The reality of breaches is the amount of information available on the dark web. In 2016, hackers stole some three billion credentials, some of which they use in account takeovers.

The big security threat called credential stuffing is the use of automated means to test stolen logins/passwords en masse against other websites. The practice isn't new, but new sophisticated instruments are helping to fuel its growth.

A recent study from Mountain View, Calif. Shape Security, “2017 Credential Spill Report,” showed stuffing attacks resulted in $1 billion in attempted fraud in 2016 alone. In addition, credential-stuffing login attempts account for 90% of all logins in web and mobile applications. Hackers achieve a success rate of 0.1 to 2% when reusing stolen credentials to access other sites, according to Shape Security.

Mike Lynch, chief strategy officer of Boston-based device authentication and intelligence firm InAuth, said this is quickly becoming a critical issue in the security sector, yet few are talking about it. “I am hearing a lot about how companies are trying to battle it.”

The term credential theft is not new. Lynch explained attackers hack into a system to steal end-user login credentials: user IDs, email addresses, passwords. Or they phish users into credential theft. “I can't believe this many years later we're still talking about phishing, but it's still a huge issue.”

Lynch provided some of the newer terms used in relation to credential theft:

  • Credential stuffing. Fraudsters use bots to test stolen account credentials to access user accounts through large-scale automated login requests. “They want to validate that they have a good user name with potentially a good password.”
  • Password recycling. Using the same password against multiple online accounts.
  • Credential spilling. Fraudsters release massive amounts of user credentials onto the dark web. Sometimes it is free to build their own hacker résumé, or sometimes for profit.

The return for fraudsters depends on the value of credentials. “For 1 million stolen credentials, which these days is not that much, they might gain access to 10,000 accounts. If those are financial accounts, you have a lot of effects on the FIs,” Lynch said. He added, possible consequences include the hard-dollar costs in detecting the credential compromise, the aftermath cleanup, potential reputational damage, and response to inevitable customer queries.

Among the techniques hackers use to gain credential access are phishing and smishing (SMS based phishing), credential cracking with brute force, man in the middle attacks, and insider theft.

Fraudsters obtain financial institution credentials to sell to the highest bidder. Lynch held account logins for financial institutions have a longer shelf life and are getting a higher price from the dark web. “The most direct and obvious use of account takeover is transaction fraud,” Lynch said. With the financial institution, it is usually fraud against the consumers' account. “Fraudsters sometimes have this information for several years before it's even noticed it's been compromise or reported that it was compromised.”

Credit card numbers are lesser valued on the dark web because holders are pretty quickly notified of compromise and the issuer subsequently retires the cards.

Companies are now battling bots used to stuff credentials. Some signs bots are in play is through more traffic to the site, higher attempts to login, and more than usual login failure rates.

“They're using automation and technology to do things like credential cracking and the bots themselves create the malware and distribute it, Lynch said. “They are quite sophisticated.”

The theft of user credentials and their use in attacking other sites is now so widespread that it prompted precautions in the “Draft NIST Special Publication 800-63B Digital Identity Guidelines,” that online account systems check their users' passwords against known spilled credential lists.

Lynch suggested credit unions need to check the unique device, device fingerprinting, and malware detection. In addition, financial institutions should use behavioral analysis. He also recommended credit unions embrace new authentication techniques like biometrics. “The more financial institutions adopt biometrics the less credential compromise we will have.”

Complete your profile to continue reading and get FREE access to CUTimes.com, part of your ALM digital membership.

Your access to unlimited CUTimes.com content isn’t changing.
Once you are an ALM digital member, you’ll receive:

  • Breaking credit union news and analysis, on-site and via our newsletters and custom alerts
  • Weekly Shared Accounts podcast featuring exclusive interviews with industry leaders
  • Educational webcasts, white papers, and ebooks from industry thought leaders
  • Critical coverage of the commercial real estate and financial advisory markets on our other ALM sites, GlobeSt.com and ThinkAdvisor.com
NOT FOR REPRINT

© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.

Roy Urrico

Roy W. Urrico specializes in articles about financial technology and services for Credit Union Times, as well as ghostwriting, copywriting, and case studies. Also: writer/editor of a semi-annual newsletter for Association for Financial Technology since 1997 and history projects funded by the U.S Interior Department, National Park Service and Warren County (N.Y.).