Credential Stuffing the Financial Services Sector



Credential stuffing in the financial services industry has risen significantly over the past year, according to Akamai’s latest State of the Internet / Security report. Credential stuffing is a type of brute-force attack in which cybercriminals take millions of previously breached usernames and passwords and run them through online services’ login portals until they find a match.

“In 2020, Akamai saw 193 billion credential stuffing attacks globally, with 3.4 billion hitting financial services organizations specifically -- an increase of more than 45% year-over-year in the sector,” the company says. “Akamai observed nearly 6.3 billion web application attacks in 2020, with more than 736 million targeting financial services -- which represents an increase of 62% from 2019. SQL Injection (SQLi) attacks remained in the top spot across all business types globally, making up 68% of all web application attacks in 2020, with Local File Inclusion (LFI) attacks coming in second at 22%. However, in the financial services industry, LFI attacks were the number one web application attack type in 2020 at 52%, with SQLi at 33% and Cross-Site Scripting at 9%.”

While credential stuffing is different from phishing, Steve Ragan, the Akamai security researcher who authored the report, noted that the level of credential stuffing is an indicator of the number of phishing attacks targeting the industry.

“The ongoing, significant growth in credential stuffing attacks has a direct relationship to the state of phishing in the financial services industry,” Ragan said. “Criminals use a variety of methods to augment their credential collections, and phishing is one of the key tools in their arsenal. By targeting banking customers and employees in the sector, criminals increase their pool of potential victims exponentially.”

Akamai warns that DDoS attacks are also a growing problem for the financial services sector.

“Over the past three years (2018-2020), Akamai saw DDoS attacks against the financial services sector grow by 93%, indicating that systemic disruption remains an objective for criminals, who target services and applications required for daily business,” Akamai says.

One of the human errors that helps credential stuffing succeed is the propensity of people to reuse their passwords, user IDs, and security questions across many different sites and services. Compromise one account and every other account sharing those credentials becomes vulnerable to this automated attack. New-school security awareness training can teach your employees to follow security best practices so they can thwart these types of attacks.


How vulnerable is your network to hacked user passwords?

25% of employees use the same password for all logins. What if that password is available on the dark web? A massive number of passwords are compromised in data breaches and used by cybercriminals for attacks. KnowBe4’s free Breached Password Test (BPT) checks to see if your users are currently using passwords that appear in publicly available breaches associated with your domain. BPT checks against your Active Directory and reports compromised passwords in use right now so that you can take action immediately!

Here's how it works:

  • Checks to see if your company domains have been part of a data breach that included passwords
  • Checks to see if any of those breached passwords are currently in use in your Active Directory
  • Does not show/report on the actual passwords of accounts
  • Just download the install and run it
  • Results in a few minutes!

Check Your Passwords

PS: Don't like to click on redirected buttons? Cut & Paste this link in your browser:

https://www.knowbe4.com/breached-password-test
