ABA Banking Journal
No Result
View All Result
  • Topics
    • Ag Banking
    • Commercial Lending
    • Community Banking
    • Compliance and Risk
    • Cybersecurity
    • Economy
    • Human Resources
    • Insurance
    • Legal
    • Mortgage
    • Mutual Funds
    • Payments
    • Policy
    • Retail and Marketing
    • Tax and Accounting
    • Technology
    • Wealth Management
  • Newsbytes
  • Podcasts
  • Magazine
    • Subscribe
    • Advertise
    • Magazine Archive
    • Newsletter Archive
    • Podcast Archive
    • Sponsored Content Archive
SUBSCRIBE
ABA Banking Journal
  • Topics
    • Ag Banking
    • Commercial Lending
    • Community Banking
    • Compliance and Risk
    • Cybersecurity
    • Economy
    • Human Resources
    • Insurance
    • Legal
    • Mortgage
    • Mutual Funds
    • Payments
    • Policy
    • Retail and Marketing
    • Tax and Accounting
    • Technology
    • Wealth Management
  • Newsbytes
  • Podcasts
  • Magazine
    • Subscribe
    • Advertise
    • Magazine Archive
    • Newsletter Archive
    • Podcast Archive
    • Sponsored Content Archive
No Result
View All Result
No Result
View All Result
Home Compliance and Risk

What Banks Need to Know About Credential Stuffing and How to Stop It

May 17, 2021
Reading Time: 5 mins read
What Banks Need to Know About Credential Stuffing and How to Stop It

By Kim DeCarlis

Digital banking has soared during the pandemic. According to research by BAI, 52 percent of people have increased their use of digital banking services. That rate jumps to 70 percent for millennials.

Banks are reporting record high usage of digital deposit and other online services. With the rapid increase in digital activity has come more credential-stuffing attacks. Credential stuffing is the automated use of usernames and passwords, collected by hackers in data breaches, in order to gain fraudulent access to user accounts. In the fall of 2020, both the Securities and Exchange Commission and the Federal Bureau of Investigation issued credential-stuffing warnings to financial services firms.

The FBI reports that credential-stuffing attacks accounted for the greatest volume of security incidents against the financial sector from 2017 through 2019 at 41 percent of total incidents. Other studies showed criminals were more likely to try leaked or stolen username and password combinations on bank sites than any other type of site.

Cyber criminals see banks as lucrative targets. Even a small number of successful credential stuffing attacks can yield hundreds of thousands to millions of validated credentials. Automated attacks using modern bots can hammer bank websites with rapid-fire log-in attempts. These attackers can also disguise their attacks by using hijacked live web browsers or proxies leveraging home broadband connections. Once the criminals gain unauthorized access to an account, they can quickly maximize their gains before fraud is suspected. Often, they convert stolen assets into untraceable cryptocurrencies or move cash to jurisdictions where enforcement is light.

Banks are reluctant to enforce the use of captchas and multi-factor authentication because it can frustrate customers who want easy access to their banking information. While both security measures reduce the risk of credential stuffing, MFA and captchas can create user friction, increasing abandonment and negatively impacting customer experience. Providing a seamless experience for account holders is top of mind for banks as they face growing competition from other banks and fintech companies with streamlined, mobile-native user experiences.

FBI and SEC recommendations and beyond

Because credential stuffing is a business logic attack, it bypasses most traditional cybersecurity tools, such as firewalls or malware detection. In their alerts, the FBI and SEC provided a list of recommendations to prevent or respond to credential stuffing attacks. The list includes a host of commonly known suggestions such as asking customers to use unique passwords and notifying customers when changes are made to their accounts.

Beyond these basic steps, the bulletins cite three primary technologies to block automated credential stuffing attacks. The first is to ask the user to provide additional information using MFA or captcha. The second is to look for specific signatures common to credential stuffing attacks. The third approach is to identify behaviors likely to indicate credential stuffing and either block those users or route them through additional security measures (such as challenges).

