING Call To Action for All Users 1. haveibeenpwned.com 2. Make your passwords unique 3. Use password manager 4. Enable 2FA 5. Review your social media privacy setting and so on.. please check securitycheckli.st
  • 17. CREDENTIAL STUFFING Call To Action for IT Security & Anti Fraud Team alexander.marcel@f5.com
  • 18. | ©2021 F5 NETWORKS 18 Thank You & Stay Healthy