Fraud Prevention

Credential Stuffing Attacks Ramp Up Against Financial Institutions

October 28, 20205 min Read

In credential stuffing attacks, fraudsters use stolen username and password combinations to test the validity of these credentials and then use them to gain unauthorized access to genuine user accounts. Attackers use automation to scale up their attempts and maximize the returns. The financial services sector is particularly attractive for such attacks, as the returns are far more lucrative than any other industry.

The Federal Bureau of Investigation (FBI) has observed that the financial services sector in the US has seen a rise in credential stuffing attacks, which account for 41% of all the security incidents affecting the sector between 2017 and 2019. The FBI further notes that businesses lose an average of $6 million per year to credential stuffing attacks. These losses do not even include the costs associated with these attacks—which include remediation and notifying customers—apart from customer churn, downtime, and damage to brand image.

Data breaches and reuse of username-password combinations fuel credential stuffing attacks

Fraudsters are in the business of crime to extract maximum economic returns with the smallest investment possible. Because most credential stuffing attacks have low success rates, attackers use bots to achieve scale.

credential stuffing

A breach of any site’s data provides attackers with username-password combinations which attackers rightly assume may be used on other sites. Fed with these “combo lists”, thousands of automated login attempts made in a short window of time allow attackers to validate huge volumes of these username-password combinations. These then are used for criminal activities such as account takeover, opening fake new accounts, attacking APIs, payment fraud, money laundering, phishing, spam and so forth.

Attackers today are able to launch strategic credential stuffing attacks with far more verified data than ever before. Frequent data breaches replenish the attackers' databases. Because users register the same username-password combinations across multiple online services, attackers compromise many accounts. These compromised accounts are then exploited not just to drain the funds they contain, but also to abuse loyalty points, open new lines of credit, steal saved passwords, commit payment fraud and many other sinister crimes.

It's a tightrope walk for financial institutions

The financial services sector is in the middle of a tech-enabled disruption. Financial institutions—both traditional and fintechs—are trying to offer innovative services and products to their customers. In addition, they are obliged to protect the customers' money and their trust. They must also comply with all of the prevailing regulations.

Recommended Event: Bankrupting Fraud Virtual Summit

Financial institutions cannot afford to let credential stuffing attacks go undetected as -- apart from fueling numerous downstream frauds -- these attacks cause monetary and reputational losses. They also lead to compromising the privacy of customer data, which results in non-compliance with mandatory regulations and causes customer dissatisfaction. As a result, financial institutions are currently making every effort to balance fraud management with frictionless user experience.

Attackers take advantage of this situation and use tech-enabled tools to fool these defense mechanisms. They deploy advanced bots that mimic human behavior to bypass authentication that requires human interaction.

Adopt an effective approach to fight online abuse

The key to tackling credential stuffing attacks is to accurately identify attack telltales and deploy the appropriate countermeasures. That said, traditional approaches cannot provide the highest levels of protection that financial institutions need to adequately protect the interests of their business and the customers. Instead, they end up introducing unnecessary friction for authentic users, which only frustrates them and degrades the user experience.

Arkose Labs adopts an out-of-the-box approach that enables financial institutions to thwart credential stuffing attempts while ensuring a seamless digital experience for authentic users. Arkose Labs moves the attack surface away from the business network and shields it from online abuse. This removes the burden from the security and fraud teams and allows them to focus on core business activitie.

Targeted friction eliminates abuse and safeguards user interests

The Arkose Bot Manager platform does not block any user. Instead, it triages the incoming traffic, grades users according to their risk levels, and uses targeted friction against suspicious users. The dynamic risk engine analyzes hundreds of parameters to assess the risk level for each user and informs the intelligent challenge-response mechanism to present context-based Arkose MatchKey challenges to a user.

Practical Steps to Eliminating Account Takeover Attacks in Banks and Fintechs
Practical Steps to Eliminating Account Takeover Attacks in Banks and Fintechs

Authentic users may pass through unchallenged, while the few that do come across a challenge clear them easily. Bots and automated scripts, meanwhile, fail instantly when they encounter a challenge. This is because the 3D-rendered images in Arkose MatchKey challenges are trained against advanced machine vision technology to make them resilient to the most advanced bots. The 100% SLA guarantee against automated attacks is testimony to this. Further, the insights from real-time user sessions are fed into the risk engine, which helps continuously improve future predictions and adapt to the evolving attack tactics.

To learn how Arkose Labs helps global financial institutions fight credential stuffing attacks and protect their customers' privacy, schedule a demo now.