What's working, what's not in banks' battle against 'credential stuffing'

"Credential stuffing," in which hackers take stolen usernames and passwords from one site and attempt to use it on another, is becoming a bigger problem for banks.

It's the likely culprit behind a hack of HSBC's online banking unit last month, in which less than 1% of users were targeted. And the security company Akamai said there were 8.35 billion credential stuffing attempts against its clients between May and June of this year.

Banks are a top target for this type of attempted infiltration. Shape Security recently estimated that the U.S. consumer banking industry faces nearly $50 million a day in potential losses from credential stuffing attacks.

Credential stuffing

But it's also a struggle for banks to combat it, since part of the problem is that customers are reusing their passwords from other sites.

Following is a look at how financial institutions are trying to stop credential stuffing — and how effective those defenses are.

Asking customers not to reuse passwords

Arguably the most attempted but least successful defense is trying to get consumers to change their password habits.

"Most users want things to be easy, which is why they tend to reuse the same password over and over again," said Greg Temm, chief information risk officer at the FS-ISAC. "To help remedy this, there are some ways to make this easier. Some smartphones have security features that can help them not reuse their passwords across websites, but also safely store the passwords they do use. This is likely to be standard in the not so distant future."

CAPTCHA

An acronym for Completely Automated Public Turing test to tell Computers and Humans Apart, CAPTCHA uses visual images and a challenge-response test to determine if a logon attempt is being made by a human or a bot. This can help detect credential stuffing malware.

Most credential stuffing attacks are automated, so any attempt to distinguish human behavior from malware is a good idea. But CAPTCHA has been around a long time, and bots have been taught to solve CAPTCHA better and more quickly than human beings.

Also, not all bots are malware. Overall, about 40% of internet traffic comes from bots and some are good. Some monitor website performance and availability. Some are run by financial aggregators that use automated tools to screen-scrape bank account data. Unless a bank has banned an aggregator for some reason or the aggregator is flooding the site with traffic outside of agreed-upon windows, this is legitimate traffic that banks whitelist. These bots also generally know how to navigate CAPTCHA.

But analysts at Shape Security have found that criminals have started exploiting aggregators to perform credential stuffing attacks, according to a recent report from Shape.

“The attacker, instead of going directly to the financial institution’s website to test credentials, goes to the aggregator’s website and signs up for accounts using the stolen credentials," the report says. "The aggregator then attempts to log in to the financial institution’s website using those credentials. The aggregator then will provide the attacker feedback as to whether those credentials were valid or not. At the end of this third-party credential stuffing attack, an attacker will have a list of validated banking credentials that can be used for manual account takeover on the banking site.”

Multifactor authentication

This is the most obvious answer — require users to provide something more than a username and password to access online banking, something hackers can’t easily obtain (unlike the answers to challenge questions, which they can).

However, out-of-band text messages, the preferred method of multifactor authentication for most banks, can be compromised. And if a bank makes login too difficult for legitimate customers, they may grow restive. Temm noted that advances in biometrics are making the inconvenience factor less of a problem.

But most banks that offer multifactor authentication have it as an option, not a requirement.

Distributed denial-of-service mitigation technology

Sometimes credential stuffing takes the form of a tidal wave of traffic that looks like a DDoS attack.

Some banks leverage existing DDoS mitigation technology to identify and block this traffic, said Al Pascual, head of fraud and security at Javelin Strategy & Research.

“But the cadence of this traffic, not to mention volume, can look very different than DDoS, making that approach less than ideal,” he said.

Account aggregator traffic can also look like a DDoS attack, further confusing the DDoS mitigators.

Credential stuffing prevention software

Akamai and Shape Security are among the companies that have software specifically trained to prevent credential stuffing.

Akamai’s software sends a piece of Javascript into the browser being used to attempt to access a website, such as an online banking site. That code gathers information about the user’s behavior that Akamai’s software analyzes to see whether it falls within the range of normal human behavior.

The software is constantly being fine-tuned.

“It’s a chess match between the attacker and the defender; advances made on one side trigger advances made on the other,” said Patrick Sullivan, senior director, security technology and strategy at Akamai. “Years ago, bots would be really noisy and coming from a small number of IP addresses,” so they were easy to identify and block with a firewall.

Attackers then started leveraging proxy servers to reduce the number of requests per IP address, making them much harder to spot.

Akamai built a bot manager that tries to understand all the bots out there. It tracks 1,200 different botnets; many are run by financial data aggregators.

Then, using software it acquired with its purchase of Cyberfend, it began looking more closely at users’ behavior at login — the cadence of key presses, the movements of the mouse, taps on a phone — and comparing those to interactions it’s already seen to determine if the user is human or machine.

“It’s pretty hard for an adversary to model the imperfect way humans function,” Sullivan said. “We’re not truly random, we’re also not truly robotic. As we navigate across the screen, we don’t do it perfectly. Human beings tend to have acceleration, deceleration; we don’t navigate exactly to the username bar.”

Being deceptive

Sullivan noted that when a bank detects a malicious bot doing credential stuffing, it should not let on about it. Instead it could send a failed login page that indicates that the attack went through but that that set of credentials doesn’t exist in the bank’s database, even though they do.

“These fraudsters are extremely adaptive,” he said. “So if they understand you’re blocking them, they immediately go to work reverse-engineering how they’re being detected. If you can be deceptive in your response to the attacker and not make it obvious that you’re on to them, that is a really important consideration.”

Editor at Large Penny Crosman welcomes feedback at penny.crosman@sourcemedia.com.

For reprint and licensing requests for this article, click here.
Cyber security Data security Cyber attacks Online banking Identity verification Mobile banking
MORE FROM AMERICAN BANKER