What Banks Need to Know About Credential Stuffing and How to Stop It

By Kim DeCarlis

Digital banking has soared during the pandemic. According to research by BAI, 52 percent of people have increased their use of digital banking services. That rate jumps to 70 percent for millennials.

Banks are reporting record high usage of digital deposit and other online services. With the rapid increase in digital activity has come more credential-stuffing attacks. Credential stuffing is the automated replay of username and password pairs stolen in data breaches at other sites against a target's login page; it works because many people reuse the same password across sites. In the fall of 2020, both the Securities and Exchange Commission and the Federal Bureau of Investigation issued credential-stuffing warnings to financial services firms.

The FBI reports that credential-stuffing attacks accounted for the greatest volume of security incidents against the financial sector from 2017 through 2019 at 41 percent of total incidents. Other studies showed criminals were more likely to try leaked or stolen username and password combinations on bank sites than any other type of site.

Cyber criminals see banks as lucrative targets. Even a small number of successful credential stuffing attacks can yield hundreds of thousands to millions of validated credentials. Automated attacks using modern bots can hammer bank websites with rapid-fire log-in attempts. These attackers can also disguise their attacks by using hijacked live web browsers or proxies leveraging home broadband connections. Once the criminals gain unauthorized access to an account, they can quickly maximize their gains before fraud is suspected. Often, they convert stolen assets into untraceable cryptocurrencies or move cash to jurisdictions where enforcement is light.

Banks are reluctant to enforce the use of captchas and multi-factor authentication because it can frustrate customers who want easy access to their banking information. While both security measures reduce the risk of credential stuffing, MFA and captchas can create user friction, increasing abandonment and negatively impacting customer experience. Providing a seamless experience for account holders is top of mind for banks as they face growing competition from other banks and fintech companies with streamlined, mobile-native user experiences.

FBI and SEC recommendations and beyond

Because credential stuffing is a business logic attack, it bypasses most traditional cybersecurity tools, such as firewalls or malware detection: each attempt uses the login flow exactly as a legitimate customer would, with valid-looking credentials and no exploit payload to match against. In their alerts, the FBI and SEC provided a list of recommendations to prevent or respond to credential stuffing attacks. The list includes a host of commonly known suggestions such as asking customers to use unique passwords and notifying customers when changes are made to their accounts.

Beyond these basic steps, the bulletins cite three primary technologies to block automated credential stuffing attacks. The first is to ask the user to provide additional information using MFA or captcha. The second is to look for specific signatures common to credential stuffing attacks. The third approach is to identify behaviors likely to indicate credential stuffing and either block those users or route them through additional security measures (such as challenges).

Multi-factor authentication reduces risk by requiring a second proof of identity, such as a one-time code, that a criminal holding only a leaked username and password does not have. It is therefore effective against credential stuffing, where attackers replay large sets of stolen username and password pairs rather than guessing them. Although MFA is a commonly used method, it creates friction. This can discourage and frustrate users, particularly those who are less tech-savvy. Credential-stuffing attempts that are blocked by MFA can also trigger elevated customer lockouts. These lockouts can further frustrate customers and add extra burden for support teams. Further, criminals can intercept or phish MFA codes delivered by SMS or email (for example through SIM swapping or a real-time phishing proxy that relays the code) for higher-value targets, so MFA is not a guaranteed solution.

A captcha or other type of challenge may be required when a high-value or high-risk action is invoked. For example, challenges like captcha may be required when a customer is sending money to an unknown external account. Unfortunately, cybercriminals can now easily solve captchas and other challenges via third-party “captcha farms,” where humans receive and solve the captcha before handing that attack flow back over to bots. Companies such as 2Captcha offer to solve 1,000 captchas for less than a dollar. Artificial intelligence systems are now capable of solving many types of captchas and challenges. All too often, captchas prove hard for humans to solve, forcing people to try multiple times to solve the puzzle. Transaction abandonment is a common result of captcha frustration.

A more advanced and systemic approach to blocking credential stuffing is to look for "fingerprints" of an attack. Application security teams can set up alerts for conditions such as spikes in login page traffic, spikes in failed logins, spikes in password changes, and spikes in logins from unusual geographies or at unusual times of day. Security teams can then filter out the suspicious traffic.

While still useful, this approach is no longer effective when used in isolation. Sophisticated attackers know how to hide their attacks from any of these filter conditions. They might deploy “low-and-slow” attacks that spread out request volumes across time and IP addresses to hide increases in page traffic or failed logins. They also use agent-based attacks that hijack legitimate browsers and IP addresses in the country where the bank is located. These tactics make basic fingerprinting and attack signature flagging less reliable.
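As an added example, not code from PerimeterX or from this article, the following Python script runs the signature checks described above over a constructed login log and shows why a low-and-slow run slips past per-window and per-IP thresholds while still leaving a distribution signature. The log format (ISO-8601 timestamp, IP, username, result), the thresholds and the sample addresses are all assumptions; the traffic is constructed, not real bank data.

```python
"""Credential-stuffing signatures over a login log (added example).

Three checks from the text: failed-login spikes per window, noisy source
IPs, and a distribution signature that survives low-and-slow attacks.
The log format (ISO-8601 timestamp, IP, username, result) and all
thresholds are assumptions; the traffic below is constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

EPOCH = datetime(1970, 1, 1)


def parse_login_log(text):
    """Parse 'timestamp ip username success|failure' lines into events."""
    events = []
    for line in text.strip().splitlines():
        ts, ip, user, result = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "ip": ip,
                       "user": user, "ok": result == "success"})
    return sorted(events, key=lambda e: e["ts"])


def bucket(ts, window):
    """Start of the fixed-size window that contains ts."""
    return EPOCH + ((ts - EPOCH) // window) * window


def failures_by_window(events, window):
    """Group failed logins by window start."""
    groups = defaultdict(list)
    for e in events:
        if not e["ok"]:
            groups[bucket(e["ts"], window)].append(e)
    return groups


def failure_spikes(events, window=timedelta(minutes=5), baseline=3, factor=5):
    """Volumetric signature: windows with more than factor x baseline failures.
    baseline is the normal failure count per window (assumed here; measure it)."""
    return sorted(b for b, fails in failures_by_window(events, window).items()
                  if len(fails) > baseline * factor)


def noisy_ips(events, max_failures=5):
    """Per-source signature: IPs with more than max_failures failed logins."""
    fails = defaultdict(int)
    for e in events:
        if not e["ok"]:
            fails[e["ip"]] += 1
    return {ip for ip, n in fails.items() if n > max_failures}


def spray_signatures(events, window=timedelta(hours=1)):
    """Distribution signature per window: how spread out failures are over
    distinct usernames and distinct source IPs. Forgotten-password traffic is
    concentrated (one user retrying from one address); a stuffing run tries
    each leaked pair roughly once, so user_spread approaches 1.0, and a run
    distributed through residential proxies pushes ip_spread up as well."""
    sigs = {}
    for b, fails in failures_by_window(events, window).items():
        users = {e["user"] for e in fails}
        ips = {e["ip"] for e in fails}
        sigs[b] = {"failures": len(fails),
                   "user_spread": len(users) / len(fails),
                   "ip_spread": len(ips) / len(fails)}
    return sigs


def low_and_slow_windows(events, window=timedelta(hours=1),
                         min_failures=20, min_spread=0.8):
    """Windows whose failures are modest per IP and per minute but are spread
    over (almost) as many usernames and source IPs as there are attempts."""
    return sorted(b for b, s in spray_signatures(events, window).items()
                  if s["failures"] >= min_failures
                  and s["user_spread"] >= min_spread
                  and s["ip_spread"] >= min_spread)


def constructed_log():
    """Constructed traffic (not real bank logs): a quiet baseline, a rapid-fire
    burst through two proxies, and a low-and-slow run from 30 residential
    addresses, one leaked username each, two minutes apart."""
    t0 = datetime(2020, 10, 1, 9, 0)

    def stamp(**offset):
        return (t0 + timedelta(**offset)).isoformat()

    lines = [f"{stamp(minutes=1)} 203.0.113.10 alice failure",
             f"{stamp(minutes=2)} 203.0.113.10 alice failure",
             f"{stamp(minutes=3)} 203.0.113.10 alice success",
             f"{stamp(minutes=4)} 203.0.113.11 bob success"]
    # 40 leaked usernames hammered from two proxy addresses inside one minute.
    lines += [f"{stamp(minutes=10, seconds=i)} 198.51.100.{i % 2} user{i:03d} failure"
              for i in range(40)]
    # 30 attempts, 30 addresses, 30 usernames, spread over an hour.
    lines += [f"{stamp(hours=2, minutes=2 * i)} 192.0.2.{i + 1} victim{i:02d} failure"
              for i in range(30)]
    return "\n".join(lines)


if __name__ == "__main__":
    ev = parse_login_log(constructed_log())
    print("failure spikes:", [b.isoformat() for b in failure_spikes(ev)])
    print("noisy IPs:", sorted(noisy_ips(ev)))
    print("low-and-slow windows:", [b.isoformat() for b in low_and_slow_windows(ev)])
```

Run stand-alone, the burst trips both the five-minute spike check and the per-IP threshold, while the low-and-slow run trips neither (at most three failures per five-minute window, one per address) and is only visible in the hourly spread ratios. The thresholds here are placeholders: in practice the baseline failure rate must be measured per site, and an attacker who mixes in known-good logins or retries the same handful of accounts can dilute the spread ratios, which is the limitation the next sections address with behavior-based detection.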

The third and most sophisticated method for blocking credential stuffing attacks is to use behavior-based detection and blocking. This goes beyond just signature-based approaches. Behavior-based detection uses advanced machine learning techniques and iterative feedback loops to build predictive models that can proactively block a wide range of automated attacks that would pass through signature detection.

Behavior-based approaches go beyond the "declarative" identifiers that the SEC and FBI specify as part of fingerprinting. They look for patterns across several kinds of data, among them network data, client-side device and browser data (screen resolution, rendering engines) and user interaction events, to spot qualitative and quantitative differences between bots and live human users. Behavior-based detection can factor in hundreds of elements and see patterns where human operators would not. Accurate real-time behavior-based detection can learn on the fly, constantly updating its models. This allows banks to automatically reject the overwhelming influx of traffic from unauthorized bots.

Banks need a multi-layered security approach

Credential stuffing is a growing challenge. Cybercriminal gangs are growing more sophisticated. Criminals are seeing seven-figure paydays from successful attacks, and banks are reluctant to implement security measures that can create friction in the customer's experience.

This makes banks one of the largest targets in the credential-stuffing landscape. In addition to upsetting customers when their accounts are hacked and enduring direct and indirect losses from a successful attack, banks also risk financial sanctions if they fail to live up to the level of security diligence mandated by new privacy laws such as the California Consumer Privacy Act and Europe's General Data Protection Regulation. Fighting credential stuffing requires planning and coordination across security, fraud, technology and customer experience teams. Implementing multiple layers of defense is essential, and banks that do so thoughtfully will succeed in safeguarding their customers, reputations and overall business.

Kim DeCarlis is CMO at PerimeterX, which provides modern web application security solutions that safeguard digital businesses in retail e-commerce from malicious activities.