The State of Credential Stuffing and the Future of Account Takeovers

Explore the current landscape of credential stuffing attacks and the evolving nature of account takeovers in this comprehensive conference talk. Delve into the economics of these attacks, including costs, distribution methods, and return on investment. Learn about combo lists, various defense mechanisms like IP rate limiting and CAPTCHAs, and the challenges posed by dynamic sites. Examine techniques used to identify bots, including browser fingerprinting and non-human behavior detection. Discover how attackers bypass multifactor authentication and explore advanced fraud techniques such as resident scripts and browser extensions. Gain insights into emerging threats beyond credential stuffing, including Genesis marketplaces and advanced malware. Understand the importance of risk scoring and collaborative efforts in combating fraud.

Introduction
How Much Does It Cost
Distribute Globally
Cost
Rate Of Return
How To Start
What Are Combo Lists
IP Rate Limiting
CAPTCHAs
Dynamic Sites
Host Header Order
Consumer Browsers
Browser fingerprinting
Fraudfox
Identifying Bots
NonHuman Behavior
Browser Automation Studio
Browser Consistency Check
Browser Fingerprints
Emulation
Multifactor authentication does not stop credential stuffing
How to bypass multifactor authentication
Logging into your bank
Resident script
Browser extensions
Exploit a developer machine
What is beyond credential stuffing
We are raising the cost
Genesis
One Unit
Known Resources
Fingerprints
Risk Scores
Dont Screw Your Buddies
Advanced Malware
Fraud Problems