Multi-factor authentication reduces risk by requesting verification of personal customer information that a criminal cannot easily access, particularly effective at blocking brute force attacks that try to guess large sets of stolen credential combinations. Although MFA is a commonly used method, it creates friction. This can discourage and frustrate users—particularly those who are less tech-savvy. Credential-stuffing attacks that are blocked by MFA can also result in elevated customer lockouts. These lockouts can further frustrate customers and add extra burden for support teams. Further, criminals can intercept MFA (SMS or email) for higher-value targets, so MFA is not a guaranteed solution.

A captcha or other type of challenge may be required when a high-value or high-risk action is invoked. For example, challenges like captcha may be required when a customer is sending money to an unknown external account. Unfortunately, cybercriminals can now easily solve captchas and other challenges via third-party “captcha farms,” where humans receive and solve the captcha before handing that attack flow back over to bots. Companies such as 2Captcha offer to solve 1,000 captchas for less than a dollar. Artificial intelligence systems are now capable of solving many types of captchas and challenges. All too often, captchas prove hard for humans to solve, forcing people to try multiple times to solve the puzzle. Transaction abandonment is a common result of captcha frustration.

A more advanced and systemic approach to blocking credential stuffing is to look for “fingerprints” of an attack. Application security teams can set up alerts for conditions such as spikes in log-n page traffic, spikes in failed logins, spikes in password changes and spikes in log-ins from unusual geographies or at unusual times of day. Security teams can then filter out the suspicious traffic.

While still useful, this approach is no longer effective when used in isolation. Sophisticated attackers know how to hide their attacks from any of these filter conditions. They might deploy “low-and-slow” attacks that spread out request volumes across time and IP addresses to hide increases in page traffic or failed logins. They also use agent-based attacks that hijack legitimate browsers and IP addresses in the country where the bank is located. These tactics make basic fingerprinting and attack signature flagging less reliable.

The third and most sophisticated method for blocking credential stuffing attacks is to use behavior-based detection and blocking. This goes beyond just signature-based approaches. Behavior-based detection uses advanced machine learning techniques and iterative feedback loops to build predictive models that can proactively block a wide range of automated attacks that would pass through signature detection.

Behavior-based approaches go beyond the “declarative” identifiers that the SEC and FBI specify as part of fingerprinting. They look for patterns in network data, client-side device and user data (screen resolution, rendering engines) and user interaction events to spot qualitative and quantitative differences between bots and live human users, to name a handful of data types. Behavior-based detection can factor in hundreds of elements and see patterns where human operators would not. Accurate real-time behavior-based detection can learn on the fly, constantly updating its models. This allows banks to automatically reject the overwhelming influx of traffic from unauthorized bots.

Banks need a multi-layered security approach

Credential stuffing is becoming a growing challenge. Cybercriminal gangs are growing more sophisticated. Criminals are seeing seven-figure paydays from successful attacks and banks are reluctant to implement security measures that can create friction in the customer’s experience.

This makes banks one of the largest targets in the credential-stuffing landscape. In addition to upsetting customers when their accounts are hacked and enduring direct and indirect losses from a successful attack, banks also risk financial sanctions, if they fail to live up to the level of security diligence mandated by new privacy laws such as the California Consumer Privacy Act and Europe’s General Data Protection Regulation. Fighting credential stuffing requires planning and coordination across security, fraud, technology and customer experience teams. Implementing multiple layers of defense is essential and banks that do so thoughtfully will succeed in safeguarding their customers, reputations and overall business.

Kim DeCarlis is CMO at PerimeterX, which provides modern web application security solutions that safeguard digital businesses in retail e-commerce from malicious activities.

Tags: Cyber crimeCybersecurityDigital bankingFinancial crimesMobile banking
ShareTweetPin

Related Posts

ABA: OCC should revise proposed changes to bank merger application process

ABA: OCC policy changes create uncertainty about minority deposit institution status

Community Banking
July 17, 2026

In a new letter, ABA cited several concerns about the OCC’s recent revisions to its standards for designating minority deposit institutions, saying the changes create uncertainty for institutions seeking to qualify or maintain MDI designation.

