Credential Stuffing Prevention: Identity Theft and Fraud Require Better Solutions
Collecting and holding information on your clients is part of the banking industry’s DNA, because it made good business sense even before “know your client” laws made it mandatory. In the middle of the last century, computerization made record-keeping easier and more cost-effective, with the predictable result that institutions kept ever-larger quantities of client data.
Two decades into the new century, data — and the analytics tools to make use of it — has become one of the major drivers of innovation within the industry. Unfortunately, it also represents a potential liability: you’re legally responsible for your stewardship of user data, yet it’s vulnerable to simple brute-force attacks such as “credential stuffing.” If your current platform was not built with a security-first mindset, it may not be up to the task of credential stuffing prevention and other forms of contemporary data protection.
Credential Stuffing and Other Risks
One of the hard truths of our mobile, digital-first life is that a lot of personally identifying information is already out there “in the wild”: if the statistics on data breaches don’t frighten you, you’re just not paying attention. It costs little for criminals to purchase lists of usernames (or of email addresses or phone numbers, which are widely used for the same purpose); and lists of known, compromised passwords. In addition, people who have only a few long-lived, memorized passwords are susceptible to credential stuffing when they reuse passwords across sites and an unrelated site has a data breach.
At this point, gaining unauthorized access to an account is relatively simple: a computer can try a username with tens of thousands of passwords every hour until a given combination works. Or if the password is part of an unrelated breach, only a few attempts is all a hacker needs. Most people use the same password and username across multiple sites and apps, so that “known good” combination can typically be exploited repeatedly. This is credential stuffing: it takes time and processing power, but minimal programming expertise.
For financial institutions, the main threat posed by credential stuffing is that it’s an automated, high-speed process: as fraudulent activity goes, you could think of it as “wholesale.” Similarly, a phishing attack or auto-dialing phone scam can compromise hundreds or thousands at a time. Lower-volume “retail” attacks (such as romance scams) that compromise one victim at a time are less damaging from the institutional perspective, though they also pose a risk.
The Risks to Banks and Credit Unions
Fraud is the most obvious security risk to any institution, but it’s far from the only one or even — potentially — the most consequential. Attackers who compromise your users’ accounts can cost you money, but those who successfully install malware or ransomware on a user’s device and then penetrate your platform can potentially bring your institution to its knees; either by shutting you down until you pay a ransom or by stealing your user data (or sensitive business data) en masse. The same holds true for attackers who compromise your staff or managers, as opposed to ordinary users.
Another key risk is reputational. The biggest industry players are well enough entrenched that even a major data breach won’t hurt them significantly, but smaller regional institutions could be crippled if a significant percentage of its users should lose confidence in its ability to safeguard their data.
A third risk is regulatory. As cybersecurity threats grow more worrisome for consumers and institutions alike, governments have staked out a more rigorous climate of oversight. In July of 2020, for example, New York’s Department of Financial Services levied a fine against an insurance company that was not in response to a breach, but to an unresolved vulnerability that left customer data at risk of exposure.
The Right Digital Platform can Help You Mitigate the Risks
“Nimbleness” in your digital platform is often cited as a desirable thing, but it’s usually framed in a marketing context: it’s how you stay competitive with fast-moving fintechs, and keep up with the consumers’ rapidly-changing needs and desires. Unfortunately, criminals are — if anything — faster-moving and more adaptable than competitors or customers, and the digital platforms many institutions rely on are simply not able to keep up.
Legacy banking software typically is bolted together from several standalone “bank in a box” products from different vendors. As a result it’s exceedingly difficult to implement rapid fixes to quickly-developing security issues, especially when you have a limited IT budget and heavy existing demands on those staff. If you weren’t already questioning whether your systems are approaching their end of life, this might well be a deciding factor.
An up-to-date digital banking platform — or, more accurately, the right digital banking platform — can go a long way toward mitigating the risks posed to your institution by credential stuffing and other contemporary threats. Lumin Digital’s software is constructed from the ground up to meet those threats.
The Case for Lumin Digital
Up-to-date security isn’t something that can effectively be added to a decades-old software after the fact, like a coat of paint: it needs to be integrated from the beginning and be fundamental to the design.
At Lumin Digital, security is a cornerstone of our corporate culture: it’s built collaboratively into every work process and group. We leverage existing tools and our proprietary threat protection measures to underpin our digital banking delivery with a seamless, state-of-the-art managed security solution. Here’s (some of) what that looks like in practice:
Integrated “zero trust” principles: Legacy software applies an “us and them” standard, with trusted insiders (institutional users, contractors, software partners) facing lower security standards than everyone else. That’s not a viable model anymore, given that 1) insiders are just as vulnerable to phishing as outsiders, and 2) misconfigurations or unpatched software vulnerabilities can give outsiders unfettered access. Modern “zero trust” principles assume that everyone’s a potential threat and every system component needs to prove its trustworthiness, whether an insider or an outsider (as a bonus, this also neatly mitigates the risk from insider fraud or malicious contractors).
