What You Need to Know About Credential Stuffing Attacks

By Q2

10 Jun, 2020

By Bob Michaud, Chief Security Officer

Even as COVID-19 quarantine guidelines ease in most states, businesses and consumers continue to rely heavily on digital online services. A recent article from The Financial Brand illustrates consumers’ increasing preference for digital channels:

  • More than 45% of respondents indicated that they have permanently changed how they interact with their bank since COVID-19.
  • 31% of respondents will use online or mobile banking more in the future.
  • 31% will continue to use contactless or digital payments instead of checks or cash.

Hackers and fraudsters have taken notice. In a recent survey by Check Point and Dimensional Research, a whopping 95 percent of technology and security professionals agreed they are facing additional security challenges due to the pandemic, and 71 percent have seen an increase in threats or attacks since the outbreak started.

Credential stuffing is thriving

Credential stuffing is one of the easier attacks to perpetrate, thanks to predictable human behavior and an abundance of automated tools that fraudsters can employ. The average person has more than 200 online accounts but only 8-10 unique passwords. What fraudsters have figured out is that many of us reuse the same user codes and passwords across accounts. So it’s no surprise that as digital banking use increases, these attacks multiply.

A credential stuffing attack is typically slow and methodical: login attempts are spread out enough that they often go undetected by more traditional security detection measures. Fraudsters buy user codes and passwords leaked from other services, such as Facebook or Google accounts, from an illegal source, and then replay those credentials against customers’ bank accounts. A financial institution’s (FI’s) first indication of the attack is usually an increase in customer account lockouts caused by invalid login attempts.

According to RSA, typical success rates for credential stuffing tools range from 0.5% to 3%, but a fraudster working with a million username-password-email combinations could potentially make thousands of successful matches (5,000 to 30,000 at those rates) that can then be used or sold very profitably.
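The two signals described above, attempts spread out over time and a rise in failed logins, are what a detection rule has to work with. The following added example (not Q2’s tooling or code from this post; the log format, field names, IP addresses and thresholds are constructed assumptions) runs two rules over a handful of constructed authentication log lines. A classic per-address burst rule misses the low-and-slow pattern entirely, while a rule that keys on many distinct usernames failing from one address catches it and lists the accounts that did authenticate from that address for review.

```python
"""Detect a credential-stuffing pattern in authentication logs.

Constructed example: the log format, field names, addresses and thresholds
below are assumptions for illustration, not any real product's format.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines. One address (198.51.100.7, a documentation
# range) tries many DIFFERENT usernames, one attempt every ~5 minutes, so a
# simple "N failures per minute" rule never fires. Legitimate users fail
# occasionally on their own account and then get in.
SAMPLE_LOG = """\
2020-06-10T09:00:00Z ip=203.0.113.5 user=alice result=OK
2020-06-10T09:01:10Z ip=203.0.113.9 user=bob result=FAIL
2020-06-10T09:01:40Z ip=203.0.113.9 user=bob result=OK
2020-06-10T09:02:00Z ip=198.51.100.7 user=carol result=FAIL
2020-06-10T09:07:00Z ip=198.51.100.7 user=dave result=FAIL
2020-06-10T09:12:00Z ip=198.51.100.7 user=erin result=FAIL
2020-06-10T09:17:00Z ip=198.51.100.7 user=frank result=OK
2020-06-10T09:22:00Z ip=198.51.100.7 user=grace result=FAIL
2020-06-10T09:27:00Z ip=198.51.100.7 user=heidi result=FAIL
2020-06-10T09:30:00Z ip=203.0.113.5 user=alice result=OK
"""


def parse_line(line):
    """Parse one 'timestamp key=value ...' line into a dict."""
    ts, *kv = line.split()
    fields = dict(p.split("=", 1) for p in kv)
    fields["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return fields


def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def burst_rule(events, window=timedelta(minutes=1), max_fails=5):
    """Traditional rule: flag an IP with more than max_fails failures
    inside any sliding window. Low-and-slow attempts stay under it."""
    by_ip = defaultdict(list)
    for e in events:
        if e["result"] == "FAIL":
            by_ip[e["ip"]].append(e["ts"])
    flagged = set()
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 > max_fails:
                flagged.add(ip)
                break
    return flagged


def spray_rule(events, min_users=4, min_fail_ratio=0.6):
    """Stuffing rule: one IP touching many distinct usernames, mostly
    failing, regardless of how slowly the attempts arrive."""
    users = defaultdict(set)
    totals = defaultdict(int)
    fails = defaultdict(int)
    for e in events:
        users[e["ip"]].add(e["user"])
        totals[e["ip"]] += 1
        if e["result"] == "FAIL":
            fails[e["ip"]] += 1
    return {ip for ip in users
            if len(users[ip]) >= min_users
            and fails[ip] / totals[ip] >= min_fail_ratio}


def successes_from(events, suspicious_ips):
    """Accounts that authenticated successfully from a flagged address:
    the likely-compromised accounts to review and force a reset on."""
    return sorted({e["user"] for e in events
                   if e["ip"] in suspicious_ips and e["result"] == "OK"})


if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    print("burst rule flags:", burst_rule(ev))      # set(): the slow pattern evades it
    print("spray rule flags:", spray_rule(ev))      # {'198.51.100.7'}
    print("accounts to review:", successes_from(ev, spray_rule(ev)))  # ['frank']
```

The distinct-username count is the feature that separates a stuffing run from an ordinary customer mistyping their own password: a real user fails on one account, a credential list fails on many. In production the same logic runs per address range or per device fingerprint as well as per IP, since attackers rotate addresses to stay under per-IP thresholds.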

Be careful about the company you keep

FIs need to take this risk seriously and align with partners that do too. Here at Q2, we’ve ensured our datacenter has high-security detection available at all times. Multiple monitoring tools and security alarms in our environment let us know we’re operating safely. Numerous validations occur to ensure our security center is always on alert, and with early threat detection we inform our banks and credit unions right away if an attack is occurring.

Banks and credit unions can’t let up on prevention education either. Help accountholders understand what credential stuffing is, and emphasize the need for a unique password for each digital account, especially their financial accounts. Educate them on the benefit of multifactor authentication (MFA) and why MFA helps fight this type of attack: a stolen password alone is not enough to log in. Caution them about sharing information on social media, and give them tips on how to safeguard sensitive financial details when they open any online account.

Stay alert and informed

Consumers are relying more heavily on digital channels, enticing professional cybercriminals and everyday hackers to exercise their skill sets. Q2 is prepared for battle; visit our Security blogs for details on how we help FIs do the same.

For more information on credential stuffing, see:

Financial sector is seeing more credential stuffing than DDoS attacks

Credential Stuffing Breeds Fraud on a Grand Scale

Credential Stuffing Attack Prevention & Mitigation
