Credential Stuffing: Revising How We Manage Fraud and Cyber Post-COVID
July 21st, 2020
With all the COVID-19 headlines, it’s easy to miss the latest news on the old fraud favourite: credential stuffing. A recent survey by Atlas VPN showed the U.S. experiences 87 million credential stuffing attacks per day. What can we do to fight back?
What is credential stuffing?
As complex passwords are difficult to remember, users often reuse credentials across different websites. This means that any data breach, anywhere, could pose a risk to your organisation’s site. The attack takes the stolen credentials (username/email and password) and, using automated tools, attempts to log in to many accounts. The tools try to mimic normal user behaviour and come from multiple IP addresses.
Without multi-factor authentication (MFA) in place, accounts can be breached and used for social engineering attacks or account takeover.
As we have seen with Zelle, fraudsters try to bypass MFA by enrolling apps and using social engineering or SIM swapping to get around this requirement. This can be exacerbated by aggregator apps and bots, so it’s important to separate out the requests and use MFA at registration.
Where banks have tools in place to detect this, customers can find themselves locked out of their accounts. Where banks don’t have these tools, customers are likely to become victims of fraud.
Credential stuffing clearly creates a problem for consumers and banks alike. Consumers lose funds, which banks need to refund. But the problem is larger than this, as consumers and businesses lose confidence in new technologies, which can ideally save them money or time. This type of scam also adds to the cost of the financial ecosystem.
With more digital users than ever, and new channels to access accounts and make payments such as virtual assistants like Alexa and chatbots, and real-time payments, now is the time to revisit how to secure accounts from credential stuffing attacks and subsequent account takeovers.
Protecting Your Customers from Credential Stuffing
We are starting to see the need for fusion between cyber and fraud, and credential stuffing is one reason why. By bringing elements of each discipline together as part of a holistic response to customer security and fraud prevention, we can see important improvements in detection and prevention.
This work needs to start with password policies and user education, all while assuming most users will continue their poor security habits. As an organisation, ensure you have sensible password strategies in place to screen out the most common passwords. The “123456” password is still used wherever it is allowed. Provide users with advice on how to set strong passwords and recommend using a password manager.
Password advice from the UK’s intelligence service, GCHQ, recommends against prompting regular password changing, as this can lead to even weaker password use. In addition, make sure your error messages don’t assist attackers by divulging if a password is wrong but a username is correct.
Next, integrate your authentication and fraud profiling together, scoring enrolments and logins as well as payments. This might be enrolment to Zelle, a bank app, digital wallet, FinTech or even an accountancy service. By feeding in all the relevant events, such as enrolments and logins from all channels, normal customer patterns and profiles can be built. This allows friction to be applied in proportion to the risk of the event at hand. Doing this means that MFA can be directly linked to the level of risk, increasing security while allowing genuine customers through. This also means that high-risk attacks can be blocked at an earlier stage, rather than just creating more alerts.
Once that’s complete, enrich your fraud profiling system with data and intelligence, including credentials from internal and external intelligence sources. This can be expanded with additional relevant data and events, such as unsuccessful logins and password resets, or known bad IP addresses and devices.
The sharing of known bad data/intel in either closed or open networks, such as through collective intelligence, is gaining traction in the fight against the Organised Crime Groups (OCGs) that operate against financial services organisations (FSOs).
This can be boosted by:
- Seeding link analysis to find fraud networks
- Applying hygiene throughout the customer lifecycle, so that known fraudsters are neither onboarded nor retained, whether identified by name or device. From a password point of view, this protects customers by preventing them from using weak passwords and by force-resetting passwords that appeared in a leak alongside their username or email.
As ever, the customer is key here. Improved customer messaging could also be useful, such as notifications of new device logins, changes of details and also unsuccessful login attempts. With unsuccessful login messages, make sure that they include the information the customer needs to understand the issue, such as time and location data, or if they just typed the password incorrectly. Otherwise you may increase calls to your fraud line.
Another practice is to treat traffic from different channels in appropriate ways and keep them separate, such as blocking bots and scripts from human-only channels. For channels where automation is expected, such as an aggregator service, make sure these have an appropriate registration service. By then sharing data from the channels on failed logins and creating entity profiles around IP addresses and other data, high risk scenarios can be detected and dealt with efficiently within the fraud system. For example, this could include alerts created when high levels of activity from an IP address are detected. This then allows for the use of existing interdiction, automation and communication.
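The profiling, risk-weighted MFA and per-IP alerting described in the last few paragraphs can be sketched as a small pipeline: build normal patterns from successful logins, score each new login against them so that friction rises with risk, block scripted traffic on human-only channels, and raise an alert when one IP address fails against many distinct usernames in a short window (the signature of a stuffing run). This is an added example, not code from the original article or from any fraud product; the event fields, weights, thresholds and the sample login events are all constructed for illustration.

```python
"""Risk-weighted login decisions and per-IP credential-stuffing alerts (added example)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class LoginEvent:
    ts: int            # seconds since epoch (constructed values)
    user: str
    ip: str
    device: str
    channel: str       # "web", "mobile" or "aggregator"
    automated: bool    # client looks scripted (constructed flag, e.g. from bot detection)
    success: bool


HUMAN_ONLY_CHANNELS = {"web", "mobile"}

# Constructed history: two customers logging in normally from their usual devices.
HISTORY = [
    LoginEvent(1000, "alice", "203.0.113.10", "alice-phone", "mobile", False, True),
    LoginEvent(1100, "alice", "203.0.113.10", "alice-laptop", "web", False, True),
    LoginEvent(1200, "bob", "198.51.100.7", "bob-laptop", "web", False, True),
]

# Constructed burst: one IP trying twelve usernames within a minute, one of them succeeding.
STUFFING_BURST = [
    LoginEvent(2000 + i, f"user{i}", "192.0.2.44", f"script-{i % 3}", "web", True, i == 7)
    for i in range(12)
]


def build_profiles(events):
    """Normal pattern per customer: IPs and devices seen on successful logins."""
    profiles = defaultdict(lambda: {"ips": set(), "devices": set()})
    for e in events:
        if e.success:
            profiles[e.user]["ips"].add(e.ip)
            profiles[e.user]["devices"].add(e.device)
    return dict(profiles)


def score_login(event, profiles, recent_failures_for_user=0):
    """Higher score = riskier. Weights are illustrative, not tuned."""
    score = 0
    prof = profiles.get(event.user)
    if prof is None:
        score += 40  # no successful history: treat like an enrolment
    else:
        if event.device not in prof["devices"]:
            score += 30
        if event.ip not in prof["ips"]:
            score += 20
    score += 10 * min(recent_failures_for_user, 5)
    return score


def decide(event, profiles, recent_failures_for_user=0):
    """Return 'allow', 'mfa' or 'block'; friction is tied to the risk score."""
    if event.automated and event.channel in HUMAN_ONLY_CHANNELS:
        return "block"  # scripts do not belong on human-only channels
    score = score_login(event, profiles, recent_failures_for_user)
    if score >= 70:
        return "block"
    if score >= 30:
        return "mfa"
    return "allow"


def ip_alerts(events, window=60, min_users=5, min_fail_ratio=0.8):
    """Entity profile per IP: alert when many distinct usernames fail within one window."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e.ip].append(e)
    alerts = []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e.ts)
        for start in range(len(evs)):
            t0 = evs[start].ts
            win = [e for e in evs[start:] if e.ts < t0 + window]
            users = {e.user for e in win}
            fails = sum(not e.success for e in win)
            if len(users) >= min_users and fails / len(win) >= min_fail_ratio:
                alerts.append({"ip": ip, "users": len(users), "attempts": len(win),
                               "failures": fails, "from_ts": t0})
                break  # one alert per IP per run is enough
    return alerts
```

The useful property of the per-IP alert is that it fires even though the one successful login in the burst would, on its own, look like an ordinary new-device login and only earn an MFA prompt; the entity profile around the IP is what exposes the campaign, and the alert can then feed the existing interdiction and customer-communication steps.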
Employing these actions can help drive a more holistic approach to fighting credential stuffing. This means that credentials and customer logins are blocked where required, while genuine customers can go about their business.
The U.S. Federal Reserve’s recently announced FraudClassifier Model splits fraud into authorized and unauthorized fraud. The approaches above help reduce account takeover, which falls into the unauthorized fraud category, lowering losses for FSOs and reducing the impact on genuine customers.
Credential stuffing may not make the headlines as much as scams like business email compromise, but it is impacting FSOs and customers. By bringing together cyber and fraud, we can take the necessary steps to manage this fraud more effectively.