Tag: credential stuffing

There’s a common saying in the fraud prevention industry: where there’s opportunity, fraudsters are quick to follow. Recent advances in technology are providing ample new opportunities for cybercriminals to exploit. One of the most prevalent techniques being observed today is password spraying. From email to financial and health records, consumers and businesses are being impacted by this pervasive form of fraud. Password spraying attacks often fly under the radar of traditional security measures, presenting a unique and growing threat to businesses and individuals.  What is password spraying?  Also known as credential guessing, password spraying involves an attacker applying a list of commonly used passwords against a list of accounts in order to guess the correct password. When password spraying first emerged, an individual might hand key passwords to try to gain access to a user’s account or a business’s management system.   Credential stuffing is a similar type of fraud attack in which an attacker gains access to a victim’s credentials in one system (e.g., their email, etc.) and then attempts to apply those known credentials via a script/bot to a large number of sites in order to gain access to other sites where the victim might be using the same credentials. Both are brute-force attack vectors that eventually result in account takeover (ATO), compromising sensitive data that is subsequently used to scam, blackmail, or defraud the victim.  As password spraying and other types of fraud evolved, fraud rings would leverage “click farms” or “fraud farms” where hundreds of workers would leverage mobile devices or laptops to try different passwords in order to perpetrate fraud attacks on a larger scale. As technology has advanced, bot attacks fueled by generative AI (Gen AI) have taken the place of humans in the fraud ring. Now, instead of hand-keying passwords into systems, workers at fraud farms are able to deploy hundreds or thousands of bots that can work exponentially faster.  The rise and evolution of bots  Bots are not necessarily new to the digital experience — think of the chatbot on a company’s support page that helps you find an answer more quickly. These automated software applications carry out repetitive instructions mimicking human behavior. While they can be helpful, they can also be leveraged by fraudsters, to automate fraud on a brute-force attack, often going undetected resulting in substantial losses.   Generation 4 bots are the latest evolution of these malicious programs, and they’re notoriously hard to detect. Because of their slow, methodical, and deliberate human-like behavior, they easily bypass network-level controls such as firewalls and popular network-layer security.  Stopping Gen4 bots  For any company with a digital presence or that leverages digital networks as part of doing business, the threat from Gen AI enabled fraud is paramount. The traditional stack for fighting fraud including firewalls, CAPTCHA and block lists are not enough in the face of Gen4 bots. Companies at the forefront of fighting fraud are leveraging behavioral analytics to identify and mitigate Gen AI-powered fraud. And many have turned to industry leader, Neuro ID, which is now part of Experian.  Watch our on-demand webinar: The fraud bot future-shock: How to spot & stop next-gen attacks  Behavioral analytics is a key component of passive and continuous authentication and has become table stakes in the fraud prevention space. By measuring how a user interacts with a form field (e.g., a website, mobile app, etc.) our behavioral analytics solutions can determine if the user is: a potential fraudster, a bot, or a genuine user familiar with the PII entered. Because it’s available at any digital engagement, behavioral data is often the most consistent signal available throughout the customer lifecycle and across geographies. It allows risky users to be rejected or put through more rigorous authentication, while trustworthy users get a better experience, protecting businesses and consumers from Gen AI-enabled fraud.  As cyber threats evolve, so must our defenses. Password spraying exemplifies the sophisticated methods and technologies attackers now employ to scale their fraud efforts and gain access to sensitive information. To fight next-generation fraud, organizations must employ next-generation technologies and techniques to better defend themselves against this and other types of cyberattacks.  Experian’s approach embodies a paradigm shift where fraud detection increases efficiency and accuracy without sacrificing customer experience. We can help protect your company from bot attacks, fraudulent accounts and other malicious attempts to access your sensitive data. Learn more about behavioral analytics and our other fraud prevention solutions.  Learn more

This article was updated on November 9, 2023. Account takeover fraud is a huge, illicit business in the United States with real costs for consumers and the organizations that serve them. In fact, experts predict that by the end of 2023, account takeover losses will be over $635 billion. With consumers' data, your reputation, and your organization's financial picture on the line, now's the time to learn about account takeover fraud and how to prevent it.  What is account takeover fraud?  Account takeover fraud is a form of identity theft where bad actors gain unlawful access to a user's online accounts in order to commit financial crimes. This often involves the use of bots.  information that enables account access can be compromised in a variety of ways. It might be purchased and sold on the dark web, captured through spyware or malware or even given “voluntarily" by those falling for a phishing scam.  Account takeover fraud can do far more potential damage than previous forms of fraud because once criminals gain access to a user's online account, they can use those credentials to breach others of that user's accounts.  