The FBI sent a private security alert to the US financial sector warning about the increasing number of credential stuffing attacks that have targeted their networks, leading to breaches and considerable financial losses. Since 2017, nearly 50,000 account compromises have been reported against US banks, financial services providers, insurance companies, and investment firms.Credential stuffing attacks accounted for 41% – the greatest volume – of all security incidents against the financial sector from 2017-2019.
This FBI security alert highlights some of the most important security measures companies should utilize to thwart credential-based attacks such as credential stuffing. However, time and time again users have proven they\’ll disregard expert advice, reuse credentials, and select simple passwords. With that in mind, good advice such as \”advise customers and employees to use unique passwords they are not using for any other accounts and to change their passwords regularly\” will likely fall on deaf ears. Companies should now assume users will act against best interests when it comes to credentials, and start forcing good habits for passwords and security.
The FBI alert includes some powerful steps that all networks and websites containing sensitive accounts should adhere to, such as enforcing the user of multi-factor authentication (MFA) for sensitive accounts (banking, insurance, trading accounts, etc.), comparing new passwords against databases of known leaked usernames/passwords (requiring a new password to be selected if there\’s a match), modifying log-in pages to return the same error regardless of which part of the credential is invalid (username/password), contacting the user directly any time account information or credentials are changed, and using anomaly detection tools to identify unusual traffic and failed authentication attempts.
In addition to these steps, companies should consider all aspects of the National Institute of Standards and Technology\’s (NIST) revised password guidelines for 2020. This includes promoting the use of password managers by allowing long and complex passwords as well as paste functionality in password fields, ensuring all stored passwords are salted and hashed (to protect credentials in the event of a breach), and preventing the use of common, sequential, and context-specific passwords.
Finally, companies trying to protect networks against breaches should consider real-time threat detection/response and password policy enforcement software. Convincing users to adhere to credential best practices is an uphill battle, so companies should start forcing good habits programmatically.