FB pixel

Digital ID attack mitigation sometimes just makes room for better criminals

Categories Access Control  |  Biometrics News
Digital ID attack mitigation sometimes just makes room for better criminals
 

A cybersecurity company says that successful mitigation of credential-stuffing attacks is not having precisely the effect identity providers might have expected.

A new F5 report illustrates how a baseline graph of malicious automation traffic – credential stuffing — gets squeezed to a fraction of its size after mitigation steps are completed. Yet the choked traffic is comprised of more dangerous, more sophisticated attack traffic.

A small but noticeable drop in traffic for authentication and account management end points occurs upon mitigation. But that is because criminals looking for the easiest marks find new targets and those able to wield intermediary and advanced tools mostly fill the void.

(F5 analyzes threats and markets tools and services to mitigate them.)

Among the advanced tools for performing credential stuffing attacks is software that mimics human-generated traffic.

F5 considers intermediate sophistication the ability to emulate some generic actions. Typically, they cannot simulate “full human browsing.”

Advanced capabilities use custom software as well as Selenium, Puppeteer, Browser Automation Studio. At this level, software is mimicking keystrokes, mouse movements and other actions.

The company makes several recommends in the report, including that identity providers not wait for the best anti-bot software. Simple applications can cut down basic stuffing attacks.

They need to deploy multi-factor authentication using public key cryptography like FIDO2 or FIDO2-based passkeys.

Reverse proxy phishing can bypass some MFA approaches, but F5 says those based on public key infrastructure, including most biometrics implementations, are resistant to these sophisticated attacks.

Article Topics

 |   |   |   |   | 

Latest Biometrics News

 

U.S. academic institutions get biometric upgrades with new partnerships

A press release says ROC (formerly Rank One Computing), which provides U.S.-made biometrics and computer vision for military, law enforcement…

 

Smart Bangladesh 2041: Balancing ambition with reality

Bangladesh aims to be a “Smart” nation by 2041 as the country goes through a drastic transformation founded on digital identity…

 

Nigeria’s NIMC introducing one multi-purpose digital ID card, not three

The National Identity Management Commission of Nigeria (NIMC) has clarified that only one new digital ID card with multiple functions…

 

Age assurance tech is ready now, and international standards are on their way

The Global Age Assurance Standards Summit has wrapped up, culminating in a set of assertions, a seven-point call-to-action and four…

 

NIST finds biometric age estimation effective in first benchmark, coming soon

The U.S. National Institute of Standards and Technology presented a preview of its assessment of facial age estimation with selfie…

 

Maryland bill on police use of facial recognition is ‘strongest law in the nation’

Maryland has passed one of the more stringent laws governing the use of facial recognition technology by law enforcement in…

Comments

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Most Read From This Week

Featured Company

Biometrics Insight, Opinion

Digital ID In-Depth

Biometrics White Papers

Biometrics Events