Credential stuffing and SIM swaps

By on 31 Jan 2024

Category: Tech matters

Tags: , ,

Blog home

Alongside concerning recent security news, there has been a media-wide rise of references to ‘credential stuffing’. This is a term that doesn’t convey very much, but as it’s the accepted term inside the infosec community, it’s probably here to stay.

The ‘stuffing’ part refers to using stolen login credentials from one website on another, using the assumption they’re probably reused identity and password details. Nowadays, it’s common to use keystores, either browser embedded or in the operating system (like the OSX Keychain) or in a third-party product like LastPass, 1Password, or Bitwarden (my particular keystore of choice, on OSX and Android), but it’s obviously not common enough.

As this great blog post by Troy Hunt discusses, the stolen credentials list keeps on growing. Especially worrying is that it continues to grow with previously unseen accounts at an alarming rate. In his post, Troy noted that about 35% of the 104GB of data were for previously unseen logins, which he attributes largely to ‘stealer logs’ captured by info stealer malware installed on compromised machines.

The password used to gain control of the account at the RIPE NCC was almost certainly a very old, unchanged, and guessable (with modern computing power) password. But even if it had been a complex, strong password it would have been equally vulnerable to info stealer malware. This reiterates the importance of enabling two-factor authentication, where the user demonstrates control of something that is in their possession, either via a device such as a phone or a token generation system such as Time-based One-time Password (TOTP) as well as knowledge of a password. The problem is, if this second factor is a phone, it is also at risk of being taken over by bad actors.

SIM swaps, where a bad actor can convince your telco to move your phone number without your active consent is another topical attack on the integrity of logins and is said to have been involved in the recent US Securities and Exchange Commission’s X account compromise, which led to a false tweet about crypto coins being sent out. 

Many of us like to think ‘This couldn’t happen to me’ but the defensive barriers to SIM swapping are unfortunately not under user control as much as password and login details are. The attack is not directly on the SIM owner, the attack is on the integrity of the telco-to-telco processes requesting and authorizing a SIM swap.

In many economies, this is not a high barrier to breach. There’s no other strong second factor available to validate the request, and no strong (agreed) mechanism applicable in all cases. This means a frighteningly large number of people are at risk of sudden loss of their phone identity. Since this is, in many cases, the second-factor proof of possession to login to services like X, losing control of a SIM is equivalent to losing control of the account.

With the rise of Single Sign-On (SSO) under the OAuth mechanism (systems like Keycloak, OKTA, and use of Google and Apple passcode identities) it becomes increasingly important that fundamental identity and proof of possession are maintained.

With reports of credential stuffing, info stealer malware, and SIM swaps on the rise, here are some timely reminders from APNIC’s Information Security Specialist, Jason Reid to help protect yourself:

  • Don’t depend on a single login password to control access to the fundamental identities you use for banking, work, or other identity-aware services. Use a second factor and have backup keys in case of loss of the second factor.
  • Use non-SMS methods for the second authentication factor wherever you can. Authentication codes delivered via SMS are better than nothing, but they are highly vulnerable to SIM swapping. As soon as your phone number has been ported to the attacker’s device, they will receive your SMS codes. Instead, use an authenticator app that generates TOTPs or better still, a hardware security key such as a UbiKey.
  • Create strong, unique passwords for all your accounts and use a password manager to keep track of them. Credential stuffing relies on password reuse and the lack of a second authentication factor for its success.  
  • Make sure you have a plan for the loss of your phone, your SIM, and any hardware key you depend on as a second factor.
  • If you receive an unexpected request by SMS, messaging app, email or phone to confirm your identity, check very carefully before sending a code or TOTP value. Call back on a number you have independently verified, for example, from the company website.
  • Regularly update your operating system and all software applications to patch security vulnerabilities. Enable automatic updates.
  • Watch out for phishing attacks — avoid opening email attachments or clicking on links from unknown or suspicious sources.
  • Download software and files only from reputable sources and avoid cracked or pirated software, as it is likely to contain malware.
  • Install reputable antivirus and anti-malware software and ensure it has the latest virus definitions.
  • Use a VPN, especially when connecting to public Wi-Fi, to encrypt your Internet connection and protect your data from potential eavesdropping.

When considering this advice it’s important to remember that in an era of increased digital footprint and therefore risk, the threat is real, and it could indeed happen to you. The time to take these necessary steps is now.

Rate this article

The views expressed by the authors of this blog are their own and do not necessarily reflect the views of APNIC. Please note a Code of Conduct applies to this blog.

Leave a Reply

Your email address will not be published. Required fields are marked *

Top