Credential stuffing: What banks need to know

Billions of usernames and passwords are available on the black market, and this number is only growing as several new data breaches are publicly reported each day. This has led to a rapid increase in the latest approach used by fraudsters to steal money from online banking accounts – credential stuffing.

Credential stuffing attacks start when credentials are exposed as part of a data breach. An attacker purchases or steals a massive file that contains millions of logins and passwords. The credentials can be from anywhere because customers often reuse usernames and passwords across multiple sites.

Cybersecurity firm F5 reported earlier this year that credential stuffing and brute-force account takeover attacks now make up more than 40 percent of all security incidents. Attackers use bots that simultaneously attempt many logins to the online or mobile banking service from different IP addresses. This type of attack can circumvent simple security measures like banning IP addresses or browser clients with too many failed logins.

The larger the institution, the higher the risk because credential stuffing is all about probability: the more accounts at an institution, the more likely some breached credentials are valid. These attacks are easy and cheap to run, and as more protected information is exposed by data breaches, they become more frequent and successful.

There are a few things banks can do to help identify credential stuffing fraud. The first and most common way to mitigate these attacks is to use technology like ReCaptcha to identify bots that are attempting logins. Banks can also use AI and machine learning to identify patterns in customers’ behavior when they log in. Once a potential risk is identified, extra layers of security can be deployed to help stop fraud before it truly starts.

Machine learning is particularly useful because it safeguards customers without sacrificing their experience. The best tools run in the background and only ask for extra authentication when they detect something suspicious. Solutions like this are easy to implement, so they can have a huge impact with low effort from the bank and customer.

Responding to a credential stuffing attack

Even when you know an attack is occurring, your customer is often the first to know their particular account has been targeted. This means one key to stopping fraud is empowering customers to protect themselves.

I recently had an online account attacked by credential stuffing. I got an email alert that someone had logged into my account from Vietnam — but there was nothing I could do about it. I found myself in a race with the fraudster to change my password, but they were already minutes ahead of me.

It’s important to allow users to disable their account as soon as they get a suspicious login alert. This pauses the race against the fraudster, stops further losses and lets your customer call you to sort things out.

Another way to help customers defend themselves is to offer services that check passwords against the same lists of breached credentials that hackers use. Studies on password reuse usually conclude two things: almost everyone knows not reuse passwords, and almost everyone does it anyway. If you tell customers their specific password choice is risky, they are much more likely to choose credentials that are secure.

Communicating more openly about data security and breaches also keeps customers safe. Telling customers about breached credentials is sensitive – customers are often upset and blame the bank, even though the bank was unconnected to the breach. The best tools give you a spectrum of options here: from simply informing customers that they are reusing passwords to adding extra layers of authentication or requiring they pick a safer password. Being open and honest that customers may be at risk is difficult, but when done right, your openness can ultimately keep customer accounts – and the bank itself – safe.

Fraudsters are getting more savvy, but banks are, too. Banks do not need to be perfect to prevent most fraud. Instead of trying to block every shot, they just need to present a smaller target. And when customers are equipped and empowered to protect themselves, both banks and customers win.

Will Raymer is vice president of product at Access Softek.

Subscribe to the BAI Banking Strategies newsletter and podcast.