ABA, associations propose improvements to federal data privacy law

Banking agencies promise new approach for handling sensitive information

Compliance and Risk
July 16, 2026

The Federal Reserve, FDIC and OCC announced a “coordinated approach” for handling sensitive information used in bank examinations, including a new pledge to notify banks about data breaches that threaten to expose that information.

AI’s rapid rise compels smart risk management for banks

Risk and compliance as strategic growth partners

Compliance and Risk
July 16, 2026

Risk leaders must build relationships, credibility and trust at the bank so their input is valued.

Vought calls for more CFPB oversight, says open banking proposal coming soon

Vought calls for more CFPB oversight, says open banking proposal coming soon

Compliance and Risk
July 15, 2026

Congress should enact legislation to better define “unfair, deceptive, or abusive acts or practices” to avoid abuses by future regulators, and to fund the CFPB through congressional appropriation to make it more responsive to elected officials, CFPB Acting...

ABA urges FCC to modernize calling rules, strengthen fraud protections

ABA expresses support for strengthening FCC’s Robocall Mitigation Database

Compliance and Risk
July 15, 2026

ABA expressed support for the Federal Communications Commission’s draft proposal to strengthen the Robocall Mitigation Database in a letter sent in advance of a vote on issuing the proposal.

Trump orders creation of AI ‘action plan’

White House announces cybersecurity clearinghouse for software patches

Compliance and Risk
July 15, 2026

The White House has announced a cybersecurity “clearinghouse” that would coordinate scanning for software vulnerabilities and the distribution of vulnerability patches.

NEWSBYTES

ABA: OCC policy changes create uncertainty about minority deposit institution status

July 17, 2026

Banking agencies promise new approach for handling sensitive information

July 16, 2026

ABA, state bankers associations urge House leaders to support Main Street Capital Access Act

July 16, 2026

SPONSORED CONTENT

Why Your Systems Keep Slowing Down — and What to Do About It

Examiners Are Now Looking at Your Non-Core Systems

June 11, 2026
Your Floorplan Audit and Your Credit Decision Are Weeks Apart. That Gap Has a Price.

Your Floorplan Audit and Your Credit Decision Are Weeks Apart. That Gap Has a Price.

June 1, 2026
A Modern Blueprint for Serving High-Net-Worth Families

A Modern Blueprint for Serving High-Net-Worth Families

May 28, 2026
Why Your Systems Keep Slowing Down — and What to Do About It

AI Is in Your Bank. Is Your Cloud Contract Governing It?

May 20, 2026

PODCASTS

Podcast: Understanding the 2025 Home Mortgage Disclosure Act data

July 8, 2026

Podcast: Financing America’s independence

June 29, 2026

Podcast: Talent and innovation in community banking

June 18, 2026

American Bankers Association
1333 New Hampshire Ave NW
Washington, DC 20036
1-800-BANKERS (800-226-5377)
www.aba.com
About ABA
Privacy Policy
Contact ABA

ABA Banking Journal
About ABA Banking Journal
Media Kit
Advertising
Subscribe

© 2026 American Bankers Association. All rights reserved.

No Result
View All Result
  • Topics
    • Ag Banking
    • Commercial Lending
    • Community Banking
    • Compliance and Risk
    • Cybersecurity
    • Economy
    • Human Resources
    • Insurance
    • Legal
    • Mortgage
    • Mutual Funds
    • Payments
    • Policy
    • Retail and Marketing
    • Tax and Accounting
    • Technology
    • Wealth Management
  • Newsbytes
  • Podcasts
  • Magazine
    • Subscribe
    • Advertise
    • Magazine Archive
    • Newsletter Archive
    • Podcast Archive
    • Sponsored Content Archive

© 2026 American Bankers Association. All rights reserved.