Credential stuffing doesn’t often make the news, but it’s a $10 billion a year problem, according to Shuman Ghosemajumder, CTO at Shape Security in Mountain View, Calif. The term describes the practice by cybercriminals of taking usernames and passwords they’ve collected from one breach and using them to gain access to other accounts.
Breaches like these create “a sort of ecological disaster for the internet,” Ghosemajumder said at the recent EmTech conference in Cambridge, Mass. “[That’s] because the usernames and passwords are valid not just to the site that was breached, but across the entire internet because of the fact that everyone randomly reuses the same passwords.”
In an effort to combat credential stuffing attacks, Shape Security announced the release of Blackfish, a new artificial intelligence system that identifies freshly stolen usernames and passwords — those that have not yet been disclosed or surfaced on the dark web.
“Cybercriminals often don’t make [usernames and passwords] available until they’ve extracted all of the value that they want themselves,” said Ghosemajumder, who led product management for click-fraud protection at Google for more than five years. “So there’s this window of time where users are still vulnerable.”
Shape Security already had a machine learning platform to detect credential stuffing attacks by identifying patterns of behavior that look human but are really performed by automated systems. One example is efficiently moving the mouse in a straight line from the username field to the password field to the submit button — something humans cannot do, according to Ghosemajumder.
Blackfish takes it one step further by identifying the compromised usernames and passwords and storing the information in a common knowledgebase. Any subsequent logins using the stolen credentials will be checked against the knowledgebase and invalidated.
“What this creates is a data-driven defense network, which is constantly learning, constantly improving and capable of autonomously defending itself,” Ghosemajumder said.
Shape Security doesn’t store the actual usernames and passwords. Instead, it represents the information in a Bloom filter, a probabilistic data structure, which enables verification but makes the stored data useless to hackers. “It’s kind of like how Touch ID on the iPhone doesn’t store a picture of your fingerprint,” Ghosemajumder said. “But, instead, looks at different features that are associated with your fingerprint and then stores a mathematical representation of that.”
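To show what such a check looks like in practice, here is an added example (not Shape Security's or Blackfish's code): a Bloom filter that records only hashed bit positions for known-compromised username/password pairs, then is queried at login to reject a stuffed credential. The sample credentials and the sizing choices are constructed for illustration.

```python
import hashlib
import math


class CredentialBloomFilter:
    """Bloom filter over (username, password) pairs.

    Queries can return false positives (at roughly `fp_rate`) but never
    false negatives, so a "not present" answer is definitive.
    """

    def __init__(self, expected_items: int, fp_rate: float = 0.001) -> None:
        # Standard Bloom filter sizing: m bits, k hash functions.
        self.m = math.ceil(-expected_items * math.log(fp_rate) / (math.log(2) ** 2))
        self.k = max(1, round(self.m / expected_items * math.log(2)))
        self.bits = bytearray((self.m + 7) // 8)

    def _positions(self, username: str, password: str):
        # Derive k bit positions from a SHA-256 digest of the pair; only these
        # bits are kept, never the credential. A weak password hashed with plain
        # SHA-256 is still brute-forceable offline, so a deployment would use a
        # keyed or slow hash here (assumption, not described on the page).
        digest = hashlib.sha256(f"{username}\x00{password}".encode()).digest()
        for i in range(self.k):
            h = hashlib.sha256(digest + i.to_bytes(2, "big")).digest()
            yield int.from_bytes(h[:8], "big") % self.m

    def add(self, username: str, password: str) -> None:
        for pos in self._positions(username, password):
            self.bits[pos >> 3] |= 1 << (pos & 7)

    def probably_contains(self, username: str, password: str) -> bool:
        return all(self.bits[pos >> 3] & (1 << (pos & 7))
                   for pos in self._positions(username, password))


# Constructed sample of pairs observed being used in a credential-stuffing run.
STOLEN_SAMPLE = [("alice@example.com", "Summer2017!"), ("bob@example.com", "hunter2")]


def build_filter(pairs=STOLEN_SAMPLE) -> CredentialBloomFilter:
    bf = CredentialBloomFilter(expected_items=max(len(pairs), 1000))
    for user, pw in pairs:
        bf.add(user, pw)
    return bf


def login_allowed(bf: CredentialBloomFilter, username: str, password: str) -> bool:
    # A hit means the pair is almost certainly known-compromised: refuse the
    # login and force a password reset instead of letting the session proceed.
    return not bf.probably_contains(username, password)
```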