Credential stuffing attacks continue to be a grave concern for all organizations worldwide. However, for many Credit Unions and other financial institutions, they represent one of the most significant threats. They are a common cause of data breaches and are involved in some 76% of all security incidents. On average, our honey nets pretending to be Credit Union and other financial services experience targeted credential stuffing attacks several times per week. 

What Is Credential Stuffing?

“Credential stuffing occurs when hackers use stolen information, such as usernames and passwords from database breaches or phishing software from one account, and attempt to gain access to another. The hackers prey on people’s habit of using the same usernames and passwords for multiple sites. Using automated tools, they run large amounts of stolen information across multiple sites looking to find the same usernames and passwords being used elsewhere. Once they find a match, they can monetize the personal and financial information they gather.” (ardentcu.org)

How Common is Credential Stuffing?

Beyond our honey nets, which are completely fake environments used to study attackers, credential stuffing and the damage it causes is quite starteling. Here are some quick facts:

• It is estimated that automated credential-stuffing attempts makes up 90% of enterprise login traffic in the US. (securityboulevard.com)

• It’s estimated that credential stuffing costs companies more than $5 billion a year and creates havoc with consumers. (ardentcu.org)

• According to Akamai’s latest State of the Internet report on credential stuffing, its customers alone were deluged by 30 billion malicious login attempts between November 2017 and June this year, an average of 3.75 billion per month. (theregister.com)

• Significant credential stuffing attacks are a favorite of professional hacking groups from Russia, India, Asia and Africa. They often gather extensive lists of stolen and leaked credentials through advanced Google hacking techniques, by combing social media for password dumps (so called “credential spills”) and by purchasing lists of exposed credentials from other criminals on the dark web. Lists of member information from compromised online banking, online retailers and business association sites are common. This information often includes names, addresses, bank account numbers/credit card numbers, social security numbers, phone numbers and other sensitive data – enabling credential stuffing and social engineering attacks against victims around the world.

What Can Credit Unions Do About Credential Stuffing?

The key to handling this threat is to be able to prevent, or at the very least, identify illicit login attempts and automate actions in response to failed logins. Cybercriminals use a variety of tools, rented botnets (including specifically built credential stuffing bots) and brute force attacks to pick off less than strong passwords all around the Internet. Then, as we discussed above, they use that stolen information to probe your credit union for the same login credentials. 

The first, and easiest step, in reducing these cybercriminals’ success rate is to teach all of your legitimate users not to use the same password across multiple systems, and NEVER use passwords from public sites like Facebook, LinkedIn, Instagram, Pinterest or Twitter for example, as account credentials at work or on other important sites. Instead, suggest that they use a password manager application to make it simple to have different passwords for every site. Not only does this help make their passwords stronger, but it can even reduce support costs by reducing password reset requests. Ongoing security awareness is the key to helping them understand this issue and the significance their password choices have on the security of their own personal information and that of the company.

Next, the Credit Union should have a complete inventory of every remote login service, across their Internet presence. Every web application, email service, VPN or remote access portal and every single place that a cybercriminal could try or use their stolen credentials to gain an account takeover. Once, the Credit Union knows where login credentials can be used, they should go about preventing abuse and cyberattacks against those attack surfaces. 

The key to prevention should start with eliminating any Internet login capability that is not required. It should then progress to reducing the scope of each login surface by restricting the source IP addresses that can access that service, if possible. Often Credit Unions are able to restrict this access down to specific countries or geographic areas. While this is not an absolute defense, it does help to reduce the impacts of brute force attacks and botnet scans on the login surfaces. 

The single best control for any authentication mechanism, however, is multi factor authentication (MFA) (basically a form of secure access code provided to the user). Wheverever possible, this control should be used. While multi factor authentication can be difficult to implement on some services, it is widely available and a variety of products exist to support nearly every application and platform. Financial services should already be aware of MFA, since it has been widely regulated by FFIEC, NCUA and FDIC guidance for some time.

More and more, however, credential stuffing is being used against web mail, Office 365 and other email systems. This has become so common, that a subset of data breaches called Business Email Compromise now exists and is tracked separately by law enforcement. This form of unauthorized access has been wildly popular across the world and especially against the financial services of the United States. Compromised email addresses and the resulting wire transfer fraud and ACH fraud that stems from this form of credential theft/identity theft are among some of the highest financial impacts today. Additionally, they commonly lead to malware spread and ransomware infections, if the attacker can’t find a way to steal money or has already managed to do so.

No matter what login mechanism is being abused, even when MFA is in place, logging of both legitimate access and unauthorized access attempts is needed. In the event that a security breach does occur, this data is nearly invaluable to the forensics and investigation processes. Do keep in mind, that many default configurations of web services and cloud-based environments (like Office 365) have much of this logging disabled by default. 

While Credit Unions remain prime targets, having good prevention and detection are a key part of strong risk management against credential stuffing. Practicing incident response skills and business recovery via tabletop exercises and the like also go a long way to stengthening your security team’s capabilities.

How Can MicroSolved Help?

Our team (the oldest security firm in the midwest) has extensive experience with a variety of risk management and security controls, including helping Credit Unions inventory their attack surfaces, identify the best multi factor authentication system for their environment, create policies and processes for ensuring safe operations and performing assessments, configuration audits of devices/applications/cloud environments. 

We also scope and run custom tabletop exercises and help Credit Unions build better information security programs. Our team has extensive experience with business email compromise, wire/ACH/credit card fraud prevention, cybercriminal tactics and incident response, in the event that you discover that credential theft has occurred. 

Lastly, our ClawBack data leak detection platform, can help you watch for leaked credentials, find source code and scripts that might contain reuseable account credentials and even hunt down device configurations that can expose the entire network to easy compromise. 

You can learn more about all of our services, and our 28 years of information security thought leadership here.

Lastly, just reach out to us and get in touch here. We’d love to talk with your Credit Union and help you with any and all of these controls for protecting against credential stuffing attacks or any other cybersecurity issue.