
Credential Stuffing: How PRC Almost Hacked my Steam

Lef Ioannidis
July 8, 2021

Recently we’ve witnessed some pretty big password leaks. First, 6.4m unsalted passwords leaked from LinkedIn, then 500m passwords leaked from Yahoo, a figure which today has grown to 1 billion accounts. This is truly scary, even if you haven’t been using your Yahoo account. To see why, let us go back a couple of months to when I almost fell victim to a credential stuffing attack from China.

First of all, “credential stuffing” is a fancy name for exploiting password reuse. All it takes is somebody with fairly intermediate computer security knowledge looking up the password dumps from Yahoo or LinkedIn (widely available), then trying the same exact credentials on as many different sites as possible until there is a match. In my case, I logged into my Steam account and saw something like this:

[Screenshot] Steam: what it looks like when you have been hacked

Unfortunately, Steam does not specify whether this was a credential stuffing attempt, but it came only a week after the big LinkedIn leak. I may also have been reusing the same password for my LinkedIn and Steam, so all the pieces fit. Steam was very helpful in telling me the following:

  1. Somebody had tried to access my account from PRC.
  2. He had both my username and password.
  3. His attempt was blocked since I’ve never accessed Steam from PRC.
  4. I needed to change my password to regain access to my account.
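The two controls that this story turns on, screening a chosen password against a public dump and refusing a correct-password login from a country the account has never used, are sketched below from the defender's side. This is an added example, not the post's or Steam's code; the breach set, the account, the country codes and the login events are all constructed, and the `LoginGuard` class and its methods are hypothetical names.

```python
"""
Defender-side sketch of two credential-stuffing controls: screening a chosen
password against a known breach dump, and blocking a correct-password login
that arrives from a country the account has never been used from.
Added example; the breach set, accounts and login events are constructed.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field

# Constructed stand-in for the contents of a public password dump.
LEAKED_PASSWORDS = {"password", "123456", "d34db33d", "letmein"}

# A service keeps only a hash of each leaked password (SHA-1 is the form the
# Have I Been Pwned range API uses) and compares candidates against that set.
LEAKED_SHA1 = {hashlib.sha1(p.encode()).hexdigest() for p in LEAKED_PASSWORDS}


def is_breached(password: str) -> bool:
    """True if the candidate password appears in the constructed breach set."""
    return hashlib.sha1(password.encode()).hexdigest() in LEAKED_SHA1


def derive(password: str, salt: bytes) -> bytes:
    """Salted, slow hash for storage; the plaintext is never kept."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Account:
    username: str
    salt: bytes
    verifier: bytes
    known_countries: set = field(default_factory=set)


@dataclass
class Decision:
    allowed: bool
    reason: str
    force_reset: bool = False


class LoginGuard:
    """Hypothetical login service holding accounts and their seen countries."""

    def __init__(self):
        self.accounts: dict = {}

    def register(self, username: str, password: str, country: str) -> bool:
        """Create the account; refuse any password already present in a dump."""
        if is_breached(password):
            return False
        salt = os.urandom(16)
        self.accounts[username] = Account(username, salt, derive(password, salt), {country})
        return True

    def login(self, username: str, password: str, country: str) -> Decision:
        acct = self.accounts.get(username)
        if acct is None or not hmac.compare_digest(derive(password, acct.salt), acct.verifier):
            return Decision(False, "bad credentials")
        if country not in acct.known_countries:
            # Correct credentials from a never-seen country is the credential
            # stuffing signature: block the attempt and force a reset, because
            # the secret is evidently known to someone else.
            return Decision(False, f"login from new country {country} blocked", force_reset=True)
        return Decision(True, "ok")


if __name__ == "__main__":
    guard = LoginGuard()
    guard.register("lef", "Xy7!vgPq#2Lm9Qr$", "US")  # constructed account
    print(guard.login("lef", "Xy7!vgPq#2Lm9Qr$", "CN"))
```

The geolocation check only fires once the password has matched, which is exactly the case the post describes: the attacker had the right secret, and the country was the last signal left to act on. The breach screen at registration time closes the earlier gap, so a password that already sits in a dump never becomes a valid credential in the first place.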

At that time, I deeply appreciated all those otherwise annoying security features. Facebook asking me to identify my friends, Google sending me text messages, and now Steam using geolocation to see where my impersonator lives. I quickly updated my password on Steam and 5-6 other websites.

My new password was the same as the old one, with the last letter changed from a ‘d’ to an ‘e,’ meaning this was the 5th time I had updated my Steam password for one reason or another. The rest of the password was pretty good in terms of entropy: caps, lowercase letters, numbers, and symbols, randomly generated yet pronounceable, using pwgen, a great CLI tool for generating strong, memorable passwords.

[Screenshot] pwgen producing secure, memorable passwords

But this is not great overall. It takes attackers only one small step to realize how hard a password is to remember, and that users therefore postfix their existing ones with predictable components, such as an incrementing identifier. I’ve read posts about people using the same password everywhere and instead prefixing it with the site name. So if your main password is “d34db33f,” then for Amazon it will be “amazon_d34db33f,” for Chase “chase_d34db33f,” or something along those lines.

I believe I have a good understanding of the security concepts behind passwords, and I think I’m doing better in terms of passwords than 99% of the people out there, since my password is not “password” or “123456” (proof). On the other hand, here I found myself coming up with predictable password patterns. Then it came to me: the bigger issue exposed by credential stuffing attacks and password reuse:

Either we all do passwords right, or nobody does.

Either nobody gets hacked, or we may as well all be, as long as users can’t help but use the same passwords and predictable patterns over and over again.

So what does it mean for everyone to do passwords right? If you want to be really safe, you’ve got to be a bit paranoid and lean completely on the side of security versus convenience.

  1. A password should be completely unpredictable (it should not include pet names, date of birth, middle names, children’s names, childhood heroes, favorite books; in fact, no English words at all).
  2. A password should have capital letters, lowercase letters, numbers, symbols and be at least 16 characters long (for 128-bit keys).
  3. A different such password for each website, changed every three months, with no logical correlation between them.
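The three rules above can be turned into checks a service (or a password manager) runs before accepting a new password: an entropy estimate, and a test for the predictable patterns described earlier, a trailing character bumped by one or a shared password wrapped in the site name. This is an added example, not the post's code; every password in it is constructed, and the function names are hypothetical. The entropy helper also makes the 16-character rule concrete: 16 characters reach 128 bits only if each carries a full 8 bits, whereas a uniformly random character from the 94 printable ASCII symbols carries about 6.55 bits, so 128 bits from that alphabet needs 20 characters.

```python
"""
Checks behind the three password rules: an entropy estimate for a candidate
password, and a test for the predictable reuse patterns the post describes
(bumping the last character, or wrapping one shared password in a site name).
Added example; every password below is constructed.
"""
import math
import string

# (characters in the class, size of the class) for the entropy estimate.
CLASSES = [
    (string.ascii_lowercase, 26),
    (string.ascii_uppercase, 26),
    (string.digits, 10),
    (string.punctuation, 32),
]


def entropy_bits(password: str) -> float:
    """Upper bound: treats each character as drawn uniformly from the union of
    the character classes present. Words and patterns carry far less."""
    alphabet = sum(size for chars, size in CLASSES if any(c in chars for c in password))
    return len(password) * math.log2(alphabet) if alphabet else 0.0


def length_for_bits(target_bits: float, alphabet_size: int = 94) -> int:
    """Shortest uniformly random password over an alphabet that reaches target_bits."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def levenshtein(a: str, b: str) -> int:
    """Edit distance; a small value means the new password is a trivial tweak."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_predictable_variant(old: str, new: str, site: str = "", max_edits: int = 2) -> bool:
    """Flags the reuse patterns from the post: a few-character edit of the old
    password (the trailing 'd' becoming 'e'), the old password embedded in the
    new one, or the site name used as a prefix or suffix."""
    lo, ln = old.lower(), new.lower()
    if lo in ln or ln in lo:
        return True
    if site and site.lower() in ln:
        return True
    return levenshtein(lo, ln) <= max_edits


if __name__ == "__main__":
    print(round(entropy_bits("Xy7!vgPq#2Lm9Qr$"), 1), "bits for 16 mixed characters")
    print(length_for_bits(128), "characters of printable ASCII for 128 bits")
    print(is_predictable_variant("d34db33d", "d34db33e"), "<- the 'd' to 'e' bump")
```

A service cannot run `is_predictable_variant` across sites, since it never sees the other sites' passwords; it can only compare against the user's own previous password at reset time. That is the point of rule 3: the cross-site correlation is invisible to every individual service and visible only to an attacker holding several dumps.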

It is indeed impossible to be truly secure using passwords. How about password managers, then, letting them handle the complexity of passwords? Not a bad idea on first thought. Just tie all passwords to the user’s machine. But then you get this:

[Image] The problem with password managers: you’re not your laptop

Password managers basically turn the problem of cyber security into a problem of physical security of your devices. For example, if I can get my hands on an unlocked laptop, I can access pretty much any website, as long as cookies are enabled or a password manager has been used. And that’s pretty terrible.

In the end, no solution takes care of every aspect of identity security today. It’s either what you know (a password) or what you have (a device), and now we’re finally moving into the age of what you are.

[Photo] TechCrunch Disrupt 2016, UnifyID (acquired by Prove) won runner-up in Disrupt Battlefield.

At Prove, we think of the human as the central point of identity management. Think about every bit of information that makes you, You. How large is your stride, do you walk fast or slow, how long are your arms, which floor is your home on, how fast do you drive to work? This is all information that we feed into our machine learning system as input. The output is binary: either it is you, or it isn’t. Since we only require 1 bit of information at the time of authentication, we can log you in with one click.

In addition, Prove works across devices. Your computer knows about your phone, and they share the same credentials. Remember that time when you left your laptop unattended for 5 minutes, and your Facebook wall got full of questionable posts? Not anymore. We can detect when you stand up and walk away. We can do that for every website, bank, e-shop, and federal website. Take your identity with you when you leave the room.

Here at Prove, we take your security seriously. Passwords are an inconvenience, and they will soon go the way of the floppy drive. However, machine learning and implicit authentication can help you, and we know precisely how.


To learn about Prove’s identity solutions and how to accelerate revenue while mitigating fraud, schedule a demo today.