Security throughout development: At every stage, each idea, feature or UX design element is scrutinized with confidentiality and transactional integrity in mind. To that end, Lumin’s production process integrates both static and dynamic application security testing and automated software composition analysis tools to vet the code as it makes its way through the deployment pipeline.
Integrated, ongoing code auditing: Change control processes and code review processes are stringently audited by highly-trained specialists with specific financial industry expertise.
Security enhancements enabled by our cloud-native model: Misconfigured and unpatched software are significant sources of vulnerability for legacy software, in part because of the overhead involved in addressing them. With Lumin Digital that’s not an issue: our entire application stack is replaced and redeployed weekly, in a seamless process that neither you nor your users will notice. Your IT people will see your assets and security posture in real-time, as opposed to periodic — and never frequent enough — assessments, making it easier to detect misconfigurations or outlier activity at scale.
Credential stuffing prevention: Credential stuffing and other account-takeover attacks are best countered by active detection methods. The Lumin Digital platform incorporates advanced “bot” detection to identify automated and scripted attacks before they can gain a foothold and user analytics that correlates the behavior and devices of each user to create an identifiable pattern. When there’s activity that doesn’t correspond to the user’s expected pattern, that gets flagged for scrutiny.
Credential vetting: As noted above, users have the unfortunate habit of relying on a small handful of passwords across a large number of sites, and those passwords are frequently compromised. Cyber-security professional Troy Hunt maintains a searchable database of known-compromised emails, phone numbers and passwords, and Lumin Digital’s software vets each user’s password against that database. If it’s detected, we’ll prompt them to change it.
Even better, you’ll get credit for alerting them to the possibility of their identity being stolen and can work with them to help mitigate those risks, which presents the opportunity for some major trust-building.
The ability to implement/maximize existing tools: There are some excellent security resources available to the financial services industry if your platform is prepared to take advantage of them. Aside from Hunt’s database of breaches, a prime example is FS-ISAC, the Financial Services Information Sharing and Analysis Center. Through FS-ISAC you can take advantage of a wealth of information on existing and emerging threats, but only if your software platform can utilize it (Lumin’s can). Lumin’s Application Programming Interface (API) also enables your IT people, or ours, to incorporate new resources as they’re developed.
Credential Stuffing Prevention is the Tip of the Iceberg
In times of stress and change — and the last few years have certainly been that — it’s only human to become risk-averse and seek comfort in the status quo. Unfortunately, when applied to the state of your institution’s computer platform, that very natural impulse increases your risks in many key areas. Insurers are paying a high price for fraud, for example, and your coverage could become more costly if they feel you’re not protecting your computer systems adequately.
Legacy platforms can only counter cyber attacks with broad-stroke tools such as IP blocking, which is trivially easy for hackers to bypass. Or legacy systems put the onus on users through measures such as captchas and out-of-wallet questions, which create friction and reduce users’ satisfaction with your platform. Remember, you may not need to experience a breach anymore to face regulatory action, so this is a double-edged threat. In June of 2021 the Federal Financial Institutions Examination Council released new guidance for reviewing an institution’s architecture, infrastructure and operations. You can download it and review it for yourself: the farther your institution falls from meeting that guidance, the greater your regulatory risk.
Ultimately, the biggest risk you face is irrelevance, as current and potential users migrate to financial solutions that represent a better fit for their lifestyle. If you want to place your institution squarely on the positive side of that curve rather than the negative side, contact us today to request a demonstration.
Open Web Application Security Project: Credential Stuffing
American Banker: Too Many Gaps in Banks’ Fraud-Prevention Systems
Carnegie Mellon University Software Engineering Institute: Spotlight on Insider Fraud in the Financial Services Industry
NBC News: Man Pleads Guilty in Huge ID Theft Case
Have I Been Pwned?: Check if Your Email or Phone is In a Data Breach
Financial Services Information Sharing and Analysis Center: Safeguarding the Global Financial System by Reducing Cyber Risk
Insurance Information Institute: Facts + Statistics: Identity Theft and Cybercrime
ABA Risk and Compliance: What Banks Need to Know About Credential Stuffing and How to Stop It
Federal Financial Institutions Examination Council: Architecture, Infrastructure, and Operations