Unraveling credential stuffing: A Q&A guide on understanding and preventing it
Recent data breaches have drawn attention to many different types of fraud. The recent announcement made by Roku TV about an identified breach affecting approximately 15,000 users has brought credential stuffing fraud to the forefront.
Credential stuffing is the automated insertion of stolen usernames and password pairs (together, a user’s credentials) into a website that also requires credentials to access personal account information. Because many organizations have similar requirements for user and password criteria, users will tend to use the same information for multiple accounts. Fraudsters use different tactics to expose credentials, including phishing and database breaches, at which point they submit these stolen credentials to gain access to potentially hundreds or thousands of other sites. In the Roku incident, fraudsters gathered different information from separate breaches that was then cross-referenced to piece credentials together.
When a fraudster attempts credential stuffing, they are committing a form of a brute force attack, which is when they try using multiple passwords against one or several accounts to guess the login information.
What is the impact of this form of breach?
Credential stuffing is one of the most common forms of account takeover fraud. It carries a high severity level and is dangerous to both consumers and businesses due to the reputational and financial losses that typically occur because of this type of breach.
What are the series of events that occur in these types of attacks?
The fraudster starts by gaining access to usernames and passwords from a breach, phishing attack, or a password dump site. They then use automated tools to test the stolen credentials against multiple websites. If the fraudster is successful, they now know they have a valid set of credentials.
Once credentials have been confirmed, the following could happen:
- The confirmed credentials are then used to drain stored value or to make purchases.
- Additional sensitive information, such as social security numbers, account numbers, birthdates, and other sensitive personally identifying information (PII), could be exposed.
- A fraudster could now use this information to send phishing or spam messages.
- Verified credentials could be sold to other attackers, leading to greater exposure.
How can I defend against credential stuffing?
Multifactor authentication (MFA) is the best defense against password-related attacks and should be implemented whenever possible. Members should be educated on the importance of using information someone wouldn’t already know, such as a unique, one-time passcode. Adding additional layers of authentication helps reduce losses, and some examples would include:
- Security questions
- Consumer-selected PIN numbers
- Secondary passwords
- Unpredictable user ID’s (avoid the use of email addresses as a valid user ID)
- One-time passwords sent via text, call, or email
- Biometric verification
- Magic links
What else can credit unions do to be proactive in preventing credential stuffing?
As an additional safeguard, provide login history to members when they access your systems. For example, when they log in to digital banking, provide the last attempted log in information for them to confirm the access was authorized.
Credit unions also can be diligent by promptly notifying members about unusual activity but be mindful to not generate so many notices that a member ignores them. Also be thoughtful in how members are contacted. You won’t want to use data that may have been compromised. For example, if an email address has been breached, verify the information you have on file to ensure you are not sending notices to breached accounts. If the email address on file has been compromised, use an alternative form of communication, such as text or phone call. Never ask for PII via phone or text, as this could cause the member to assume anyone asking for this information must be calling from the credit union.
Finally, monitor the number of requests for password changes. Multiple requests from the same user could be an indicator of credential stuffing.
