The Impact of Credential Stuffing on Credit Unions

According to Netacea’s latest research ‘The Bot Management Review: the challenge of high awareness and limited understanding’, 95% of financial services surveyed stated that they had experienced a bot attack over the past two years. Since financial services often store highly sensitive and personal information, it is essential that the security measures that they have in place can detect even the most sophisticated of bots.

In part one of this two-part blog series, we discuss the impact of credential stuffing on credit unions.

What is credential stuffing?

Credential stuffing is a common account takeover technique used to gain brute force access to an account by continually and automatically injecting usernames and passwords into website login forms until they get a match.

The financial services industry is a prime target for account takeover attacks, as attackers seek to access these extremely profitable accounts.  When attackers have access to customers’ accounts they can commit acts of fraud, such as moving the money across to their personal account, acquiring credit or debit cards details linked to the account, or selling the details of the account to someone else on the dark web for a profit.

Why is credential stuffing a threat to credit unions?

Credential stuffing is a prime choice for threat actors looking to perform automated attacks; 90% of attacks targeting financial services organizations start with some form of automation. Research has also shown that 58% of the login traffic for financial services organizations come from credential stuffing attacks.

The threat of credential stuffing to credit unions is increasing. Credential stuffing software is readily available online, not only on the dark web but the clear web, which is accessible to organized cybercriminals and opportunists alike. This means that it is now easier than ever for anyone – even those who do not have the knowledge to build automated programs – to launch a credential stuffing attack. In addition to this, 59% of consumers reuse passwords across multiple sites, one of the main reasons credential stuffing attacks are successful.

What is the impact of credential stuffing on credit unions?

Credential stuffing can cause credit unions to suffer both financial and reputational damage. Research has shown that the banking industry loses nearly $50 billion dollars per day due to credential stuffing attacks. In addition to this, The Bot Management Review by Netacea also found that 80% of financial services organizations feared that a bot attack would result in a loss of customers.

How can credit unions protect themselves against credential stuffing attacks?

Credit unions can implement and encourage the use of multi-factor authentication (MFA). Multifactor authentication is a method of verification in which a user is only granted access to a website after presenting two or more pieces of evidence to verify that they own the account. For example, inputting a code sent to your email address or phone number.  MFA helps prevent unauthorized access to applications and sensitive data

Enterprise organizations should be proactive in their use of good password hygiene, instilling processes throughout the business to ensure employees adhere to best practices. This includes:

• Providing cybersecurity training to all employees
• Implementing mandatory password updates every 90 days
• Putting in place strong password requirements such as the combination of punctuation, numbers and letters
• Discouraging password reuse

In summary, credential stuffing poses a threat to credit unions as well as many other financial services. Having a preventative solution that focuses on user intent to ensure malicious activity is stopped, and genuine users are prioritized, is key for protection against credential stuffing.

Netacea’s Bot Management takes a revolutionary approach to tackling bots, protecting websites, mobile apps and APIs from malicious attacks such as scraping, credential stuffing and scalping, to give you peace of mind that your business is protected against various threats.

Want to learn more about how to protect your credit union from credential stuffing? Click here to find out more.