Cyberdefense firms claim headway against 'credential stuffing'

Those hoping to thwart the staggering number of automated cyber attacks on financial accounts have settled into a basic premise: Make it too costly for the fraudsters to succeed, and they'll move on.

The fight against credential stuffing has accelerated. In a credential stuffing attack, fraudsters take username-and-password pairs leaked in earlier data breaches and replay them against the login pages of banks and other companies, counting on customers who reuse the same password across many accounts. In the past few years it has become a crime of choice for fraud rings, because the automated bots that do the work carry little overhead and can ultimately deliver significant revenue.

Security firms developing tools to fight credential stuffing are increasingly confident they can thwart the majority of attacks — so much so that one, Arkose Labs, is planning to put a warranty on its services.

"The issue historically with security vendors is that they are playing a game of 'whack a mole' and if they can stop 90% of the attacks, and only 10% get in, that is acceptable," said Kevin Gosschalk, Arkose's CEO. "Well, that 10% is enough to fund the whole fraudster credential stuffing operation, so the bad actors are still profiting and enough of the attacks are getting through."

If fraudsters assemble a billion username-and-password combinations from stolen account data and begin "stuffing" them into login pages, they could end up with hundreds of thousands of successful logins. And because of password reuse, a set of credentials that works once is likely to work on that person's other accounts as well.

"The largest use case for our platform is to mitigate credential stuffing attacks," Gosschalk said. "It is incredibly profitable for fraudsters and the cost to do it, if successful, generally provides a great return on investment."

The FBI's Cyber Division late last year warned U.S. financial institutions and business owners that it had received reports of credential stuffing attacks that led to nearly 50,000 account takeovers from 2017 through 2019. The FBI also cited credential stuffing as the most prolific attack method against the financial sector, accounting for 41% of all incidents. When employees and customers reuse the same passwords across accounts, the report noted, a credential stuffing attack could result in losses averaging $6 million a year for an affected business.

"There are millions, if not billions, of username-and-password combinations that have been compromised via persistent and ongoing data breaches," said David Mattei, senior analyst with Aite-Novarica Group. "Many consumers reuse passwords across multiple sites including e-commerce websites and online banking."

Last year, Arkose Labs reported an increase of nearly 90% in bot attacks between the first quarter of 2020 and the fourth quarter. The San Francisco company identified nearly 2 billion bot attacks in the fourth quarter alone. Arkose said the pandemic lockdown caused many more digital accounts to be created and, ultimately, attacked. Security vendors have generally noted an average uptick in attacks of 30% to 40% a year over the past three years.

The vendors have shifted their strategy over the past year and a half. Rather than trying to block every attempt, they now focus on making credential stuffing more expensive for attackers, with the aim of pushing the cost of an attack up to, or beyond, the criminals' average net return from it. Security methods that cut into the scammers' return on investment include challenges that require a human response and the rejection of traffic from cheap proxy servers, which forces attackers onto pricier ones.

"The key is we want to impose a huge amount of friction on the attacker and no friction on the legitimate customer by making decisions based on the signals we detect," said Dan Woods, vice president of Shape Security F5's Shape Intelligent Center.

Woods is a former FBI agent and CIA operative in cyberterrorism operations. Shape Security, which is based in London, has long emphasized halting credential stuffing attacks — and coined the phrase for the attack, Woods said.

How the battle is waged

Credential stuffing attacks can sometimes come from more than a million IP addresses in as many as 100 different countries.

"But if they are attacking a bank in which 90% of the customers live in the United States, then [the hackers] want 90% of their attacks to come from within the U.S. so they closely parallel the traffic from human beings in that region," Woods said.

Bad actors can also alter device attributes such as the browser language and other device-fingerprint fields, and rotate through large pools of IP addresses so that no single address is seen attempting numerous logins.

Banks and businesses can expect to face large-scale bot attacks, "trained" bot attacks whose scripts are coded with more knowledge of the target site, and attacks carried out by humans. Large-scale attacks may net only small amounts of money or data per compromised account, but those gains add up because of the scale.

Many banks, especially in Europe, have forced two-factor authentication for access to an account to block credential stuffers. In the U.S. that is generally looked upon as too much friction for a bank's good customers, and is especially hard for a retailer or airline to consider, Woods said.

Instead, companies like Arkose Labs, Shape Security F5 and NuData Security have devised ways to detect the scripted tooling behind the fraudsters' login attempts and to recognize when that tooling has spoofed browser characteristics well enough to make a web server believe the traffic is coming from a legitimate browser.

When defenses get too sophisticated for bots, fraud rings fall back to using people to log in — and banks must be ready to defend against this second wave of attacks in real time, said Dave Stufflebeam, senior solutions engineer at Arkose Labs.

Newer lines of defense

Tools designed to make attacks more difficult and expensive for fraudsters include real-time detection engines that monitor the user's device. They use JavaScript running in the page to collect device fingerprints and to add security challenges to logins.

"The most important thing is detection time," Stufflebeam said. "We look at the IP address, track the mouse movements, and analyze the location of the user and velocity distance, or how often this address is associated with this request."

The tools also examine the proxy a request is routed through, that is, the intermediary between the client and the destination server, to determine where the traffic really originates.

"If they are coming from these cheap, inexpensive proxies where fraudsters can buy a million of them for $20 or $30, we automatically apply more pressure on those," Stufflebeam noted. "That pressures the fraudsters to use premium proxies that would get 20 IP addresses for a few hundred dollars, making it more costly and more challenging to them."

Vendors are also adding security challenges to their software that make credential stuffing attacks harder to carry out. In one example of a complex challenge, the person trying to log in to an account is shown four or five pictures of sets of dice, with the dice showing different numbers. The user has to pick out the photo in which the dice numbers total a given number. In another example, the user is asked to identify a spiral galaxy in a series of 10 or more photos of starlit skies. These are tasks bots typically can't complete, and the challenges force fraudsters to bring in human responders, a roadblock that they have neither the time nor the patience to endure.

"It cuts down on their efficiency," Stufflebeam added. "If we can get them down to handling 10 challenges an hour, rather than 100 an hour, it increases the cost of their time — and that type of friction will make them go away."

Shape Security fights off fraudsters by collecting and examining signals such as odd mouse movements, unfamiliar client code, the same username and password being tried hundreds of times and blocked, or an IP address already seen in other breach attempts. The company then uses those signals to stop bots and decrease fraud.

Credential stuffing attacks "are some of the highest-velocity attacks because they require very little infrastructure, but they are also easy to defeat," Woods said.

Shape also uses authentication challenges to thwart such attacks. "Our challenges will ask them to do a lot of things," Woods said. "When we find a mismatch, it's a clear indication they are spoofing. They then resort to human click farms, in which people are sitting at home or in some kind of center, doing the activity of credential stuffing over and over."

The company's software detects other signs of rogue bot activity, such as browser windows too small for a human to use and mobile or online banking sessions so short that it is unlikely a human is conducting them.
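The signals the vendors describe above (attempts per IP per minute, failure ratio, the same blocked credential pair replayed, a cheap-proxy origin, one username hit from many IPs, tiny browser windows and near-zero-length sessions with no mouse movement) are easiest to see side by side in code. The following is an added example, not code from Arkose Labs, Shape Security F5 or NuData; the thresholds, the proxy-tier lookup, the log format and the log lines are all constructed assumptions, and it scores each source IP from a batch of login events rather than in real time.

```python
"""Scoring login events for credential-stuffing signals (added example).

Not vendor code. PROXY_TIER, the thresholds, the log format and
SAMPLE_LOG are constructed assumptions for illustration.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Hypothetical IP-reputation feed: "cheap" = bulk proxies sold by the
# million, "premium" = small, expensive pools. Unknown IPs are "none".
PROXY_TIER = {"203.0.113.10": "cheap", "203.0.113.11": "cheap",
              "198.51.100.7": "premium"}

# Thresholds are assumptions; tune them against real traffic.
VELOCITY_WINDOW = timedelta(seconds=60)
VELOCITY_LIMIT = 10        # attempts from one IP inside the window
FAIL_RATIO_LIMIT = 0.8     # share of failed attempts (needs >= 5 attempts)
REPEAT_PAIR_LIMIT = 3      # same user+password hash failing again and again
MIN_VIEWPORT = (300, 300)  # anything smaller is not a window a human uses
MIN_SESSION_SECONDS = 2.0
SPREAD_LIMIT = 3           # username tried from this many distinct IPs
CHALLENGE_AT, BLOCK_AT = 2, 4


@dataclass(frozen=True)
class LoginEvent:
    ts: datetime
    ip: str
    username: str
    pw_hash: str               # keyed hash of the submitted password, never plaintext
    success: bool
    viewport: Tuple[int, int]  # window size reported by the page's JavaScript
    session_seconds: float
    mouse_moves: int


def parse_line(line: str) -> LoginEvent:
    """Parse 'ts|ip|user|pw_hash|ok/fail|WxH|session_seconds|mouse_moves'."""
    ts, ip, user, pw_hash, outcome, vp, secs, moves = line.split("|")
    w, h = vp.split("x")
    return LoginEvent(datetime.fromisoformat(ts), ip, user, pw_hash,
                      outcome == "ok", (int(w), int(h)), float(secs), int(moves))


def score_ips(events: List[LoginEvent]) -> Dict[str, Tuple[int, List[str]]]:
    """Return {ip: (score, reasons)} for one batch of login events."""
    by_ip: Dict[str, List[LoginEvent]] = defaultdict(list)
    user_ips: Dict[str, set] = defaultdict(set)
    for e in events:
        by_ip[e.ip].append(e)
        user_ips[e.username].add(e.ip)
    results = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e.ts)
        score, reasons = 0, []
        # Velocity: largest number of attempts inside any sliding window.
        peak = start = 0
        for end in range(len(evs)):
            while evs[end].ts - evs[start].ts > VELOCITY_WINDOW:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > VELOCITY_LIMIT:
            score += 2; reasons.append(f"{peak} attempts/60s")
        # Failure ratio: stuffed lists mostly miss.
        fails = sum(not e.success for e in evs)
        if len(evs) >= 5 and fails / len(evs) >= FAIL_RATIO_LIMIT:
            score += 1; reasons.append(f"{fails}/{len(evs)} failed")
        # The same blocked credential pair replayed over and over.
        pair_fails = Counter((e.username, e.pw_hash) for e in evs if not e.success)
        if pair_fails and max(pair_fails.values()) >= REPEAT_PAIR_LIMIT:
            score += 1; reasons.append("blocked pair replayed")
        # Cheap-proxy origin gets extra pressure; premium proxies do not.
        if PROXY_TIER.get(ip, "none") == "cheap":
            score += 1; reasons.append("cheap proxy")
        # Headless-looking client: tiny window, or no interaction at all.
        if any(e.viewport[0] < MIN_VIEWPORT[0] or e.viewport[1] < MIN_VIEWPORT[1] for e in evs):
            score += 1; reasons.append("tiny viewport")
        if any(e.session_seconds < MIN_SESSION_SECONDS and e.mouse_moves == 0 for e in evs):
            score += 1; reasons.append("no-interaction session")
        # Distributed stuffing: usernames this IP tried are also hit from other IPs.
        spread = max(len(user_ips[e.username]) for e in evs)
        if spread >= SPREAD_LIMIT:
            score += 1; reasons.append(f"username seen from {spread} IPs")
        results[ip] = (score, reasons)
    return results


def decide(score: int) -> str:
    return "block" if score >= BLOCK_AT else "challenge" if score >= CHALLENGE_AT else "allow"


def analyze(lines: List[str]) -> Dict[str, Tuple[str, int, List[str]]]:
    """Parse log lines and return {ip: (decision, score, reasons)}."""
    scored = score_ips([parse_line(l) for l in lines])
    return {ip: (decide(s), s, r) for ip, (s, r) in scored.items()}


# Constructed sample log (not real traffic). 203.0.113.10 sprays twelve accounts
# in 22 seconds from a headless client on a cheap proxy; 203.0.113.11 replays one
# blocked pair; 198.51.100.7 is low-and-slow through a premium proxy; 192.0.2.5
# is a real customer.
SAMPLE_LOG = (
    [f"2024-01-15T10:00:{2*i:02d}|203.0.113.10|{u}|h{i}|{'ok' if u == 'judy' else 'fail'}|100x100|0.4|0"
     for i, u in enumerate(["bob", "carol", "dave", "erin", "frank", "grace",
                            "heidi", "ivan", "judy", "mallory", "oscar", "peggy"])]
    + [f"2024-01-15T10:01:{40+5*i:02d}|203.0.113.11|bob|hbob1|fail|1024x768|3.0|5" for i in range(4)]
    + ["2024-01-15T10:03:20|198.51.100.7|bob|hbob2|fail|1366x768|30.0|12",
       "2024-01-15T10:03:50|198.51.100.7|carol|hcarol2|fail|1366x768|28.0|9",
       "2024-01-15T10:00:50|192.0.2.5|alice|halice|ok|1440x900|180.0|60"]
)

if __name__ == "__main__":
    for ip, (decision, score, reasons) in analyze(SAMPLE_LOG).items():
        print(f"{ip:14} {decision:9} score={score} {reasons}")
```

Running it blocks the noisy cheap-proxy IP outright, sends the pair-replaying IP to a challenge, and lets the premium-proxy attempt through with only a low score, which is the point the vendors make: pushing attackers onto costlier, slower infrastructure is the goal, not catching every request. A real deployment would keep the per-IP and per-username counters in a sliding-window store rather than a batch, and would weight the signals from actual traffic rather than from the constants above.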

Mastercard's NuData Security, which is based in Vancouver, has seen fraudsters improve their technology in an effort to improve their rate of success at credential stuffing.

"NuData facilitates our own bot challenge to test the strength of NuDetect and can trigger any other interdiction the client wants to use, giving them the power to decide the best practices for their business," said Michelle Hafner, senior vice president of product strategy and execution at NuData.

NuData's Trust Consortium network uses passive biometrics and behavioral analytics, as well as device intelligence, to detect credential stuffing. Even if the fraudster has ways to get around some challenges, another defense mechanism is in place.

"It’s important to note that bot challenges can be solved with software or by a human for a low cost," Hafner said. "Even if a human solves a bot challenge, NuDetect can detect the anomalous way in which it was solved and mitigate the threat before there is any access to sensitive information."

Bank clients can integrate challenges into any aspect of customer interaction, whether it is account creation, login, password reset, adding payees, money movement or updating personal information, Hafner said.

"This helps businesses make more intelligent decisions and reduce their fraud without adding friction to their users," she added.

Confidence in halting attacks

Though it already has a guarantee in place that allows clients to walk away from Arkose Labs' service if they are unhappy with the results, the security vendor plans to add a warranty under which Arkose would assume liability for damages directly resulting from a credential stuffing incident.

"We are not preventing the attacks, but there is a way to make sure the cost for fraudsters to do it doesn't make sense," Gosschalk said. "We have solved that second problem, making it not financially worthwhile and too expensive from a time standpoint."

Security vendors should parlay their confidence in stopping credential stuffing into a policy that protects their clients, much in the same manner as buying a warranty on a new electronic product, said Jeremiah Grossman, CEO of Bit Discovery, which specializes in application and website security and offers a similar warranty.

"There is no penalty for a vendor making a false claim to a customer, as the culture of data security has convinced the customer that this is how it works," Grossman said. "It doesn't work like that in any other industry, and a vendor should know statistically how good and effective their product is, and there is no reason you can't offer a warranty."

Such a trend would definitely create a new era in account fraud security, Mattei of Aite-Novarica said.

"I have seen a few examples of companies who are putting their money where their mouth is and backing up claims of being really good at fraud detection by providing a financial guarantee of some sort," Mattei said.

"The guarantee that Arkose Labs is offering would be the first in the bot detection and account takeover space that I have seen," he added. "Needless to say, it garners interest from prospects when someone is willing to back up their claims with a guarantee and warranty."
