Credential Stuffing: A Cyber-Attack on the Rise
Credential stuffing attacks have become incredibly easy and inexpensive. A rise in digital usage and uncertain times have only increased the appeal for cybercriminals. According to a 2020 cybersecurity firm report, credential stuffing attacks accounted for the greatest volume of incidents against the financial sector.
What is Credential Stuffing?
Credential stuffing is a type of cyber-attack in which hackers take large volumes of leaked usernames and passwords and try to "stuff" those credentials into the login pages of other digital services. Because people often use the same username and password across multiple platforms, hackers can use a credential stolen from one service to unlock accounts on many others. Using automated tools, hackers can attempt thousands of login credentials in a matter of minutes. In recent years, hundreds of millions of credentials have been stolen and sold to commit fraud.
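The automated pattern described above is also what makes the attack detectable. The following is an added example (not part of the original article, and not code from First Financial or the FBI) of the kind of check a service operator can run over login records: it parses a small set of constructed log lines in an assumed format, and flags a source that hits many different usernames in a short window, which is the signature of stuffing, while leaving a single user who mistypes their own password a few times alone.

```python
"""Flag credential-stuffing patterns in authentication logs (added example).

Credential stuffing looks different from a classic brute-force attack:
one source tries one or two passwords against MANY distinct usernames,
rather than many passwords against one username. The detector below
counts, per source address and per time window, how many login attempts
occurred and how many distinct usernames they were spread across.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import re

# Constructed sample log lines (not from any real system). Addresses come
# from the RFC 5737 documentation ranges; usernames are made up. The line
# format itself is an assumption for this example.
SAMPLE_LOG = """\
2024-03-01T09:00:00Z src=203.0.113.7 user=alice result=FAIL
2024-03-01T09:00:01Z src=203.0.113.7 user=bob result=FAIL
2024-03-01T09:00:01Z src=203.0.113.7 user=carol result=FAIL
2024-03-01T09:00:02Z src=203.0.113.7 user=dave result=FAIL
2024-03-01T09:00:02Z src=203.0.113.7 user=erin result=FAIL
2024-03-01T09:00:03Z src=203.0.113.7 user=frank result=SUCCESS
2024-03-01T09:00:03Z src=203.0.113.7 user=grace result=FAIL
2024-03-01T09:00:04Z src=203.0.113.7 user=heidi result=FAIL
2024-03-01T09:05:00Z src=198.51.100.4 user=alice result=FAIL
2024-03-01T09:05:30Z src=198.51.100.4 user=alice result=FAIL
2024-03-01T09:06:00Z src=198.51.100.4 user=alice result=SUCCESS
2024-03-01T09:10:00Z src=192.0.2.9 user=bob result=SUCCESS
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$"
)


@dataclass(frozen=True)
class Event:
    ts: datetime
    src: str
    user: str
    success: bool


def parse_log(text):
    """Parse log lines into Event objects; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(Event(ts, m["src"], m["user"], m["result"] == "SUCCESS"))
    return events


@dataclass(frozen=True)
class Finding:
    src: str
    window_start: datetime
    attempts: int
    distinct_users: int
    successes: int  # logins that succeeded inside the burst: accounts to review


def detect_stuffing(events, window=timedelta(minutes=1), min_attempts=5, min_distinct_ratio=0.8):
    """Return one Finding per source whose attempts inside any `window`-long
    span reach `min_attempts` AND are spread over a high fraction of distinct
    usernames. A single account hammered repeatedly (low ratio) is left for a
    separate brute-force rule; the widest qualifying burst per source is kept."""
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        by_src[e.src].append(e)
    findings = []
    for src, evs in by_src.items():
        start, best = 0, None
        for end in range(len(evs)):
            # slide the window start forward until the span fits in `window`
            while evs[end].ts - evs[start].ts > window:
                start += 1
            win = evs[start:end + 1]
            users = {e.user for e in win}
            if len(win) >= min_attempts and len(users) / len(win) >= min_distinct_ratio:
                cand = Finding(src, evs[start].ts, len(win), len(users), sum(e.success for e in win))
                if best is None or cand.attempts > best.attempts:
                    best = cand
        if best is not None:
            findings.append(best)
    return findings


if __name__ == "__main__":
    for f in detect_stuffing(parse_log(SAMPLE_LOG)):
        print(f"stuffing burst from {f.src}: {f.attempts} attempts across "
              f"{f.distinct_users} accounts, {f.successes} succeeded")
```

On the constructed sample, 203.0.113.7 is flagged (eight attempts against eight different accounts in four seconds, one of which succeeded and should be reviewed), while 198.51.100.4, a single user failing twice before logging in, is not. The distinct-username ratio is what separates the two; a rate limit alone would treat them the same.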
The Value of Credentials
The FBI, in coordination with CISA and the Treasury Department, has received numerous reports of credential stuffing attacks against financial institutions. Since 2017, there have been nearly 50,000 account compromises. Credential stuffing attacks are happening daily all around the globe; it is no longer a question of if a website will be attacked, but when.
If data is the valuable asset locked away for safekeeping, credentials are key to opening the vault. There is no need for malware or seeking out vulnerabilities — a simple password and username are all that's required to get into a network or a database. And because most users reuse passwords, this opens other doors for the hacker. In SpyCloud's 2021 Annual Credential Exposure Report it is noted that 60% of 1.5 billion credentials recovered featured password reuse. Of those, 97.4% of passwords were an exact match across breached accounts.
How Can You Prevent It?
When customers use the same email and password combinations across multiple online accounts, cybercriminals can exploit the opportunity to use stolen credentials to attempt logins across various sites. To protect your information, regardless of which platform you are using, the following is recommended:
- Avoid generic usernames that include your first or last name, or first initial and last name.
- Example: Avoid Jdoe or JaneDoe. Simple usernames are easy to exploit. Instead, try J@n3D0e.
- Include numbers and special characters in both your usernames and passwords.
- Frequently change your account usernames and passwords.
- Use different usernames and passwords across online platforms.
- When possible, avoid using your email address as a username.
- Create unique passwords that vary across different platforms.
- According to a 2020 survey conducted by a data analytics firm, nearly 60 percent of respondents reported using one or more passwords across multiple accounts.
Creating a TEXAS STRONG Password
Creating a strong password is easier than you think. Follow these simple tips to shake up your password protocol:
- Use a long passphrase. According to NIST guidance, you should consider using the longest password or passphrase permissible. For example, you can use a passphrase such as a news headline or even the title of the last book you read. Then add in some punctuation and capitalization.
- Don’t make passwords easy to guess. Do not include personal information in your password such as your name or pets’ names. This information is often easy to find on social media, making it easier for cybercriminals to hack your accounts.
- Avoid using common words in your passwords. Substitute letters with numbers and punctuation marks or symbols. For example, @ can replace the letter “A” and an exclamation point (!) can replace the letters “I” or “L.”
- Get creative. Use phonetic replacements, such as “PH” instead of “F”. Or make deliberate, but obvious misspellings, such as “enjin” instead of “engine.”
- Keep your passwords on the down-low. Don’t tell anyone your passwords and watch for attackers trying to trick you into revealing your passwords through email or calls. Every time you share or reuse a password, it chips away at your security by opening up more avenues in which it could be misused or stolen.
- Unique account, unique password. Having different passwords for various accounts helps prevent cybercriminals from gaining access to these accounts and protects you in the event of a breach. It’s important to mix things up; find easy-to-remember ways to customize your standard password for different sites.
- Double your login protection. Enable multi-factor authentication (MFA) to ensure that the only person who has access to your account is you. Use it for email, banking, social media, and any other service that requires logging in. If MFA is an option, enable it by using a trusted mobile device, such as your smartphone, an authenticator app, or a secure token—a small physical device that can hook onto your key ring.
- Utilize a password manager to remember all your long passwords. The most secure way to store all of your unique passwords is by using a password manager. With just one master password, a computer can generate and retrieve passwords for every account that you have – protecting your online information, including credit card numbers and their three-digit Card Verification Value (CVV) codes, answers to security questions, and more.
How First Financial Can Help:
When we say safe, sound, and secure, we mean it. Our fraud prevention experts consistently monitor suspicious activity, and if we believe someone is trying to access our online banking using your username, we will alert you. First Financial Online and Mobile Banking requires secure access codes on all new browsers and devices as a further safeguard.
You can also sign up for real-time debit card text alerts that notify you any time your debit card is used. As a further security measure, we monitor all transactions and automatically alert our customers when a transaction seems out of the ordinary.
For any other questions about your account security, call us at 855-660-5862.
Information provided by the Federal Bureau of Investigation, Cyber Division