Common activities and tools associated with account takeover fraud include: Phishing: Phishing fraud relies on human error by impersonating legitimate businesses, usually in an email. For example, a scammer might send a phishing email disguising themselves as a user's bank and asking them to click on a link that will take them to a fraudulent site. If the user is fooled and clicks the link, it can give the hackers access to the account.  Credential stuffing/cracking: Fraudsters buy compromised data on the dark web and use bots to run automated scripts to try and access accounts. This strategy, called credential stuffing, can be very effective because many people reuse insecure passwords on multiple accounts, so numerous accounts might be breached when a bot has a hit. Credential cracking takes a less nuanced approach by simply trying different passwords on an account until one works.  Malware: Most people are aware of computer viruses and malware but they may not know that certain types of malware can track your keystrokes. If a user inadvertently downloads a “key logger", everything they type, including their passwords, is visible to hackers.  Trojans: As the name suggests, a trojan works by hiding inside a legitimate application. Often used with mobile banking apps, a trojan can overlay the app and capture credentials, intercept funds and redirect financial assets.  Cross-account takeover: One evolving type of fraud concern is cross-account takeover. This is where hackers take over a user's financial account alongside another account such as their mobile phone or email. With this kind of access, fraudsters can steal funds more easily and anti-fraud solutions are less able to identify them.  Intermediary new-account fraud: This type of fraud involves using a user's credentials to open new accounts in their name with the aim of draining their bank accounts.  This is only an overview of some of the most prevalent types of account takeover fraud. The rise of digital technologies, smartphones, and e-commerce has opened the door to thieves who can exploit the weaknesses in digital security for their own aims. The situation has only worsened with the rapid influx of new and inexperienced online users driven by the COVID-19 pandemic.  Why should you be concerned, now?  Now that digital commerce and smartphone use are the norm, information used to access accounts  is a security risk. If a hacker can get access to this information, they may be able to log in to multiple accounts.. The risk is no longer centralized; with every new technology, there's a new avenue to exploit.   To exacerbate the situation, the significant shift to online, particularly online banking, spurred by the COVID-19 pandemic, appears to have amplified account takeover fraud attempts. In 2019, prior to the pandemic, 1.5 billion records — or approximately five records per American — were exposed in data breaches. This can potentially increase as the number of digital banking users in the United States is expected to reach almost 217 million by 2025. Aite research reported that 64 percent of financial institutions were seeing higher rates of account takeover fraud than before COVID. Unfortunately, this trend shows no sign of slowing down. The increase in first-time online users propelled by COVID has amplified the critical security issues caused by a shift from transaction fraud to identity-centric account access. Organizations, especially those in the financial and big technology sectors, have every reason to be alarmed.  The impact of account takeover fraud on organizations  Account takeover can be costly, damage your reputation and require significant investments to identify and correct.  Protection of assets  When we think of the risks to organizations of account takeover fraud, the financial impact is usually the first hazard to come to mind. It's a significant worry: According to Experian's 2023 U.S. Identity and Fraud report, account takeover fraud was among the top most encountered fraud events reported by U.S. businesses. And even worse, the average net fraud loss per case for debit accounts has been steadily increasing since early 2021. The costs to businesses of these fraudulent activities aren't just from stolen funds. Those who offer credit products might have to cover the costs of disputing chargebacks, card processing fees or providing refunds. Plus, in the case of a data breach, there may be hefty fines levied against your organization for not properly safeguarding consumer information. Add to these the costs associated with the time of your PR department, sales and marketing teams, finance department and customer service units.  In short, the financial impact of account takeover fraud can permeate your entire organization and take significant time to recoup and repair.  Protection of information  Consumers rightfully expect organizations to have a solid cybersecurity plan and to protect their information but they also want ease and convenience. In many cases, it's the consumers themselves who engage in risky online behavior — reusing the same password on multiple sites or even using the same password on all sites. These lax security practices open users up to the possibility of multiple account takeovers. Making things worse for organizations, security strategies can annoy or frustrate consumers. If security measures are too strict, they risk alienating consumers or even generating false positives, where the security measure flags a legitimate user.  Organizations are in the difficult position of having to balance effective security measures with a comfortable user experience. Reputation  When there's a data breach, it does significant damage to your organization's reputation by demonstrating weaknesses in your security. Fraudulent account take-overs can affect the consumers who rely on you significantly and if you lose their trust, they're likely to sever their relationship with you. Large-scale data breaches can sully your organization's reputation with the general public, making consumers less likely to consider your services. How to build an account takeover fraud prevention strategy  There are numerous ways to build an account takeover fraud prevention strategy, but to work for your and individual consumers, it must pair robust risk management with a low friction user experience.  