If You Think Multi-Factor Authentication Prevents Credential Stuffing, Think Again!
Financial services firms around the world are experiencing credential stuffing attacks at an alarming rate. Cybercriminals are using readily available automation tools, botnets, and compromised account credentials to mount increasingly sophisticated and stealthy attacks. Many businesses are using multi-factor authentication (MFA) to strengthen access security and combat credential theft. While useful and necessary, MFA does not necessarily prevent credential stuffing. Once a savvy attacker identifies a legitimate user ID and password combination, they almost always seek other ways to access accounts and commit crimes.
Many financial services firms are taking additional measures to combat credential stuffing, using advanced bot management solutions to detect and stop bad actors in their tracks before they gain access to applications or critical systems. In this blog, I'll explain how credential stuffing works and provide some tips for defending against it.
What Is Credential Stuffing?
Credential stuffing is a common form of cyberattack where bad actors use automated systems and compromised login credentials to gain access to online accounts. The basic premise behind credential stuffing is that victims often use the same user ID/password combination for many online accounts. So if a cybercriminal gets hold of your Amazon user ID and password, and you happen to use the same combination for online banking, they can now syphon money out of your savings account. Criminals can use open-source automation tools to attempt thousands and thousands of stolen credentials against thousands and thousands of websites, knowing the chances are pretty good they will eventually strike gold.
A thriving underground economy exists for buying, selling, and exploiting compromised account credentials. Billions of stolen credentials are available for purchase on the dark web. Free automation tools like Sentry MBA or SNIPR make it easy for bad actors to orchestrate logins and validate stolen credentials. And low-cost "botnet as a service" platforms enable criminals to carry out complex credential stuffing campaigns at scale.
Sentry MBA Makes It Easy to Orchestrate Credential Stuffing Attacks
Not surprisingly, financial services organizations are common targets for credential stuffing attacks. Bank accounts, credit card accounts, brokerage accounts, and payment apps are high-value targets. A 2019 Akamai State of the Internet report revealed about 6% of all credential stuffing attacks were aimed at financial services customers, as shown in the chart below. (While at first glance this might seem like a relatively low percentage, you need to put it into perspective by considering the total potential cost of a breach in the financial services industry, compared to other industries.) Over a 17-month period, Akamai detected over 3.5 million malicious login attempts against financial organizations!
Credential Stuffing Attacks Observed by Akamai (December 2017 - April 2019)
Cybercriminals also use credential stuffing to gain illegitimate access to APIs. A 2020 Akamai State of the Internet report showed attackers often target REST and SOAP endpoints that provide access to confidential data and services that bad actors can use to commit financial crimes. (The charts below show malicious login attempts detected by Akamai over a 24-month period. Attempts aimed at API endpoints are depicted in orange. The top chart represents all industries. The bottom chart zeroes in on the financial services sector.)
Malicious Login Attempts Observed by Akamai (December 2017 - November 2019)
Defending Against Credential Stuffing Attacks
Credential stuffing attacks can damage your firm's reputation and result in regulatory fines, legal payouts, and customer churn. They can also impair the performance of your website and online applications by overwhelming your infrastructure with bogus bot traffic. To make matters worse, attackers are always honing their techniques -- distributing login attempts across thousands of bots, using proxy servers, spreading out login attempts over time -- to evade detection.
Here are three tips to help defend against credential stuffing and mitigate risk.
Tip 1: Take a Fresh Look at Your Application and Website Login Pages
Many application and website designers unwittingly assist bad actors by inadvertently confirming user IDs or other information that can be used to mount an attack. For example, a cybercriminal may try to log in to an account using an unverified user ID and password. If the web app returns an error message indicating the password is incorrect, the criminal can assume the user ID is valid and use brute-force password-cracking methods or other mechanisms to gain access to the account.
Reexamine your authentication workflows and login screens to make sure you are not making things easier for the bad guys.
Tip 2: Augment Multi-Factor Authentication Solutions
Multi-factor authentication solutions can help prevent unauthorized access to financial services applications if a cybercriminal gets their hands on valid login credentials. MFA is beneficial, but it does not always prevent credential stuffing. On the contrary, MFA can actually help attackers.
With many MFA implementations, users first enter a user ID and password combination, and then are prompted to enter another piece of evidence like a code sent via email or SMS. A bad actor can exploit MFA to verify a user ID/password combination (most MFA solutions validate the user ID/password combination before generating the challenge code). With the user ID/password confirmed, the perpetrator can target the victim directly via a spear-phishing attack, sell the validated credentials on the dark web, or attempt some other malicious act. For comprehensive protection, introduce a multilayered, defense-in-depth security architecture, combining MFA with other safeguards. Also make sure an attacker cannot uncover valid credentials by interrogating the web server's response.
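The response-oracle problem in Tips 1 and 2 is easiest to see side by side. The Python below is an added example, not code from this post or from Akamai: a constructed in-memory user store, a "before" login handler whose messages and OTP prompt confirm user IDs and passwords one at a time, and an "after" flow that returns the same response and moves to the same second step regardless of outcome, keeping the first-factor result server-side. The transaction dictionary, the `otp_for` helper and the six-digit code format are assumptions standing in for session state and the SMS/email channel.

```python
import hashlib
import hmac
import os
import secrets

# Constructed in-memory user store for this example (not Akamai's code):
# user id -> (salt, PBKDF2 hash). Iteration count kept low to keep the demo fast.
def _hash(pw: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 10_000)

_SALT = os.urandom(16)
USERS = {"alice": (_SALT, _hash("correct horse", _SALT))}
# Compared against when the user id is unknown, so a missing account costs the same work.
_DUMMY = (_SALT, _hash("placeholder", _SALT))
_TXN: dict = {}  # transaction id -> {"user", "first_ok", "otp"}; stand-in for server session state

def leaky_login(user_id: str, password: str) -> dict:
    """'Before': distinct messages reveal which half of the pair was wrong, and
    reaching the OTP prompt confirms a valid user id/password combination."""
    if user_id not in USERS:
        return {"ok": False, "error": "unknown user id"}
    salt, stored = USERS[user_id]
    if not hmac.compare_digest(_hash(password, salt), stored):
        return {"ok": False, "error": "incorrect password"}
    return {"ok": False, "error": None, "next": "otp"}  # only valid credentials get here

def hardened_login(user_id: str, password: str) -> dict:
    """'After': same message and same next step whatever happened; whether the
    first factor passed is recorded server-side, never in the response."""
    salt, stored = USERS.get(user_id, _DUMMY)
    first_ok = hmac.compare_digest(_hash(password, salt), stored)
    txn = secrets.token_urlsafe(16)
    # A code is generated (and would be delivered) only when the first factor
    # passed; the client sees an identical response either way.
    _TXN[txn] = {"user": user_id, "first_ok": first_ok,
                 "otp": f"{secrets.randbelow(10**6):06d}" if first_ok else None}
    return {"ok": False, "error": None, "next": "otp", "txn": txn}

def verify_otp(txn: str, code: str) -> dict:
    """Second step: one generic failure covers bad user id, bad password and bad
    code, so neither step works as a credential-validation oracle."""
    rec = _TXN.pop(txn, None)  # single use
    if rec and rec["first_ok"] and hmac.compare_digest(rec["otp"], code):
        return {"ok": True, "user": rec["user"]}
    return {"ok": False, "error": "sign-in failed"}

def otp_for(txn: str):
    """Stands in for the SMS/email channel so the demo can complete the flow."""
    return _TXN.get(txn, {}).get("otp")
```

Rate limiting and the bot controls in Tip 3 still belong in front of both handlers; the uniform response only removes the free confirmation, it does not stop the attempts.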
Tip 3: Implement a Bot Management Solution for Ultimate Protection
For ultimate protection against credential stuffing, deploy a network-based bot management solution as part of a multilayered security implementation. Bad actors rely on distributed botnets to carry out complex credential stuffing attacks. Bot management solutions detect and control illegitimate bot traffic at the network edge, blocking attackers before they can get to your applications or overwhelm your infrastructure. Best-of-breed bot management platforms use artificial intelligence and machine learning to detect and thwart advanced credential stuffing attacks.
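To make the distribution pattern from the previous section concrete, here is an added example (not Akamai's or this post's code) of two simple heuristics run over constructed login-log lines: one source cycling through many user IDs with mostly failures, and one user ID failing from many sources. The log format, field layout and thresholds are assumptions chosen for the demo; a production bot management platform uses far richer signals than these.

```python
import re
from collections import defaultdict

# Constructed sample log lines (not real Akamai data): timestamp, source IP, user id, result.
SAMPLE_LOG = """\
2019-04-01T10:00:01Z 203.0.113.7 alice FAIL
2019-04-01T10:00:02Z 203.0.113.7 bob FAIL
2019-04-01T10:00:03Z 203.0.113.7 carol FAIL
2019-04-01T10:00:04Z 203.0.113.7 dave FAIL
2019-04-01T10:00:05Z 203.0.113.7 erin OK
2019-04-01T10:00:06Z 198.51.100.2 alice FAIL
2019-04-01T10:00:07Z 198.51.100.3 alice FAIL
2019-04-01T10:00:08Z 198.51.100.4 alice FAIL
2019-04-01T10:00:09Z 198.51.100.5 alice FAIL
2019-04-01T10:00:10Z 192.0.2.10 frank FAIL
2019-04-01T10:00:11Z 192.0.2.10 frank OK
"""

LINE = re.compile(r"^(\S+) (\S+) (\S+) (OK|FAIL)$")

def parse(log: str):
    """Yield (timestamp, ip, user, result) tuples, skipping malformed lines."""
    for line in log.splitlines():
        m = LINE.match(line)
        if m:
            yield m.groups()

def find_stuffing(log: str, min_attempts=4, min_fail_ratio=0.75, min_distinct=4):
    """Return (suspicious_ips, targeted_users). Thresholds are illustrative assumptions:
    an IP is flagged when it makes many attempts, mostly failing, across many user ids;
    a user id is flagged when failures come from many distinct IPs (distributed botnet)."""
    by_ip = defaultdict(lambda: {"users": set(), "n": 0, "fail": 0})
    by_user = defaultdict(set)
    for _ts, ip, user, result in parse(log):
        s = by_ip[ip]
        s["users"].add(user)
        s["n"] += 1
        if result == "FAIL":
            s["fail"] += 1
            by_user[user].add(ip)
    suspicious_ips = sorted(ip for ip, s in by_ip.items()
                            if s["n"] >= min_attempts and s["fail"] / s["n"] >= min_fail_ratio
                            and len(s["users"]) >= min_distinct)
    targeted_users = sorted(u for u, ips in by_user.items() if len(ips) >= min_distinct)
    return suspicious_ips, targeted_users
```

Note that `frank`, who mistypes once and then succeeds from a single address, is not flagged by either rule; the constant-message response from Tip 1 and this kind of aggregation complement each other rather than replace a bot management layer.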
Cybercriminals are carrying out sophisticated credential stuffing attacks to take over financial services accounts, steal confidential data, and make fraudulent transactions. You can fight back by taking a fresh look at your authentication workflows and implementing a multilayered security architecture that includes a robust bot management platform. Leading bot management solutions like Akamai Bot Manager detect and stop sophisticated credential stuffing bots at the edge, before they get to your applications or data center. The Akamai solution uses machine learning and behavioral analysis to intelligently identify and deflect credential stuffing attacks without impairing legitimate bot traffic. Bot Manager is built on the Akamai Intelligent Edge Platform with more than 280,000 servers around the world for global scalability and performance. The solution manages over 560 million bot requests per hour, providing unmatched visibility into the ever-evolving bot landscape.
To learn more about mitigating credential stuffing attacks, please watch the webinar I conducted with my colleague Hamish Rose.