Credential stuffing: What banks need to know

  • Posted by: Will Raymer, VP of Product


Billions of usernames and passwords are available on the black market, and this number is only growing. In August, a new data breach was publicly reported every 4 hours. This has led to a rapid increase in the latest approach used by fraudsters to steal money from online banking accounts – credential stuffing.

Understanding Credential Stuffing

Cybersecurity firm F5 reported earlier this year that credential stuffing and brute force account takeover attacks now make up more than 40% of all security incidents. Credential stuffing attacks start when credentials are exposed as part of a data breach. An attacker purchases or steals a massive file that contains millions of logins and passwords. The credentials can be from anywhere, because customers often reuse usernames and passwords across multiple sites.

Attackers use bots that simultaneously attempt many logins to the online or mobile banking service from different IP addresses. Because the failed attempts are spread across many source addresses, each one stays below the per-address threshold, so this attack circumvents simple security measures like banning IP addresses or browser clients with too many failed logins.

The larger the institution, the higher the risk, because credential stuffing is all about probability: the more accounts at an institution, the more likely some breached credentials are valid. These attacks are easy and cheap to run, making them one of the most common attacks banks see today. As more protected information is exposed by data breaches, credential stuffing attacks become more frequent and successful.

Identifying Attacks

As these attacks happen more often, there are a few things banks can do to help identify credential stuffing fraud. The first and most common way to mitigate these attacks is to use technology like reCAPTCHA to identify bots that are attempting logins.

Banks can also use AI and machine learning to identify patterns in customers’ behavior when they log in. Using these patterns, it is easier to identify behavior that is abnormal and potentially fraudulent. Once a potential risk is identified, extra layers of security can be deployed to help stop fraud before it truly starts.

Machine learning is particularly useful because it safeguards customers without sacrificing their experience. The best tools run in the background and only ask for extra authentication when they detect something suspicious. Solutions like this are easy to implement, so they can have a huge impact with low effort from the bank and customer.

How to Respond

Even when you know an attack is occurring, your customer is often the first to know their particular account has been targeted. This means one key to stopping fraud is empowering customers to protect themselves.

I recently had an online account attacked by credential stuffing. I got an email alert that someone had logged into my account from Vietnam — but there was nothing I could do about it. I found myself in a race with the fraudster to change my password, but they were already minutes ahead of me.

It’s important to allow users to disable their account as soon as they get a suspicious login alert. This pauses the race against the fraudster, stops any further losses, and lets your customer call you to sort things out. Crucially, you empower customers who find out about fraud before you.

Another way to help customers defend themselves is to offer services that check passwords against the same lists of breached credentials that hackers use. Studies on password reuse usually conclude two things: almost everyone knows not to reuse passwords, and almost everyone does it anyway. If you tell customers their specific password choice is risky, they are much more likely to choose credentials that are secure.

As a bank, communicating more openly about data security and breaches also keeps customers safe. Telling customers about breached credentials is sensitive. Many customers may be upset and blame the bank, even though the bank was completely unconnected to the breach. The best tools give you a spectrum of options here: from simply informing customers that they are reusing passwords, to adding extra layers of authentication or requiring they pick a safer password. Being open and honest that customers may be at risk is difficult, but when done right, your openness can ultimately keep customer accounts – and the bank itself – safe.
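The breached-password check and the spectrum of responses above, as an added example that is not the article's or any vendor's code: the bank hashes the candidate password locally and sends only the first five hex digits of the SHA-1 to the list provider, which returns the matching suffixes, so the provider never learns the password or its full hash. This k-anonymity layout is an assumption modelled on the Have I Been Pwned Pwned Passwords range API; here it is served from a constructed in-memory list with no network, and the five breached passwords and policy names are made up.

```python
import hashlib

# Constructed breached-password corpus. A real feed holds billions of entries;
# these five values are made up for the example.
BREACHED_PASSWORDS = ["password", "123456", "qwerty", "letmein", "Summer2019!"]

def sha1_hex(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

# Provider side: bucket hash suffixes by their first five hex digits (the
# k-anonymity layout assumed from the HIBP range endpoint), served locally.
def build_range_index(passwords):
    index = {}
    for pw in passwords:
        h = sha1_hex(pw)
        index.setdefault(h[:5], []).append(h[5:])
    return index

def range_lookup(index, prefix):
    # The provider only ever learns a 5-digit prefix: roughly a million
    # buckets, so it cannot tell which password the bank is checking.
    return index.get(prefix, [])

INDEX = build_range_index(BREACHED_PASSWORDS)

# Bank side: the full hash stays local; only the prefix crosses the wire, and
# the suffix comparison happens here.
def is_breached(password, index=INDEX):
    h = sha1_hex(password)
    return h[5:] in range_lookup(index, h[:5])

# The spectrum of responses the article describes, chosen by bank policy:
# just tell the customer, add extra authentication, or refuse the password.
def password_change_decision(password, policy="require", index=INDEX):
    if not is_breached(password, index):
        return "accept"
    return {"inform": "accept_with_warning",
            "step_up": "accept_with_extra_auth",
            "require": "reject"}[policy]
```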

Fraudsters are getting more savvy, but banks are too. Banks do not need to be perfect to prevent most fraud. Instead of trying to block every single shot, they just need to present a smaller target.

Banks have access to solutions that can stand up to today’s digital attacks by eliminating many of the easy opportunities fraudsters have to access accounts or the institution itself. And when customers are equipped and empowered to protect themselves, both banks and customers win.

Published at BAI Banking Strategies


Author: Will Raymer, VP of Product
Drawing on a multidisciplinary career leading creative teams, Will has guided multiple digital banking products from spec to success at Access Softek. In addition to product management, his many roles in eight years at the company have included implementation, writing, and second tenor. He loves to think about scaled agile methodologies, healthy management practices, and humanistic software design.