The reality of data breaches shows up in the volume of stolen information now circulating on the dark web. In 2016 alone, hackers stole some three billion credentials, and a portion of those are being used in account takeovers.

The security threat called credential stuffing is the use of automated means to test stolen username/password pairs en masse against other websites. The practice isn't new, but newer, more sophisticated tooling is fueling its growth.

A recent study from Mountain View, Calif.-based Shape Security, the "2017 Credential Spill Report," found that credential stuffing attacks resulted in $1 billion in attempted fraud in 2016 alone. According to the report, on some web and mobile applications credential-stuffing login attempts account for as much as 90% of login traffic. Hackers achieve a success rate of 0.1% to 2% when replaying stolen credentials against other sites, according to Shape Security.

Mike Lynch, chief strategy officer of Boston-based device authentication and intelligence firm InAuth, said credential stuffing is quickly becoming a critical issue in the security sector, yet few are talking about it. "I am hearing a lot about how companies are trying to battle it."

The term credential theft is not new. Lynch explained that attackers hack into a system to steal end-user login credentials: user IDs, email addresses and passwords. Or they phish users into handing the credentials over themselves. "I can't believe this many years later we're still talking about phishing, but it's still a huge issue."

Lynch provided some of the newer terms used in relation to credential theft:

  • Credential stuffing. Fraudsters use bots to test stolen account credentials through large-scale automated login requests, aiming to gain access to user accounts. "They want to validate that they have a good user name with potentially a good password."
  • Password recycling. A user reusing the same password across multiple online accounts. This is what makes a credential stolen from one site valid on another.
  • Credential spilling. Fraudsters release massive amounts of user credentials onto the dark web, sometimes for free to build their own hacker résumé, and sometimes for profit.

The return for fraudsters depends on the value of the credentials. "For 1 million stolen credentials, which these days is not that much, they might gain access to 10,000 accounts. If those are financial accounts, you have a lot of effects on the FIs," Lynch said. Possible consequences, he added, include the hard-dollar costs of detecting the credential compromise, the cleanup afterward, potential reputational damage, and the response to inevitable customer queries.

Among the techniques hackers use to obtain credentials are phishing and smishing (SMS-based phishing), credential cracking by brute force, man-in-the-middle attacks, and insider theft.

Fraudsters obtain financial institution credentials to sell to the highest bidder. Lynch said account logins for financial institutions have a longer shelf life and fetch a higher price on the dark web. "The most direct and obvious use of account takeover is transaction fraud," Lynch said. With a financial institution, it is usually fraud against the consumer's account. "Fraudsters sometimes have this information for several years before it's even noticed it's been compromised or reported that it was compromised."

Credit card numbers are valued less on the dark web because cardholders are notified of a compromise fairly quickly and the issuer then retires the card.

Companies are now battling the bots used to stuff credentials. Signs that bots are in play include an unexplained rise in traffic to the site, more login attempts than usual, and a higher-than-normal login failure rate. Because a stuffing run tries each stolen credential pair once, those failures are typically spread across many different usernames rather than concentrated on a single account, which is what distinguishes stuffing from a conventional brute-force attack on one login.
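The signs listed above can be turned into a simple detector run over authentication logs. The following is an added example, not code from the article or from InAuth. The log line format, the 60-second window and the thresholds (MIN_ATTEMPTS, MAX_FAIL_RATE, MIN_DISTINCT_USERS) are assumptions for illustration, and the log lines are constructed. It goes one step beyond the text by separating a stuffing run (many failures spread across many usernames from one source) from a single-account brute-force attempt (many failures against one username).

```python
"""Credential-stuffing signal detection over login logs (added example).

Flags, per source IP and 60-second window, the signs named in the text:
a burst of login attempts with an abnormally high failure rate. Thresholds
and the log format are assumptions, not anything from the article.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines: "<ISO 8601 time> <client IP> <username> <OK|FAIL>".
# The format is an assumption; adapt LINE_RE to your own authentication logs.
SAMPLE_LOG = """\
2017-05-01T10:00:01 198.51.100.10 alice OK
2017-05-01T10:00:05 198.51.100.11 bob FAIL
2017-05-01T10:00:09 198.51.100.11 bob OK
2017-05-01T10:00:12 198.51.100.12 carol OK
2017-05-01T10:00:20 203.0.113.7 alice FAIL
2017-05-01T10:00:21 203.0.113.7 bob FAIL
2017-05-01T10:00:21 203.0.113.7 carol FAIL
2017-05-01T10:00:22 203.0.113.7 dave OK
2017-05-01T10:00:22 203.0.113.7 erin FAIL
2017-05-01T10:00:23 203.0.113.7 frank FAIL
2017-05-01T10:00:23 203.0.113.7 grace FAIL
2017-05-01T10:00:24 203.0.113.7 heidi FAIL
2017-05-01T10:00:24 203.0.113.7 ivan FAIL
2017-05-01T10:00:25 203.0.113.7 judy FAIL
2017-05-01T10:00:40 198.51.100.13 bob FAIL
2017-05-01T10:00:42 198.51.100.13 bob FAIL
2017-05-01T10:00:44 198.51.100.13 bob FAIL
2017-05-01T10:00:46 198.51.100.13 bob FAIL
2017-05-01T10:00:48 198.51.100.13 bob FAIL
2017-05-01T10:00:50 198.51.100.13 bob FAIL
2017-05-01T10:00:52 198.51.100.13 bob FAIL
2017-05-01T10:00:54 198.51.100.13 bob FAIL
2017-05-01T10:00:56 198.51.100.13 bob FAIL
2017-05-01T10:00:58 198.51.100.13 bob FAIL
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (OK|FAIL)$")

MIN_ATTEMPTS = 10        # assumed: at least this many logins from one IP per window
MAX_FAIL_RATE = 0.80     # assumed: flag when 80% or more of those attempts fail
MIN_DISTINCT_USERS = 5   # assumed: stuffing touches many accounts, brute force hammers one


def parse(log_text):
    """Yield (timestamp, ip, user, ok) tuples, skipping malformed lines."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, ip, user, status = m.groups()
        yield datetime.fromisoformat(ts), ip, user, status == "OK"


def window_start(ts):
    """Floor a timestamp to the start of its 60-second window."""
    return ts.replace(second=0, microsecond=0)


def summarize(log_text):
    """Per (ip, window): attempt count, failure count and the set of usernames tried."""
    stats = defaultdict(lambda: {"attempts": 0, "failures": 0, "users": set()})
    for ts, ip, user, ok in parse(log_text):
        s = stats[(ip, window_start(ts))]
        s["attempts"] += 1
        s["failures"] += 0 if ok else 1
        s["users"].add(user)
    return stats


def classify(s):
    """Label one (ip, window) record as normal, brute_force or credential_stuffing."""
    if s["attempts"] < MIN_ATTEMPTS:
        return "normal"
    if s["failures"] / s["attempts"] < MAX_FAIL_RATE:
        return "normal"
    if len(s["users"]) >= MIN_DISTINCT_USERS:
        return "credential_stuffing"
    return "brute_force"


def detect(log_text):
    """Return {ip: label} for every source IP with at least one flagged window."""
    flagged = {}
    for (ip, _win), s in summarize(log_text).items():
        label = classify(s)
        if label != "normal":
            flagged[ip] = label
    return flagged


def site_failure_rate(log_text):
    """Site-wide failure ratio; compare against your baseline to spot a surge."""
    rows = list(parse(log_text))
    if not rows:
        return 0.0
    return sum(1 for r in rows if not r[3]) / len(rows)


if __name__ == "__main__":
    for ip, label in detect(SAMPLE_LOG).items():
        print(f"{ip}: {label}")
    print(f"site-wide failure rate: {site_failure_rate(SAMPLE_LOG):.0%}")
```

Keying on source IP is the weakest part of this: real stuffing runs rotate through proxies and residential botnets, so one IP rarely produces a clean burst. The same grouping logic works on a device fingerprint, user-agent cluster or ASN, which is where the device intelligence discussed later in the piece fits in.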

"They're using automation and technology to do things like credential cracking, and the bots themselves create the malware and distribute it," Lynch said. "They are quite sophisticated."

The theft of user credentials and their reuse against other sites is now so widespread that it prompted a precaution in the Draft NIST Special Publication 800-63B, "Digital Identity Guidelines": online account systems should check the passwords their users choose against lists of known spilled credentials and reject any that appear.
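One way to implement the 800-63B check without ever sending a user's password, or its full hash, to a third party is the k-anonymity range lookup used by Have I Been Pwned's Pwned Passwords service: hash the candidate with SHA-1, send only the first five hex characters, receive every hash suffix in that range, and compare locally. The following is an added example, not code from the article, NIST or Have I Been Pwned. The breach corpus and the in-memory "range server" are constructed stand-ins for the real service at https://api.pwnedpasswords.com/range/<prefix>, and the minimum length is an assumed policy value.

```python
"""Breached-password rejection with a k-anonymity range lookup (added example).

The corpus below is constructed for illustration; a real deployment would
query the Pwned Passwords range API or a locally mirrored copy of its data.
"""
import hashlib


def sha1_hex(password):
    """Uppercase hex SHA-1, the form the range protocol exchanges."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed breach corpus: password -> number of times seen in spills.
# Real corpora hold hundreds of millions of entries.
BREACHED_PASSWORDS = {
    "password": 3730471,
    "123456": 23597311,
    "letmein": 235520,
    "Summer2017!": 412,
}


def build_ranges(corpus):
    """Index the corpus as {prefix5: {suffix35: count}}, mimicking the server side."""
    ranges = {}
    for pw, count in corpus.items():
        h = sha1_hex(pw)
        ranges.setdefault(h[:5], {})[h[5:]] = count
    return ranges


RANGE_SERVER = build_ranges(BREACHED_PASSWORDS)


def query_range(prefix):
    """Stand-in for GET /range/<prefix>: returns 'SUFFIX:COUNT' lines for that prefix.

    Only the 5-character prefix crosses the trust boundary; the caller keeps
    the remaining 35 characters private and matches them locally.
    """
    if len(prefix) != 5:
        raise ValueError("prefix must be exactly 5 hex characters")
    return [f"{suf}:{cnt}" for suf, cnt in RANGE_SERVER.get(prefix, {}).items()]


def breach_count(password):
    """Return how many times the password appears in the corpus, 0 if unseen."""
    h = sha1_hex(password)
    prefix, suffix = h[:5], h[5:]
    for line in query_range(prefix):
        suf, _, cnt = line.partition(":")
        if suf == suffix:
            return int(cnt)
    return 0


def is_acceptable(password, min_length=8):
    """800-63B style check: a length floor plus rejection of spilled passwords.

    Returns (accepted, reason) so the caller can tell the user why, which the
    guideline asks verifiers to do when they reject a choice.
    """
    if len(password) < min_length:
        return False, "too short"
    n = breach_count(password)
    if n:
        return False, f"found in breach corpus {n} times"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ["password", "123456", "Summer2017!", "correct horse battery staple"]:
        print(candidate, "->", is_acceptable(candidate))
```

Run the check when a password is set or changed, not only at enrollment, and treat a hit as a hard rejection rather than a warning. The prefix still tells the server which 1-in-a-million bucket the hash fell into, so if that leak matters to you, mirror the corpus locally instead of querying it live.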

Lynch suggested credit unions identify the unique device through device fingerprinting and run malware detection on it. In addition, financial institutions should use behavioral analysis. He also recommended credit unions embrace newer authentication techniques such as biometrics. "The more financial institutions adopt biometrics, the less credential compromise we will have."

© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.