Here are some of the key elements to an account takeover fraud prevention strategy that hits the right notes.  Monitor interactions The risk of account takeover is constant so your monitoring should be as well. A layered, proactive and passive fraud prevention program can monitor your interactions, reduce false positives and keep track of consumers' digital identities. Use the right tools When it comes to fraud prevention, you've got plenty of choices but you'll want to make sure you use the tools that protect you, as well as consumer data, while always providing a positive experience. We use risk-based identity and device authentication and targeted step-up authentication to keep things running smoothly and only pull in staff for deeper investigations where necessary. Automate to reduce manual processes  Your organization's fraud prevention strategy likely includes manual processes, tasks that are completed by employees—but humans make mistakes that can be costly. Taking the wrong action, or even no action at all, can result in a security breach. Automated tasks like threat filtering and software and hardware updates can reduce the risk to your organization while improving response time and freeing up your team.  Choose a nimble platform  Technology changes quickly and so does fraud. You'll need access to a layered platform that lets you move as quickly as the bad actors do.  The bottom line  You can effectively mitigate against the risk of account takeover fraud and offer consumers a seamless experience. Learn more about account takeover fraud prevention and fraud management solutions.  Fraud management solutions

Be warned. I’m a Philadelphia sports fan, and even after 13 months, I still relish in the only Super Bowl victory I’ve ever known as a fan. Having spent more than two decades in fraud prevention, I find that Super Bowl LII is coalescing in my mind with fraud prevention and lessons in defense more and more. Let me explain: It’s fourth-down-and-goal from the one-yard line. With less than a minute on the clock in the first half, the Eagles lead, 15 to 12. The easy option is to kick the field goal, take the three points and come back with a six-point advantage. Instead of sending out the kicking squad, the Eagles offense stays on the field to go for a touchdown. Broadcaster Cris Collingsworth memorably says, “Are they really going to go for this? You have to take the three!” On the other side are the New England Patriots, winners of two of the last three Super Bowls. Love them or hate them, the Patriots under coach Bill Belichick are more likely than any team in league history to prevent the Eagles from scoring at this moment. After the offense sets up, quarterback Nick Foles walks away from his position in the backfield to shout instructions to his offensive line. The Patriots are licking their chops. The play starts, and the ball is snapped — not to Foles as everyone expects, but to running back Corey Clement. Clement takes two steps to his left and tosses the ball the tight end Trey Burton, who’s running in the opposite direction. Meanwhile, Foles pauses as if he’s not part of the play, then trots lazily toward the end zone. Burton lobs a pass over pursuing defenders into Foles’ outstretched hands. This is the “Philly Special” — touchdown! Let me break this down: A third-string rookie running back takes the snap, makes a perfect toss — on the run — to an undrafted tight end. The tight end, who hasn’t thrown a pass in a game since college, then throws a touchdown pass to a backup quarterback who hasn’t caught a ball in any athletic event since he played basketball in high school. A play that has never been run by the Eagles, led by a coach who was criticized as the worst in pro football just a year before, is perfectly executed under the biggest spotlight against the most dominant team in NFL history. So what does this have to do with fraud? There’s currently an outbreak of breach-fueled credential stuffing. In the past couple of months, billions of usernames and passwords stolen in various high-profile data breaches have been compiled and made available to criminals in data sets described as “Collections 1 through 5.” Criminals acquire credentials in large numbers and attack websites by attempting to login with each set — effectively “stuffing” the server with login requests. Based on consumer propensity to reuse login credentials, the criminals succeed and get access to a customer account between 1 in 1,000 and 1 in 50 attempts. Using readily available tools, basic information like IP address and browser version are easy enough to alter/conceal making the attack harder to detect. Credential stuffing is like the Philly Special: Credential stuffing doesn’t require a group of elite all-stars. Like the Eagles’ players with relatively little experience executing their roles in the Philly Special, criminals with some computer skills, some initiative and the guts to try credential stuffing can score. The best-prepared defense isn’t always enough. The Patriots surely did their homework. They set up their defense to stop what they expected the Eagles to do based on extensive research. They knew the threats posed by every Eagle on the field. They knew what the Eagles’ coaches had done in similar circumstances throughout their careers. The defense wasn’t guessing. They were as prepared as they could have been. It’s the second point that worries me when I think of credential stuffing. Consumers reuse online credentials with alarming frequency, so a stolen set of credentials is likely to work across multiple organizations, possibly even yours. On top of that, traditional device recognition like cookies can’t identify and stop today’s sophisticated fraudsters. The best-prepared organizations feel great about their ability to stop the threats they’re aware of. Once they’ve seen a scheme, they make investments, improve their defenses, and position their players to recognize a risk and stop it. Sometimes past expertise won’t stop the play you can’t see coming.