How to avoid credential stuffing attacks

Olivier Thirion de Briel, Global Solutions Marketing Director, IAM Solutions for HID Global discusses the growing trend of credential stuffing attacks and how it can be avoided.

As attacks grow more sophisticated, it becomes increasingly difficult for banks to guarantee that their customers’ data will not be compromised. In October 2018, an undisclosed number of HSBC’s online retail accounts in the US were hacked. The technique used by the hackers is called “credential stuffing”: login credentials harvested from breaches elsewhere were reused to gain unauthorized access to the accounts.

The Open Web Application Security Project (OWASP) defines credential stuffing as “the automated injection of breached username/password pairs in order to fraudulently gain access to user accounts. This is a subset of the brute force attack category: large numbers of spilled credentials are automatically entered into websites until they are potentially matched to an existing account, which the attacker can then hijack for their own purposes.”

These attacks can only succeed where banks allow login with just a user ID and password and/or Knowledge-Based Authentication (KBA), which is common in the US. With the US migration to EMV banking cards, card-present fraud is declining, but hackers are agile and are redirecting their focus to Card Not Present (CNP) fraud, such as online shopping attacks and online and mobile banking attacks.

The Need for Enhanced Authentication and More Sophisticated Security
Credential stuffing can be defeated by detecting non-human behavior (missing mouse movements, typing anomalies, bursts of requests) and by detecting repeated failed logins from the same IP address. This type of attack leads to compromised personal and financial information and, ultimately, to account takeovers.

Such challenges can be overcome with trusted user identity methods that collect and analyze hundreds of parameters, including behavioral biometrics, device fingerprinting, network analytics, transaction risk analysis and threat detection. Continuous analysis of the user profile, compared against the behavior recorded during previous safe sessions, will be critical to detecting potential threats. Real-time user verification can help banks identify imminent attacks and overcome potential threats.
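One way to implement the per-IP detection described above, as an added example that is not part of the article or of HID's products: it parses constructed login-event lines and flags a source IP only when it attempts many distinct usernames inside a short window, so a single customer retrying their own password from one address is not flagged. The log format, thresholds and addresses are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample login events (not real data): "timestamp src_ip username result"
SAMPLE_LOG = """\
2018-10-01T10:00:01 203.0.113.5 alice FAIL
2018-10-01T10:00:02 203.0.113.5 bob FAIL
2018-10-01T10:00:03 203.0.113.5 carol FAIL
2018-10-01T10:00:04 203.0.113.5 dave FAIL
2018-10-01T10:00:05 203.0.113.5 erin SUCCESS
2018-10-01T10:00:06 203.0.113.5 frank FAIL
2018-10-01T10:05:00 198.51.100.7 alice FAIL
2018-10-01T10:05:30 198.51.100.7 alice FAIL
2018-10-01T10:06:00 198.51.100.7 alice SUCCESS
2018-10-01T11:30:00 203.0.113.5 grace FAIL
"""

def parse_log(text):
    """Parse the assumed whitespace-separated format into (time, ip, user, result)."""
    events = []
    for line in text.splitlines():
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result))
    return events

def detect_stuffing(events, window=timedelta(minutes=10), min_attempts=5, min_users=4):
    """Return {ip: summary} for source IPs whose login attempts (failed or not)
    within one sliding window hit both thresholds: volume AND username spread.
    Counting failures alone would also flag a legitimate user mistyping a password."""
    by_ip = defaultdict(list)
    for ev in sorted(events):
        by_ip[ev[1]].append(ev)
    flagged = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:  # slide window forward
                start += 1
            win = evs[start:end + 1]
            users = {e[2] for e in win}
            if len(win) >= min_attempts and len(users) >= min_users:
                flagged[ip] = {
                    "attempts": len(win),
                    "distinct_users": len(users),
                    # accounts the attacker actually got into: force a reset on these
                    "successes": sorted(e[2] for e in win if e[3] == "SUCCESS"),
                }
                break
    return flagged

if __name__ == "__main__":
    print(detect_stuffing(parse_log(SAMPLE_LOG)))
```

In the sample, 203.0.113.5 is flagged with one successful login (erin) to act on, while 198.51.100.7, a single user retrying, is not.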

Authentication, the Critical Piece for the Digital Banking Channels
Digital banking channels will gain stronger customer adoption when trust is established between banks and their clients. In this context, security is a key enabler to achieve the needed level of trust provided that it is combined with intuitive and seamless user experiences.

The number of regulations around the world encouraging banks to deploy risk-based authentication to better protect their customers is growing rapidly. Risk-based authentication means adapting the level of assurance of the authentication to the risk level of the transaction the customer is conducting.

Choosing the Right Partner to Secure Personal and Financial Data
For banks to be successful in accelerating their digital shift, they need to consider the security of their customers as a key priority. Choosing not to deploy advanced intelligence-based authentication to protect online banking makes the customers easy targets for hackers. Not only do data breaches cost companies time and money, they break customer trust—ultimately resulting in lost business and revenue.

HID Global enables financial institutions to protect digital identities in a connected world and assess cyber risk in real time to deliver trusted transactions while empowering smart decision-making. HID Global’s extensive portfolio offers secure, convenient access to online services and applications and helps organizations meet growing regulatory requirements while going beyond just simple compliance.

HID Risk Management Solution
HID Trusted Transactions delivers advanced risk-based authentication, allowing banks to define, dynamically and in real time, the user experience and the required level of authentication assurance according to the risk detected in the ongoing action. The HID Risk Management Solution can detect all types of account takeovers, as well as credential stuffing attacks, while gathering information about the user’s location, browser, IP addresses and typical behavior patterns.