Account takeover (ATO) and credential stuffing attacks continue to take a heavy toll on financial institutions: on their revenue, their brand and the loyalty of their customers.
In an ATO attack, criminals gain unauthorized control of online accounts using stolen usernames and passwords. The technique works because users rarely change their passwords and reuse the same credentials across many sites. Attackers typically buy lists of credentials on the dark web, often harvested from earlier data breaches, social engineering and phishing, and then launch fleets of bots that test those username and password pairs against the login endpoints of financial institutions: web sites, mobile sites and the APIs behind native mobile apps. The output is a list of validated credentials, which the attacker monetizes by abusing the accounts directly or by selling the validated pairs to others. An account takeover is, in effect, a form of identity theft.
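As an added illustration of the attack pattern described above, the following Python script (written for this page; it is not code from PerimeterX or from the Aberdeen report) runs a simple detector over a constructed login log. The log format, the thresholds and every sample record are assumptions. It separates a credential-stuffing burst (many distinct usernames from one source, mostly failing) from a brute-force run (one username, many tries) and from an ordinary user who mistypes a password once and then logs in.

```python
"""Toy credential-stuffing detector run over constructed login-log lines.

Added example, not PerimeterX's product or code from the report. The log
format, thresholds and sample records are assumptions. The signal: one
source tries MANY distinct usernames, roughly once each, and most attempts
fail. Brute force hammers ONE username; a real user fails once, then succeeds.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample log, one attempt per line: "<timestamp> <client_ip> <username> <OK|FAIL>"
SAMPLE_LOG = """\
2024-03-01T10:00:00 203.0.113.7 alice FAIL
2024-03-01T10:00:01 203.0.113.7 bob FAIL
2024-03-01T10:00:01 203.0.113.7 carol FAIL
2024-03-01T10:00:02 203.0.113.7 dave OK
2024-03-01T10:00:02 203.0.113.7 erin FAIL
2024-03-01T10:00:03 203.0.113.7 frank FAIL
2024-03-01T10:00:03 203.0.113.7 grace FAIL
2024-03-01T10:00:04 203.0.113.7 heidi FAIL
2024-03-01T10:00:04 203.0.113.7 ivan FAIL
2024-03-01T10:00:05 203.0.113.7 judy FAIL
2024-03-01T10:00:05 203.0.113.7 mallory OK
2024-03-01T10:00:06 203.0.113.7 oscar FAIL
2024-03-01T10:05:00 198.51.100.9 alice FAIL
2024-03-01T10:05:01 198.51.100.9 alice FAIL
2024-03-01T10:05:02 198.51.100.9 alice FAIL
2024-03-01T10:05:03 198.51.100.9 alice FAIL
2024-03-01T10:05:04 198.51.100.9 alice FAIL
2024-03-01T10:05:05 198.51.100.9 alice FAIL
2024-03-01T10:05:06 198.51.100.9 alice FAIL
2024-03-01T10:05:07 198.51.100.9 alice FAIL
2024-03-01T10:05:08 198.51.100.9 alice FAIL
2024-03-01T10:05:09 198.51.100.9 alice FAIL
2024-03-01T10:07:00 192.0.2.44 bob FAIL
2024-03-01T10:07:20 192.0.2.44 bob OK
"""

WINDOW_MINUTES = 5        # fixed analysis window (assumed; production code would slide it)
MIN_ATTEMPTS = 10         # fewer attempts than this is never flagged
MIN_DISTINCT_USERS = 10   # stuffing threshold on distinct usernames per source
MIN_FAIL_RATIO = 0.7      # bought credential lists are mostly stale, so most attempts fail

def parse_log(text):
    """Yield (timestamp, ip, username, success) tuples from the log text."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        yield datetime.fromisoformat(ts), ip, user, result == "OK"

def window_start(ts):
    """Floor a timestamp to the start of its WINDOW_MINUTES bucket."""
    return ts.replace(minute=ts.minute - ts.minute % WINDOW_MINUTES, second=0, microsecond=0)

def summarize(attempts):
    """Aggregate attempts per (source ip, window): volume, distinct users, failures, hits."""
    stats = defaultdict(lambda: {"attempts": 0, "users": set(), "fails": 0, "hits": set()})
    for ts, ip, user, ok in attempts:
        s = stats[(ip, window_start(ts))]
        s["attempts"] += 1
        s["users"].add(user)
        if ok:
            s["hits"].add(user)   # a validated credential: exactly what the attacker is after
        else:
            s["fails"] += 1
    return stats

def classify(s):
    """Label one (ip, window) bucket by the shape of its login attempts."""
    if s["attempts"] < MIN_ATTEMPTS or s["fails"] / s["attempts"] < MIN_FAIL_RATIO:
        return "benign"
    distinct = len(s["users"])
    if distinct >= MIN_DISTINCT_USERS:
        return "credential_stuffing"   # many accounts, roughly one try each
    if distinct == 1:
        return "brute_force"           # one account, many tries
    return "benign"

def detect(text):
    """Return a sorted list of flagged (ip, window) buckets with their verdicts."""
    findings = []
    for (ip, start), s in sorted(summarize(parse_log(text)).items()):
        verdict = classify(s)
        if verdict == "benign":
            continue
        findings.append({
            "ip": ip,
            "window_start": start.isoformat(),
            "verdict": verdict,
            "attempts": s["attempts"],
            "distinct_users": len(s["users"]),
            "validated_accounts": sorted(s["hits"]),  # accounts needing a forced reset / step-up
        })
    return findings

if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG):
        print(finding)
```

Run it directly to print the two flagged buckets. The `validated_accounts` list is the operationally important output: those are the accounts whose owners need a forced password reset or step-up authentication, because the attacker now holds a working credential for them. A per-IP heuristic like this is only a starting point. Stuffing operators spread traffic across proxy pools so that each source stays under the thresholds, and a fixed five-minute bucket splits bursts that straddle a boundary, which is why bot-detection services add device and behavioral signals rather than relying on source volume alone.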
According to a new study conducted by Aberdeen Group for PerimeterX, cyber attackers have found ATO and credential stuffing attacks against financial services organizations to be a highly effective, highly scalable way to commit fraud. Titled "Quantifying the Impact of Credential Stuffing and Account Takeovers in Financial Services," the report quantifies the risk of credential stuffing and account takeovers for U.S.-based commercial banks, credit unions, savings institutions and fintech organizations. It found that 84% of organizations experienced account takeovers in the past year.
Key findings of the report include:
● Financial consequences have grown to a level that goes beyond a mere “cost of doing business,” to become a material business risk.
● To address credential stuffing and account takeovers, financial services organizations are about three times more likely to invest in fighting malicious bots than in reducing weak passwords and password reuse.
● Advanced bot detection and mitigation services top the list of technical capabilities being adopted to combat automated credential stuffing attacks.
When respondents were asked about the direct consequences from attacks on their customer accounts, the survey found that:
● 45% of organizations experienced fraudulent transactions.
● 31% saw the creation of new accounts, e.g., credit applications.
● 24% reported transfer of funds or other fungible value, e.g., loyalty points, rewards.
The cost of mobile and web-based fraud was reported as high as 8.3% of responding companies’ revenue. This cost includes chargebacks, add-on security services and damage to brand reputation and consumer trust that cause customer churn, slower growth and lower stock value.
The credit unions surveyed by Aberdeen had median revenue of $65 million and reported a median loss from ATO attacks of 5.2% of revenue. For a credit union at that median, a successful account takeover campaign could therefore cost about $3.38 million. That's a lot of money!
As online banking and digital transactions continue to grow, organizations in the financial services industry, including credit unions, must prioritize risk mitigation strategies to combat credential stuffing and account takeover attacks. Advanced bot detection and mitigation solutions that use machine learning and behavioral analysis to continually improve detection accuracy can substantially blunt automated credential stuffing and account takeover attacks, letting financial services businesses spend less effort on account fraud and more on innovating and delivering value for their customers.
Kim DeCarlis is CMO at PerimeterX, the leading provider of solutions that secure digital businesses against automated fraud and client-side threats.