Securing the Digital World

Credential Stuffing Breeds Fraud on a Grand Scale

Feb 11, 2020 | by Heidi Bleau

Thanks to initiatives in automation and other digital technologies, organizations everywhere can reach new audiences, engage with customers, and deliver products and services on a larger scale and with less effort than ever before. That's the good news. The bad news is that technology is enabling fraudsters to scale up, too. The latest example comes in the growing popularity of credential stuffing – not a new method of fraud by any means, but one that has recently been gaining momentum among cybercriminals. Here's a quick look at what's behind today's credential stuffing gold rush and what legitimate organizations can do to mitigate the risk, drawn from a new RSA report.

Credential stuffing is the automated process whereby fraudsters gain access to online accounts by checking stolen credentials against a variety of websites until they get a match. The more credentials they can compare, and the faster they can do it, the more accounts they can access illegitimately. In 2019 alone, there were billions of records exposed in data breaches, including plenty of the username-password-email combinations that credential stuffing requires. With little more than these stolen credentials and an automated tool to check them against websites, a fraudster is in business. As of late 2019, as many as one in four fraudulent transactions displayed account takeover activity associated with these types of attacks.

Increased availability of stolen credentials is just one factor driving the recent dramatic rise in credential stuffing. Another is that it doesn't take a very high success rate to reap significant rewards, due to the speed at which automated tools can check credentials against websites. (RSA has been keeping tabs on these tools for years; we first reported on the popular Sentry MBA toolkit back in 2016.) Typical success rates for credential stuffing tools range from 0.5% to 3%. That may not sound all that high, but for a fraudster working with a million username-password-email combinations – not far-fetched, considering the volume of breached records there are out there – it can easily add up to tens of thousands of successful matches that can then be monetized.

Fraudsters can find lots of opportunities to monetize verified credentials, by selling them either directly or through the online account stores that openly advertise on social media and online chat rooms. The last time RSA conducted a detailed analysis of credentials for sale, we found them going for as little as a few pennies (for online retail stores) and as much as $15 (for online money transfer services).

What can legitimate organizations do to keep online accounts from being compromised by a credential stuffing attack? Because credential stuffing depends on the same stolen credential pair working across multiple websites, avoid the use of email addresses as user IDs and instead make it standard practice to generate usernames that are unique to your website. And because credential stuffing attacks are carried out by bots, detecting bot activity is crucial. AI-based behavioral analysis is recommended to recognize anomalous patterns in online interactions – such as lack of mouse movements or unusual typing speeds – that signify the presence of bots.
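As an added illustration (not RSA's code or product logic), the following Python combines the two signals the post describes into a simple detector run over constructed login telemetry: per-source volume of distinct usernames with a low success rate, and the behavioral anomalies of missing mouse movement or implausible typing speed. The event fields, thresholds and sample IPs are assumptions chosen for the example.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class LoginEvent:
    ts: float             # seconds since start of the capture
    src_ip: str
    username: str
    success: bool
    mouse_moves: int      # mouse events seen before the form was submitted
    chars_per_sec: float  # typing speed measured in the password field


def looks_like_bot(ev: LoginEvent, max_typing_cps: float = 15.0) -> bool:
    """Behavioral anomaly from the post: no mouse movement at all,
    or a typing speed no human reaches (threshold is an assumption)."""
    return ev.mouse_moves == 0 or ev.chars_per_sec > max_typing_cps


def stuffing_sources(events, min_distinct_users=20, max_success_rate=0.05,
                     window_s=60.0, min_bot_share=0.5):
    """Return source IPs whose traffic fits the credential-stuffing profile:
    many distinct usernames in a short window, a low success rate (the post
    cites 0.5-3%) and mostly bot-like sessions. Thresholds are assumptions."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev.src_ip].append(ev)
    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e.ts)
        span = evs[-1].ts - evs[0].ts
        distinct = len({e.username for e in evs})
        rate = sum(e.success for e in evs) / len(evs)
        bot_share = sum(looks_like_bot(e) for e in evs) / len(evs)
        if (distinct >= min_distinct_users and span <= window_s
                and rate <= max_success_rate and bot_share >= min_bot_share):
            flagged[ip] = {"attempts": len(evs), "distinct_users": distinct,
                           "success_rate": rate}
    return flagged


def sample_events():
    """Constructed telemetry: one source trying 200 stolen email/password
    pairs at five per second (2 hits, a 1% success rate), plus one human
    who mistypes her password twice before logging in."""
    evs = [LoginEvent(i * 0.2, "203.0.113.7", f"victim{i}@example.com",
                      i % 100 == 0, 0, 40.0) for i in range(200)]
    for i, ok in enumerate([False, False, True]):
        evs.append(LoginEvent(10 + i * 8, "198.51.100.20", "alice", ok, 12, 4.5))
    return evs
```

Calling `stuffing_sources(sample_events())` flags only the automated source; the human's failed attempts stay below every threshold.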

# # #

Join the #TalkingDigitalRisk conversation on Twitter and social media by following @RSAsecurity