What is ‘credential stuffing’ and why should you be worried?

Aberdeen Group report warns of the rise of a method of financial fraud that is highly effective and scalable

Steve Randall

Stolen usernames and passwords are the digital world’s equivalent of a stolen wallet, and just like pickpockets evolved over time to become more adept at their crimes, so too have cybercriminals.

One of the strategies being deployed by criminals targeting people's finances online is 'credential stuffing', because it can be highly effective and highly scalable, according to a new report.

Credential stuffing involves the automated use of stolen username and password pairs to gain access to accounts. Essentially, computer bots try these combinations across multiple sites, and it is almost inevitable that some of the attempts will succeed and result in account takeovers (ATOs).
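The pattern described above leaves a recognisable trace in authentication logs: one source tries many different usernames in a short burst, almost all attempts fail, and the few that succeed are the accounts that were taken over. The following is an added example of how a defender might flag that trace; it is not code from the article or from the Aberdeen report. The log line format, the sample lines and the detection thresholds are all constructed assumptions for the illustration.

```python
"""Flag credential-stuffing indicators in a simple authentication log.

Assumed (constructed) log format, one attempt per line:
    <ISO-8601 timestamp> <source ip> <username> <ok|fail>
A source is flagged when, inside a sliding time window, it tries at least
MIN_DISTINCT_USERS different usernames AND its overall failure ratio is at
least MIN_FAIL_RATIO. The distinct-user test separates stuffing from one
person mistyping their own password; the failure-ratio test separates it
from a shared office gateway behind which many real users log in normally.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample data (not real traffic). Three sources:
#   203.0.113.7   - bot cycling through a stolen credential list (one hit)
#   198.51.100.20 - one user who forgot their password, then got it right
#   192.0.2.50    - shared office gateway, many users, mostly successful
SAMPLE_LOG = """\
2024-05-01T10:00:00 203.0.113.7 alice fail
2024-05-01T10:00:01 203.0.113.7 bob fail
2024-05-01T10:00:02 203.0.113.7 carol ok
2024-05-01T10:00:03 203.0.113.7 dave fail
2024-05-01T10:00:04 203.0.113.7 erin fail
2024-05-01T10:00:05 203.0.113.7 frank fail
2024-05-01T10:00:06 203.0.113.7 grace fail
2024-05-01T10:00:07 203.0.113.7 heidi fail
2024-05-01T10:09:00 198.51.100.20 alice fail
2024-05-01T10:09:10 198.51.100.20 alice fail
2024-05-01T10:09:20 198.51.100.20 alice fail
2024-05-01T10:09:30 198.51.100.20 alice ok
2024-05-01T10:15:00 192.0.2.50 ivan ok
2024-05-01T10:15:05 192.0.2.50 judy ok
2024-05-01T10:15:10 192.0.2.50 mallory ok
2024-05-01T10:15:15 192.0.2.50 niaj ok
2024-05-01T10:15:20 192.0.2.50 olivia fail
2024-05-01T10:15:25 192.0.2.50 peggy ok
"""

WINDOW = timedelta(minutes=5)   # assumed burst window
MIN_DISTINCT_USERS = 5          # assumed threshold
MIN_FAIL_RATIO = 0.8            # assumed threshold


def parse_line(line):
    """Return (timestamp, ip, username, succeeded) for one log line."""
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user, result == "ok"


def max_distinct_users_in_window(events, window):
    """events: list of (ts, user, ok) sorted by ts.
    Sliding two-pointer window; returns the largest number of distinct
    usernames attempted within any span of length `window`."""
    counts = Counter()
    best = 0
    left = 0
    for ts, user, _ in events:
        counts[user] += 1
        # Drop events that fell out of the window on the left.
        while ts - events[left][0] > window:
            old_user = events[left][1]
            counts[old_user] -= 1
            if counts[old_user] == 0:
                del counts[old_user]
            left += 1
        best = max(best, len(counts))
    return best


def detect_credential_stuffing(log_text, window=WINDOW,
                               min_distinct_users=MIN_DISTINCT_USERS,
                               min_fail_ratio=MIN_FAIL_RATIO):
    """Return {ip: summary} for every source that meets both indicators.
    `possible_takeovers` lists accounts that succeeded from a flagged source,
    i.e. the ones to re-secure and notify first."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, ok = parse_line(line)
        by_ip[ip].append((ts, user, ok))

    findings = {}
    for ip, events in by_ip.items():
        events.sort()
        attempts = len(events)
        failures = sum(1 for _, _, ok in events if not ok)
        fail_ratio = failures / attempts
        burst = max_distinct_users_in_window(events, window)
        if burst >= min_distinct_users and fail_ratio >= min_fail_ratio:
            findings[ip] = {
                "attempts": attempts,
                "distinct_users_in_window": burst,
                "fail_ratio": round(fail_ratio, 3),
                "possible_takeovers": sorted(
                    {user for _, user, ok in events if ok}),
            }
    return findings


if __name__ == "__main__":
    for ip, summary in detect_credential_stuffing(SAMPLE_LOG).items():
        print(ip, summary)
```

Run against the constructed sample, only 203.0.113.7 is flagged, with `carol` listed as the account to re-secure; the forgotten-password source fails the distinct-user test and the office gateway fails the failure-ratio test. Real deployments would add per-ASN and per-user-agent grouping, since a stuffing campaign is usually spread across many source addresses, but the two indicators shown are the core of the signal.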

Market research organization Aberdeen Group conducted a study across four sectors of financial services - commercial banks, credit unions, savings institutions and fintech - and determined that 84% of respondents reported that some number of their online users had experienced a successful account takeover in the previous 12 months.

"Throughout the financial services industry, the monetary consequences of credential stuffing and successful account takeovers — both direct, and indirect — have grown beyond a basic 'cost of doing business' to become a material business risk," concluded Derek Brink, CISSP, vice president and research fellow for Aberdeen Strategy & Research. "Given the central role of digital credentials in the management of long-term, account-based relationships with their customers, it's clear that addressing these risks now demands much closer attention."

The impact of attacks

The study found three main direct consequences of these attacks on customer accounts:

  • 45% of organizations experienced fraudulent transactions
  • 31% saw the creation of new accounts, e.g., credit applications
  • 24% reported transfer of funds or other fungible value, e.g., loyalty points, rewards

Aberdeen's quantitative analysis also estimated that the median cost of these attacks ranges from 2.7% to 6.4% of the revenue generated by an organization's monthly active users, depending on which of the four market segments it belongs to.

The study, in association with web app protection solutions firm PerimeterX, also found that financial services firms are about three times more likely to invest in fighting malicious bots than to take steps to reduce weak passwords and password reuse.
