Since 2017, nearly 50,000 accounts associated with banks, financial services providers, insurance companies, and investment firms have been compromised through a practice known as credential stuffing. This dangerous attack is perpetrated by bad actors posing as legitimate account holders and bank employees. The fraudster impersonates a user and then gains access to sensitive information.
Unfortunately, the effects of credential stuffing aren’t limited to the single person whose account has been compromised. It causes devastating losses for businesses through system downtime and the damage that results from stolen information. While this type of fraud is gaining momentum in the criminal sphere, there are certain steps you can take to safeguard your institution from attack.
Peeling Back the Curtain
To learn how to stop these fraudsters and prevent credential stuffing, it’s important to understand what goes on behind the scenes of these attacks. This raises the question: what is credential stuffing?
Credential stuffing attacks begin with a collection of data. Namely, fraudsters harvest the identities of people across different platforms, including corporate websites, social media, and the dark web.
Once they compile a list of vulnerable personas, they test those credentials for authentication by using automated tools and distributed login attempts. If successful, they gain access to an account and take it over. The fraudster can then collect personally identifiable information (PII).
The final part of the process is list stuffing. This refers to the creation of a list filled with credentials and PII, to be used for future login attempts.
The reported numbers of credential stuffing attempts are alarming, as they stretch into the billions. While the rate of actual success is still low, the use of botnets by cyber criminals allows for attempts on a massive scale. They can target many accounts within a short timeframe, which makes the attack that much more difficult to protect against.
Understanding the Risk
Credential stuffing attacks represented the biggest threat to the financial sector between 2017 and 2019. On average, affected businesses are losing $6 million per year, and fraudsters show no sign of slowing down. New methods for fraudsters to trick their way into accounts by using botnets emerge every day.
Customers and employees who use the same email and password combination across multiple online accounts are especially susceptible to attack. Once a fraudster gains access to one account, the fraudster can multiply the damage by logging in across multiple sites. They have free rein to abuse credit card or loyalty programs, commit identity fraud, or make fraudulent transactions.
We can’t overstate the severity of credential stuffing. It’s important that businesses take the threat seriously and do their part to maintain the integrity of online accounts and prevent sensitive information from being stolen.
Taking a Stand to Protect your Business
Credential stuffing is often mixed up with another fraud tactic, the distributed denial-of-service (DDoS) attack. However, you can recognize credential stuffing by two specific indicators: an unusually large number of failed logins from multiple IP addresses, and an increase in lockout rates.
We recommend a multifaceted approach to protect your company from this threat. Communication is essential in ensuring that you equip all staff members to handle the situation. The following tips are several of the most important areas to consider when it comes to creating a strong defense.
- Monitor accounts: Institutions must always be on the lookout for activity that reveals unauthorized access, and be prepared to launch immediate action.
- Encourage strong and unique passwords: Both customers and employees should follow this advice. Each site should have a different password, and passwords should be changed regularly. In the event that you detect fraudulent activity, usernames and passwords should be updated immediately.
- Update company policies: The owner of an account should be contacted immediately to verify any changes the moment they are made. A process needs to be put in place for the creation of account information, especially for banks, insurance, and trading accounts.
- Use detection tools: Detection tools can be implemented to monitor increased traffic as well as failed authentication attempts. Both of these are signs of possible fraudulent activity.
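As an added illustration of the two indicators named above (this is not code from the original article), the following Python sketch parses constructed login log lines and flags a window in which failures are spread across many source IPs and the lockout rate has climbed; the log format, sample values and thresholds are all assumptions.

```python
import re

# Constructed sample authentication log lines (not from the original article).
# Each line: ISO timestamp, username, source IP, outcome of the attempt.
SAMPLE_LOG = """\
2024-03-01T10:00:01 login user=alice src=192.0.2.10 result=OK
2024-03-01T10:00:05 login user=bob src=198.51.100.7 result=FAIL
2024-03-01T10:00:06 login user=bob src=198.51.100.7 result=OK
2024-03-01T10:01:10 login user=carol src=203.0.113.5 result=FAIL
2024-03-01T10:01:11 login user=dave src=203.0.113.6 result=FAIL
2024-03-01T10:01:12 login user=erin src=203.0.113.7 result=FAIL
2024-03-01T10:01:13 login user=frank src=203.0.113.8 result=LOCKOUT
2024-03-01T10:01:14 login user=grace src=203.0.113.9 result=FAIL
2024-03-01T10:01:15 login user=heidi src=203.0.113.10 result=LOCKOUT
"""

# Assumed log format; adjust the pattern to your own authentication logs.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) login user=(?P<user>\S+) src=(?P<ip>\S+) result=(?P<result>OK|FAIL|LOCKOUT)$"
)

def parse_log(text):
    """Return a list of (user, ip, result) tuples, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((m["user"], m["ip"], m["result"]))
    return events

def summarize(events):
    """Count failures, lockouts and the distinct source IPs and users behind the failures."""
    failed = [e for e in events if e[2] in ("FAIL", "LOCKOUT")]
    lockouts = sum(1 for e in events if e[2] == "LOCKOUT")
    return {
        "attempts": len(events),
        "failures": len(failed),
        "failed_ips": len({ip for _, ip, _ in failed}),
        "failed_users": len({user for user, _, _ in failed}),
        "lockout_rate": lockouts / len(events) if events else 0.0,
    }

def looks_like_stuffing(summary, min_failures=5, min_ips=5, max_lockout_rate=0.05):
    """Flag the article's two indicators: many failures spread over many source IPs,
    plus a lockout rate above a normal baseline. Thresholds are illustrative."""
    return (
        summary["failures"] >= min_failures
        and summary["failed_ips"] >= min_ips
        and summary["lockout_rate"] > max_lockout_rate
    )
```

Run over a rolling time window in practice, so that a baseline window (few failures, one or two IPs) and an attack window (failures from many IPs, lockouts rising) are compared rather than the whole day at once.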
The Bottom Line
Credential stuffing has the potential to cause crippling damage to your business. It could compromise the integrity of clients’ accounts, as well as your reputation. It’s essential that you take the threat seriously.
We strongly recommend that you follow all safety protocols to protect customer and employee information from being stolen, accessed, and fraudulently used. Bad actors are working hard to undermine and cheat the system, and they develop new tactics constantly. In response, it’s important for you to remain vigilant.