Defence Against The Dark Arts Credential Stuffing Attacks


Credential stuffing attacks are where an existing list of usernames / email addresses and cracked passwords is replayed against your site by an attacker to perform Account Take Overs (ATOs).


The lists of usernames / email addresses and their passwords are available on the dark web, and often originate from previous database breaches like LinkedIn, where the old ciphers used to encrypt passwords were weak and so have been cracked, resulting in full login details for lists of millions of users being available for replay.


Because so many users reuse passwords – replaying this list against your site will result in some valid logins for the attackers – and then they exfiltrate any personally identifiable information (PII) from the user's account to potentially sell.


PII entries are a dollar or two depending on completeness – but if they can harvest 1000s or millions of PII entries by accessing that many accounts on your site – it’s lucrative business.


Various tools exist for performing these types of attack – and if the infiltration is ‘low and slow’ it’s very hard to detect a few failed logins per second amongst all the noise.


Prevention / Preparation


Keep max login retry limits low (though in credential stuffing they have a username/password combo already, so this is minimal protection).

Make sure you rate limit based on sessionIds.

Add a Captcha and reverse-Captcha by default on login. You should ‘feature toggle’ Captchas so they don’t have to be on all the time annoying your users.

If you want to get sophisticated you can make this risk based – so the Captcha only springs up when some aspect of the user is suspicious. (Google’s ‘reCAPTCHA’ is pretty clever and non-intrusive these days and does risk profiling too.)

You still need a reverse Captcha too though, as this can be left on all the time because it’s invisible to users – there may be circumstances where product folk want to lift the ordinary user Captcha.

Ensure you’re returning 401 and 403 HTTP codes appropriately in your login validation code (this will facilitate efficient firewall rules).

If attacked you could set some iRules so that repeated 401/403s from a single IP trigger a ban on the IP for 10 minutes, for example. This is not so easy if you just 302 to /failedlogin.html, as you’ll have lots of other legitimate 302s.

Make sure you consider your APIs too – an API gateway of some sort should offer throttling mechanisms.

Consider something like Cloudflare, Ravelin or their competitors – they do lots of profiling and filtering of suspicious IPs and tools, or ATO plugins, and may solve your problem invisibly upstream.

Make sure you’ve built the capabilities for Password Reset and Account Suspension for corralling any compromised accounts.

Implement user device profiling, where each new device a user logs in from is recorded and exceptions flagged to users for validation – numerous libraries exist for this.

Ensure you close the loop in verifying users’ email addresses and, if possible, phone numbers too.

Implement 2FA (2 factor authentication) or MFA (Multi Factor Authentication) – the gold standard of login verification, where users have some kind of key generator with them (Authy / Google Authenticator / Yubikey).

Though this may not be applicable for high volume sites with non technical users, offering it gives you options for expert users.

Do a red team simulation for credential stuffing to see if it gets spotted by your team.

During registration, consider a spot check on new credentials to or similar — and potentially warn them about strong unique passwords if their username/email is known (careful messaging required!)

See also OWASP’s guide on this at




You need separate monitors / alerts on:

Failed logins

  • A spike in failed logins is a clue for brute force and credential stuffing.

Logins for non-existent users

  • A spike in logins for non-existent users is a clue for credential stuffing – these are the mismatched emails / usernames you don’t have on your system being stuffed in.

  • Have a long look at both failed login monitoring alert sensitivities, and assume the worst on any prolonged tickle.

Successful logins

  • A spike in successful logins only could be a clue someone’s stolen your user credentials from your DB (though why they’d then swarm your login page is a mystery).

Accounts locked due to repeated failures

  • Again, an indicative clue to brute forcing.

Any other key metrics you capture around login or account traversal (changing card details, changing user email addresses) should also be emitted and measured for unusual activity

  • These are post breach, so not ideal – but still very worthwhile in case you miss something subtle initially.

The detection thresholds on these login attempts alerts should ideally be sophisticated and use correlations, anomaly detection and machine learning – it’s the only way to really spot the low and slow subtle attacks
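The per-IP ban on repeated 401/403s and the separate failed-login and non-existent-user monitors described above, put together as an added example (not code from the original post). The window, thresholds, baselines and sample traffic are constructed assumptions; it shows that the per-IP ban only catches the noisy source, while the non-existent-user counter is what flags attempts spread thinly over many IPs.

```python
from collections import defaultdict, deque

WINDOW = 60          # seconds of failure history kept per IP (assumed value)
BAN_THRESHOLD = 5    # 401/403 responses per IP within WINDOW (assumed value)
BAN_SECONDS = 600    # the 10-minute ban used as the example in the text


class LoginMonitor:
    """Per-IP ban on repeated 401/403 plus per-minute counters for alerting."""

    def __init__(self):
        self.recent_fails = defaultdict(deque)   # ip -> timestamps of 401/403
        self.banned_until = {}                   # ip -> epoch second the ban ends
        self.per_minute = defaultdict(
            lambda: {"ok": 0, "failed": 0, "unknown_user": 0})

    def observe(self, ts, ip, status, user_exists):
        """Feed one login response; returns 'blocked', 'banned', 'failed' or 'ok'."""
        if self.banned_until.get(ip, 0) > ts:
            return "blocked"                     # dropped before reaching login
        counters = self.per_minute[ts // 60]
        if status not in (401, 403):
            counters["ok"] += 1
            return "ok"
        counters["failed"] += 1
        if not user_exists:
            counters["unknown_user"] += 1        # username/email not in our user table
        fails = self.recent_fails[ip]
        fails.append(ts)
        while fails[0] <= ts - WINDOW:           # expire entries outside the window
            fails.popleft()
        if len(fails) >= BAN_THRESHOLD:
            self.banned_until[ip] = ts + BAN_SECONDS
            return "banned"
        return "failed"

    def alerts(self, baseline, factor=3):
        """Minutes where a counter exceeds factor x its normal per-minute baseline."""
        hits = []
        for minute in sorted(self.per_minute):
            for metric, normal in baseline.items():
                if self.per_minute[minute][metric] > factor * normal:
                    hits.append((minute, metric))
        return hits


def run_constructed_sample():
    """Constructed traffic: one noisy IP, then a thin spread over 40 IPs."""
    mon = LoginMonitor()
    # Minute 0: 203.0.113.9 fails 7 times in 30 s against real accounts.
    noisy = [mon.observe(t * 5, "203.0.113.9", 401, True) for t in range(7)]
    # Minute 1: two normal logins and one honest typo.
    mon.observe(60, "192.0.2.10", 200, True)
    mon.observe(65, "192.0.2.11", 200, True)
    mon.observe(70, "192.0.2.12", 401, True)
    # Minute 2: 40 IPs, one attempt each, mostly usernames we have never seen.
    for i in range(40):
        mon.observe(120 + i, f"198.51.100.{i + 1}", 401, user_exists=(i % 8 == 0))
    return noisy, dict(mon.banned_until), mon.alerts({"failed": 4, "unknown_user": 1})


if __name__ == "__main__":
    print(run_constructed_sample())
```

Feeding `user_exists` into the monitor requires the login handler to log whether the submitted username matched an account, while still returning the same 401 to the client either way.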


When under Attack


Turn on Captcha

Look for patterns in the attack: are there clues to a specific hack tool – perhaps repeating user agent strings, odd protocols like TLS1, or timings that you may be able to profile?

You can set some iRules for repeated 401/403s from a single IP to ban the IP for 10 minutes, for example.

Dump suspicious IPs from threat intelligence reports, or those with high volumes, altogether.

Or add rules to filter on unusual user agents / matching TLS profiles (though this may cause collateral damage, shedding some real users).

Block IPs outside your customer geography location if possible. Is there any other way of shedding suspicious traffic?

Check threat intelligence sources, looking up the dodgy IPs you see for more info.

Slow down logins: irritating for users, but it throttles the attack.

Are accounts being compromised? If so, is there a pattern – can you get ahead if so?

Try to catch the traffic as close to the perimeter of your network as possible.

Check this isn’t just a feint for something worse. Check your other alerts for signs of intrusion to backend systems while they’ve kept you busy chasing this login tidal wave.

Call the Police
Call the FBI / GCHQ / Cyber authority in your geography

They can perhaps perform ‘Upstream Disruption’:
Shutting down sites the tools being used are deployed on
Identifying and Arresting individuals performing the attacks
Throttling traffic at ISPs or even further upstream



Have an incident plan ready – it’s a fair bit of planning but pays off in a crisis.

Comms is key:
Internal folk (tell them don’t say too much)
Different customer classes (tailor)
Regulatory bodies in your industry

Your Suppliers
Be careful of any precedent for refunds / goodwill
Consider getting hack insurance in advance
Police – report as a crime
GCHQ / FBI
Involve your legal team and have them run their eye over comms.

How To Be A Successful Interim CTO


I get the impression that a lot of people are actively looking at interim CTO assignments now who might not have considered them in the past.


So what is the same/different about being an interim CTO consultant or full time employee, and how can you maximise your chances of success if you make the leap?


In my experience very few people get treated any differently day-to-day in interim CTO roles than “permanent” employees..the fact that you’re an interim CTO won’t be a big issue but the expectations of you as an interim CTO can be higher.


You might be expected to be an expert on more things, and you’ll probably be expected to have a measurable impact – perhaps more quickly than a new full time employee would be.


You could also get more latitude to challenge the orthodoxy, not be expected to navigate the company politics so carefully, and have your change agenda considered more dispassionately.


So how do you make sure you’re successful in your first interim CTO consultant role?



The first (and maybe obvious) point is to choose the right role.


Don’t set yourself up for failure by taking an interim CTO role with a team size, company culture or business model you’re not absolutely confident you can add real value to. Ultimately what you “sell” is your reputation and track record – don’t be tempted to risk it by taking on a role you’re not 100% right for.


Once you have found the right role, and before you start, make sure you are very clear about the brief. 


Make sure you really understand what success will look like in the potential role.


Sometimes a company’s real wants and needs can’t be articulated clearly and you have to use your experience and intuition to read between the lines about why they want to hire you. Make sure you understand whether you will need to be a good cultural fit or whether being counter-cultural is one of the reasons why they want to hire you.


When you start get the basics right..always arrive on time and dress similarly to the prevailing dress code in the team.


At the early stages of any assignment make sure you don’t write cheques you can’t cash by promising unachievable things. There is no surer way to destroy your credibility (and make enemies of other people) than by promising things that can’t be done. It’s a subtle situation, as you may have been brought in to increase urgency and delivery, so any goals you agree need to be ambitious but achievable.

So..what is the most important thing to do when you arrive?


It is to listen..never make the mistake of joining with a “here’s the tell me about the problem” approach.


In your first week try and meet as many people in the team as possible.


It’s important for you to get to know the team, and them to get to know you, so scheduling 30 minute interviews with each team member to ask the sort of questions below will very quickly create a picture of what you’re walking into.


Example Interview Questions

  1. Are you enjoying it here at the moment?

  2. What are our key responsibilities as a team do you think?

  3. As a team, what do we do well do you think?

  4. What do we need to get better at?

  5. Who are our stars?

  6. Does anyone in the team need help to be more successful?

  7. How could we get more customer outcome focussed?

  8. How could we move faster?

  9. Would you recommend working here to a friend?

  10. What three things would you do if you were me?

  11. Anything else we should talk about?


After the interviews an interesting exercise is to allocate any team member mentioned as a “star” in question 5. a +1 and any struggling team member mentioned in 6. a -1. Adding up all the scores will give a quick but surprisingly accurate team talent map.


Question 9. can also be used to create a quick team “NPS” score.


At we like to end the first week of a new assignment with a “Week One Playback” with the person that sponsored the appointment. It’s a great opportunity to discuss the SWOT (Strengths, Weaknesses, Opportunities, Threats) found so far and calibrate it against what the sponsor wants.

Remember to add value to your client in any way you can as well. It’s not just about the goals. Doing things like sharing their job postings on LinkedIn, mentioning them in any interviews you do, retweeting their tweets, liking their Facebook page, and so on, all help.


Don’t “penny pinch” the client either. What “goes around comes around” so if taking a phone call or sending a quick email in non-client chargeable time helps solve a problem or keep momentum up then do it. You’ll be judged on your impact at the end of the day.


The last thing to remember is…to know when to move on.


You know when you’ve achieved your goals or hit the diminishing returns point on the value curve.

Don’t wait to be replaced. Proactively suggest a new way to add value to the client if one is appropriate, or move on to your next challenge with another successful engagement under your belt.


So there you have it. To be a successful interim CTO consultant you need to choose the right role, deliver as much value as you can, and then move on as soon as you’ve done it.


We summarise it at with our motto of “Be Of Value”. If you do that at all times you will be successful.


Being an interim CTO consultant won’t be for everyone but if you get your sense of accomplishment from delivering business impact and enjoy variety and challenge then maybe it’s for you?


Interested? Give us a shout on or 0800 246 5735 for an informal chat…

Darth Vader’s guide to Accelerated Mobile Pages (AMP)


Since its launch Google has been heavily pushing AMP (Accelerated Mobile Pages) but two years down the line how have things worked out?


Is it really worth creating AMP pages/sites and does AMP deliver the benefits Google said it would?

When it launched AMP in February 2016 Google said that web pages were too slow and clunky on mobile devices and we needed a new approach tailored specifically for the mobile web.


It talked about “websites and ads that are consistently fast, beautiful and high-performing across devices and distribution platforms…” and promised SEO (Search Engine Optimisation) and customer experience benefits with AMP.


What is there not to like about that?


Umm…well firstly it means the not insignificant amount of work of re-writing your page/site using a new stripped down and restricted HTML/CSS/JavaScript mark up format. It really is different as well, you can’t even use your existing Google Analytics JavaScript tag.


If you accidentally write “normal” JavaScript in your AMP page Google creates a “critical issue” in the Google Search Console and implies it will stop serving your AMP page to users. Frankly we were so scared we couldn’t breathe until we had fixed it. AMP faster? Well not necessarily.


With two very similar looking pages and the second AMP compliant page loads in 2 seconds compared to the normal version which loads in 1 second on 3G according to Google’s own testing tool (


Drat that’s not good news.


What about the SEO benefits? Well yes a bit. A quick test has shown that whilst browsing incognito on the web and phone the AMP page is currently ranking one position higher than the web page for the same keyword.


There is another benefit with AMP in that Google will serve it from its Content Delivery Network (CDN) free of charge. Thanks Google, that should help keep download times low around the world.


If you don’t want your AMP page being seen as a referrer by Google you’ll need to add to the Referral Exclusion List in Google Analytics, though.


So is it all worth it then?


You’ll have to make your own mind up.


Google are right in that given most web sites now have more than 50% of users accessing the site via their phone it really is time we built experiences tailored for their device profiles and bandwidth situations and at least AMP is open source rather than proprietary.


AMP is still pretty young compared with HTML over the web (which has been around since 1991-1992) and my hunch is that it has some way to go but it is around to stay.



Rorie is CEO and Founder of which puts high impact temporary team members into organisations that need something done quickly, done well or delivered against the odds.



SAAS – The Four Letter Word Which Can Turbo-Charge Your Start-up



Many start-ups commence trading using spreadsheets to manage their core finances. It is often the best way in the beginning, but in my experience, there is a tipping point after which no amount of spreadsheet wizardry will compensate for having a good financial management system.


When I joined I was confronted with exactly this. I started at a time when there were just a few transactions per month and so the spreadsheet which had been used to kick-start this rapidly growing company, adequately met the needs of the time. And being a Google sheet, it was “cloud-based” so it provided some of the basic benefits of a SAAS product. I constructed a “better” Google spreadsheet to get additional clarity and this allowed me to improve operations. However, as the business grew rapidly, this had a foreseeable life-cycle of but a few months.


The breaking point hit us not long after. The system which had previously worked perfectly well for hundreds of simple linear transactions, finally reached its limit with one specific requirement. It was the most demanding customer project to date, with a larger team, multiple currencies, increased billing frequency and differing international taxation settings. Accurate manual reconciliation was time consuming and becoming near impossible, resulting in delays and anomalies. In the fullness of time this would have resulted in some financial loss, irritated suppliers and unhappy customers.


I knew we had to upshift to something better, and fast – we had reached the limits of this approach.

Before one invests in software to address a specific problem, it is important to assess what benefits one is looking for. I found that apart from standardising all core financial operations, the hidden jewel in the crown was to get enhanced reporting capabilities. Having access to real-time reporting, with detailed on-demand drill-down analytical capabilities, can turbo-charge an enterprise when used effectively.


Sure, it is possible to do some of this without specialised financial software, and I acknowledge that many are perfectly happy with that approach. However, when it comes to gaining real business insight and making informed decisions, without the right tools it feels like groping in the dark, or at best, doing a lot of manual computation (which can be less accurate).


In our case, it is vital for us to analyse profitability regularly, not just across the enterprise, but also per individual, per partner, per team and per project, over different time periods and from different perspectives. This was near impossible with a spreadsheet (or at best, very time consuming and error prone), but once we had the right tools, we were suddenly empowered to make well-informed decisions based on accurate data, which in turn allowed us to confidently optimise the business model to maximise profitability.


So how did the implementation go? Having enjoyed a long career in the ERP industry, I knew we needed a simple cloud-based product which would suit a fast-moving start-up. One which was cost-effective and quick to implement, but also had the capability of scaling as the business grew. I was happy to quickly discover a multitude of excellent and cost effective SAAS offerings which fitted the bill. While there are many on the market, I limited my evaluation to the following products: FreeAgent, Freshbooks, SageOne, Quickbooks, Xero and Zoho.


Broadly speaking, they all do the same thing and I am sure one can get equally satisfying results with any of these products, but all things considered, we decided to try It seemed to tick all the boxes and matched our company’s ethos: “urgency, clarity, delivery”.


The project was a resounding success – within just a few days (and albeit a few late nights!) we were able to migrate and reconcile all the historical bank data, set up invoicing, and most importantly, structure the organisational model, chart of accounts and tracking codes to deliver precise reporting and drill-down analytical capabilities. Once these aspects are set up correctly, the product takes care of all the intricate computations and provides enhanced financial visibility with just a few clicks. As your accountant can also use the same tools to perform routine filings, you may find you can reduce your annual accounting costs too, as it is a lot less effort for all involved.


After several months of successful operation, a financial year end and numerous insight-driven strategy shifts to improve profitability (which would have been impossible with even the “better spreadsheet”), I can safely say that we are delighted. Moving to a professional SAAS product solved all the issues previously faced and delivers 99% of what is needed.

The missing 1% is minor and not worth worrying about. For example, billing multiple currencies on a single invoice would have been handy, but given this is a simple SAAS solution and not a complex built-to-order ERP implementation, none of these minor gaps are show stoppers. I find that as the product evolves, some of these gaps are addressed. Or, one may decide to use a bolt-on product from the add-on eco-system if you need more intricate functionality – there are some pretty impressive tools out there, covering everything from CRM to Workflow.


Apart from the obvious tactical benefits, we have experienced an improvement in liquidity as we can invoice far more efficiently now and have fewer late payments. Most of the time, the system’s automated reminders are sufficient to initiate settlement of overdue customer invoices, so there is little need to intervene or escalate.


So, to summarise, the great parts of using SAAS packages like this are:

  • Fast implementation

  • Cost effectiveness

  • User friendly and simple interface

  • Cloud and mobile readiness

  • Good standard reporting tools

  • Better business insight


Ratna Chengappa, interim CFO,


So, all in all, we are happy to have streamlined and standardised our financial operations. I would recommend any start-up or SME to upshift to SAAS solutions, sooner rather than later.

If you are grappling with similar business or technology issues on any scale, get in touch on or +44 (0) 800 246 5735

Client testimonial..Key Travel


“We needed architectural level support on options for integration with one of the major ERP players. not only got us the right guy to speak to, they recognised that speed and cost were essential and offered their remote working solution. A win all round as we got the expertise we needed, in short consumable chunks which helped us define the right solution and it didn’t break the bank!” – Saranjit Soor Chief Technology Officer Key Travel.

Sound good to you? Give us a shout here.