Credential Stuffing and Account Takeover Attacks Continue to Rise

Cyber attackers have found credential stuffing attacks and account takeovers (ATOs) to be a highly effective, highly scalable way to commit fraud against organizations in the financial services industry, as well as for other types of digital merchants.

That’s according to a new study published by Aberdeen Strategy & Research for PerimeterX titled Quantifying the Impact of Credential Stuffing and Account Takeovers in Financial Services, which quantifies the risk of automated fraud for these organizations.

In an ATO attack, cybercriminals take unauthorized ownership of online accounts using stolen usernames and passwords. This is relatively simple, because users don’t change passwords often, and they reuse login credentials across multiple sites. Attackers typically buy a list of credentials on the dark web—often obtained from previous data breaches, social engineering and phishing attacks—and launch an army of bots across financial institution and retailer websites to test username and password combinations on login screens. Attackers can break into authentication login pages on websites, mobile sites and native mobile app APIs. In the end, they get a list of validated credentials they can profit from by abusing the account or by selling the validated credentials to others. These attacks result in account fraud and a form of identity theft.

Credential stuffing is the automated injection of stolen username/password pairs into website login forms, in order to fraudulently gain access to user accounts. Again, due to username and password reuse, when those credentials are exposed by a database breach or phishing attack, for example, submitting those sets of stolen credentials into dozens or hundreds of other sites can allow an attacker to compromise those accounts too.

From the perspective of financially motivated attackers, there are three obvious reasons why credential stuffing and ATO attacks against organizations in the financial services industry represent such a rich opportunity:

• Credential stuffing attacks are an effective, brute-force way for attackers to exploit weak or compromised digital credentials and gain unauthorized access to user accounts.
• Credential stuffing attacks have become significantly easier for attackers to automate, at Internet speed and scale.
• Financially motivated attackers are making successful account takeovers pay off, in several ways.

From the defender’s perspective, the flip side of these same reasons are why organizations in the financial services industry are being forced to pay closer attention to credential stuffing and ATOs. Digital credentials are central to the way they manage the long-term, account-based relationships with their digital customers. Bot-driven credential stuffing attacks are prevalent, and growing. The financial consequences of successful account takeovers—both direct, and indirect—highlighted in the Aberdeen Group report include:

• Financial consequences have grown to a level that goes beyond a mere “cost of doing business,” to become a material business risk.
• To address the issue of credential stuffing and account takeovers, organizations in the financial services industry are about three times more likely to invest in fighting malicious bots than to take steps to reduce weak passwords and password reuse.
• Advanced bot detection and mitigation services top the list of technical capabilities being adopted to combat automated credential stuffing attacks.

When respondents were asked about the direct consequences from attacks on their customer accounts, the survey found that:

• 45 percent experienced fraudulent transactions.
• 31 percent saw the creation of new accounts (e.g., credit applications).
• 24 percent reported transfer of funds or other fungible value, (e.g., loyalty points or rewards).

The cost of mobile and web-based fraud was reported as high as 8.3 percent of responding companies’ revenue. This cost includes chargebacks, add-on security services and damage to brand reputation and consumer trust that cause customer churn, slower growth and lower stock value.

As online banking and digital transactions continue to grow, organizations in the financial services industry must prioritize risk mitigation strategies to combat credential stuffing and ATO attacks. Advanced bot detection and mitigation solutions that leverage machine learning and behavioral analysis to continually improve detection accuracy effectively reduce the effectiveness of attacks. This allows businesses to put worrying about automated fraud behind them and focus on innovating and delivering value for their customers.

Some recommended steps to take include:

• Assess your risks and audit your exposure.
• Consider building a system to log attacks.
• Evaluate and consider technologies to proactively block attacks.
• Adopt modern solutions that leverage machine learning.

As we leave the holiday season, it is important to know that automated attacks such as credential stuffing and ATO attacks have no season. Every season is attack season. And daily attacks are higher than ever. It’s important to have a plan with solutions in place to enable vigilance throughout the year.