What Banks Need to Know About Credential Stuffing and How to Stop It

As originally published in ABA Banking Journal

What Banks Need to Know

Digital banking has soared during the pandemic. According to research by BAI, 52 percent of people have increased their use of digital banking services. That rate jumps to 70 percent for millennials.

Banks are reporting record-high usage of digital deposit and other online services. With the rapid increase in digital activity has come more credential-stuffing attacks. Credential stuffing is the automated use of usernames and passwords, collected by hackers in data breaches, to gain fraudulent access to user accounts. In the fall of 2020, both the Securities and Exchange Commission and the Federal Bureau of Investigation issued credential-stuffing warnings to financial services firms.

The FBI reports that credential-stuffing attacks accounted for the greatest volume of security incidents against the financial sector from 2017 through 2019 at 41 percent of total incidents. Other studies showed criminals were more likely to try leaked or stolen username and password combinations on bank sites than any other type of site.

Cyber criminals see banks as lucrative targets. Even a small number of successful credential-stuffing attacks can yield hundreds of thousands to millions of validated credentials. Automated attacks using modern bots can hammer bank websites with rapid-fire login attempts. These attackers can also disguise their attacks by using hijacked live web browsers or proxies leveraging home broadband connections. Once the criminals gain unauthorized access to an account, they can quickly maximize their gains before fraud is suspected. Often, they convert stolen assets into untraceable cryptocurrencies or move cash to jurisdictions where enforcement is light.
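
The paragraph above notes that attackers spread login attempts across proxies. As an added illustration (not from the original article), this Python sketch over constructed login events shows why a per-IP failure counter misses such a replay, while a per-window check on failure ratio and distinct usernames flags it. The event format, thresholds and function names are assumptions.

```python
from collections import defaultdict

def make_sample():
    """Constructed login events: (epoch_sec, src_ip, username, success)."""
    events = []
    # Normal traffic, seconds 0-59: known customers, an occasional typo.
    for i in range(20):
        events.append((i * 3, f"198.51.100.{i % 5}", f"cust{i % 10}", i % 7 != 0))
    # Replay of a breached list, seconds 60-119: 200 username/password pairs
    # spread over 100 proxy IPs, so each IP makes only 2 attempts.
    for i in range(200):
        events.append((60 + i * 0.3, f"203.0.113.{i % 100}", f"leak{i}", i % 100 == 0))
    return events

def noisy_ips(events, max_failures=5):
    """Classic per-IP control: flag sources with too many failed logins."""
    fails = defaultdict(int)
    for _, ip, _, ok in events:
        if not ok:
            fails[ip] += 1
    return {ip for ip, n in fails.items() if n > max_failures}

def stuffing_windows(events, window=60, min_attempts=50,
                     min_fail_ratio=0.9, min_user_ratio=0.8):
    """Flag windows where most logins fail AND nearly every attempt names a
    different account, the shape of a breached list being replayed."""
    buckets = defaultdict(list)
    for ts, ip, user, ok in events:
        buckets[int(ts // window) * window].append((ip, user, ok))
    flagged = []
    for start in sorted(buckets):
        rows = buckets[start]
        attempts = len(rows)
        fail_ratio = sum(1 for r in rows if not r[2]) / attempts
        user_ratio = len({r[1] for r in rows}) / attempts
        if (attempts >= min_attempts and fail_ratio >= min_fail_ratio
                and user_ratio >= min_user_ratio):
            flagged.append({"start": start, "attempts": attempts,
                            "fail_ratio": round(fail_ratio, 2),
                            "distinct_ips": len({r[0] for r in rows})})
    return flagged

if __name__ == "__main__":
    ev = make_sample()
    print("per-IP flags:", noisy_ips(ev))
    print("window flags:", stuffing_windows(ev))
```
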

Banks are reluctant to enforce the use of captchas and multi-factor authentication because they can frustrate customers who want easy access to their banking information. While both security measures reduce the risk of credential stuffing, MFA and captchas can ...

*** This is a Security Bloggers Network syndicated blog from PerimeterX Blog authored by PerimeterX Blog.