Joke Collection Website - Blessing messages - How to prevent credential stuffing

How to prevent credential stuffing

Credential stuffing is the practice of an unauthorized user logging into a target platform with account/password pairs that leaked from other platforms.

Take the well-known CSDN account and password leak as an example. Many people in the underground economy took those leaked accounts and wrote programs that replayed the logins against other platforms. This succeeds with a certain probability, because most users are in the habit of setting the same password for all of their accounts on every platform. That habit is exactly the opening these malicious users exploit.

Secondly, there is another type of credential stuffing that does not rely on leaked account passwords at all.

Many of our users set passwords such as 123456, 000000, 666666 and the like. An attacker running this kind of credential stuffing only needs to try the likely password combinations one by one against each account; there will always be some accounts that fall.

Given these two forms of credential stuffing, how should we address them?

The underground economy uses credential stuffing simply to obtain more users' private information, or to cause financial losses to users through platform vulnerabilities. Once we understand this "little idea" of the attackers, all that remains is to find the corresponding way to block both of those channels.

When a user changes their password, we verify an SMS verification code sent to the user's mobile phone. After all, many platforms now require a bound mobile phone number: first, because the law requires it, and secondly, because using the mobile phone number itself as the account name removes the need for a separate "bind phone number" feature. A mobile phone number is also easy for the user to remember.

With this in place, an illegal user cannot change the victim's password.

Building on that first step, we can also require the SMS verification code before sensitive operations, at points chosen according to how important the business action is. But what if the illegal user already knows the password?

At login we record the user's IP address, and from the IP we derive an address location code. On the next login, if the location code has changed, that indicates a login from a different place. At that point we send reminders through all of the user's contact channels so that they can change their login password.

For example, if an account fails to log in 5 times in one day, it is locked. That way, even if the illegal user has tens of millions of candidate password combinations, the account still cannot be cracked effectively.

Another example is the user's bank card number. WeChat and Alipay mask the user's card number with asterisks, and so do China Merchants Bank, Bank of China and others: if you want to view the complete card number and password, you must first enter an SMS verification code.

Even after all of the steps above, we still cannot guarantee that credential stuffing will never succeed. We can only ensure that the losses it causes are kept to a minimum.

For example, if the limit is 5 attempts per account, a single IP can still try 5 passwords against every account, one account after another. That is unacceptable. So we should consider writing operation records from these sensitive locations into a log.

The recorded information is as follows:

Then we write a script that analyzes this log on a schedule. When the ban conditions are met, it simply writes the IP into Redis and sets a ban duration on it.
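As an added example (not code from the original post), the following Python script ties together the controls described above: it parses constructed login-log lines, locks an account after 5 failures in a day, bans an IP that fails against too many different accounts by writing it into a key-value store with an expiry (an in-memory stand-in for Redis `SET ... EX`, which is an assumption), and raises an alert when a successful login arrives from a different address location code than the previous one. The log format, the thresholds and the location codes are all assumptions made for the example.

```python
# Added example, not from the original post: periodic analysis of a login log
# that implements per-account lockout, per-IP bans with an expiry, and
# remote-login alerts. Log format, thresholds and location codes are assumed.
from collections import defaultdict
from dataclasses import dataclass
import time

MAX_FAILS_PER_ACCOUNT = 5   # assumed: 5 failures in one day locks the account
MAX_ACCOUNTS_PER_IP = 3     # assumed: an IP failing against >3 accounts is banned
BAN_SECONDS = 3600          # assumed ban duration


class ExpiringStore:
    """In-memory stand-in for Redis `SET key value EX seconds` (assumption)."""

    def __init__(self, clock=time.time):
        self._data = {}
        self._clock = clock

    def set(self, key, value, ex):
        self._data[key] = (value, self._clock() + ex)

    def get(self, key):
        item = self._data.get(key)
        if item is None:
            return None
        value, expires_at = item
        if self._clock() >= expires_at:   # expired bans disappear, as in Redis
            del self._data[key]
            return None
        return value


@dataclass
class LoginEvent:
    day: str
    ip: str
    account: str
    geo: str       # address location code derived from the IP (assumed format)
    ok: bool


def parse_line(line):
    """Constructed log line format: '<day> <ip> <account> <geo_code> success|fail'."""
    day, ip, account, geo, result = line.split()
    return LoginEvent(day, ip, account, geo, result == "success")


def analyze(lines, store, last_geo):
    """Return (locked_accounts, remote_login_alerts); IP bans are written to `store`."""
    fails_by_account = defaultdict(int)
    failed_accounts_by_ip = defaultdict(set)
    locked, alerts = set(), []
    for line in lines:
        ev = parse_line(line)
        if store.get(f"ban:{ev.ip}"):
            continue   # a banned IP is dropped before it reaches the login logic
        if not ev.ok:
            fails_by_account[(ev.day, ev.account)] += 1
            failed_accounts_by_ip[ev.ip].add(ev.account)
            if fails_by_account[(ev.day, ev.account)] >= MAX_FAILS_PER_ACCOUNT:
                locked.add(ev.account)
            if len(failed_accounts_by_ip[ev.ip]) > MAX_ACCOUNTS_PER_IP:
                store.set(f"ban:{ev.ip}", "credential-stuffing", ex=BAN_SECONDS)
            continue
        # Successful login: compare the location code with the previous one.
        prev = last_geo.get(ev.account)
        if prev is not None and prev != ev.geo:
            alerts.append((ev.account, prev, ev.geo))
        last_geo[ev.account] = ev.geo
    return locked, alerts


# Constructed sample log: 10.0.0.1 sprays one guess across many accounts,
# 10.0.0.2 hammers alice, and bob logs in from two different location codes.
SAMPLE_LOG = """\
2024-01-01 10.0.0.1 alice 440300 fail
2024-01-01 10.0.0.1 bob 440300 fail
2024-01-01 10.0.0.1 carol 440300 fail
2024-01-01 10.0.0.1 dave 440300 fail
2024-01-01 10.0.0.1 erin 440300 fail
2024-01-01 10.0.0.2 alice 110100 fail
2024-01-01 10.0.0.2 alice 110100 fail
2024-01-01 10.0.0.2 alice 110100 fail
2024-01-01 10.0.0.2 alice 110100 fail
2024-01-01 10.0.0.3 bob 110100 success
2024-01-01 10.0.0.4 bob 440300 success
"""


def run_sample():
    """Analyze the constructed log; returns (locked, alerts, store)."""
    store = ExpiringStore()
    locked, alerts = analyze(SAMPLE_LOG.splitlines(), store, last_geo={})
    return locked, alerts, store


if __name__ == "__main__":
    locked, alerts, store = run_sample()
    print("locked accounts:", sorted(locked))
    print("remote-login alerts:", alerts)
    print("10.0.0.1 banned:", store.get("ban:10.0.0.1") is not None)
```

In production the `ExpiringStore` would be replaced by a real Redis client and the login handler would check `ban:<ip>` before verifying any password; the per-IP threshold is what closes the gap left by a purely per-account limit.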

If you don't want to write all of these messy conditions yourself, a mature WAF system can be used. Configuring the rules directly in the WAF lets it identify many kinds of attacks intelligently. We won't go into detail about WAFs here. So far I have only come into contact with Alibaba Cloud's WAF. I think it's pretty good. It's just a bit expensive~~~