BioCatch Warns About More Advanced Credential Stuffing Techniques

BioCatch is warning that financial institutions need to be prepared to deal with a more sophisticated kind of credential stuffing attack. In that regard, the company noted that fraudsters are no longer concerned only with raw volume, and are instead modifying their techniques in an effort to get around the latest bot detection tools.

In a credential stuffing attack, fraudsters will try to log into an account using compromised user names and passwords taken from another source. The attacks are effective because many people reuse passwords for multiple accounts, and because there is a wealth of personal information available on the dark web that can be used to power the attacks. There are also automated tools that make it easy to test multiple credentials and execute attacks at scale.

The problem (as far as fraudsters are concerned), is that those bots can move faster than any human, which makes them more visible to malware detectors. Financial institutions are getting better at spotting volume attacks, giving them an opportunity to step in when they occur.

With that in mind, fraudsters are tweaking their bots to better simulate real human behavior. For example, one recent credential stuffing attack was carried out with a bot that was programmed to wait 25 seconds between each password attempt. The fraudsters then instructed the bot to input usernames with individual keystrokes and navigate with mouse clicks to add more depth to the illusion.

BioCatch was able to identify the activity as a brute force attack because the number of attempts was still far greater than what would be expected from an actual user, and because the rate of failed logins was consistent with credential stuffing. However, they still pose a serious threat for financial institutions. Instead of carrying out one massive attack, fraudsters are now testing credentials in smaller batches, and doing so more frequently, to raise their success rate (which was as high as 23 percent in some cases). The attacks themselves originated from a trusted third-party service provider, which further masked the fraudulent activity.

For its part, BioCatch argued that behavioral biometrics can help guard against those more intelligent fraud attacks. The company’s solution analyzes factors like typing speed and mouse movement to build user profiles. As a result, it can thwart bot attacks that appear human in a more general sense because they cannot replicate the unique behavior of each specific user.

Illustrating the scope of the issue, BioCatch cited a PYMNTS study that recorded 85.42 billion credential stuffing attacks between December 2017 and November 2019. The company has since patented a new authentication system built for mobile devices.

–

May 14, 2021 – by Eric Weiss

Related News

Sponsored Links

FaceTec’s patented, industry-leading 3D Face Authentication software anchors digital identity, creating a chain of trust from user onboarding to ongoing authentication on all modern smart devices and webcams. FaceTec’s 3D FaceMaps™ make trusted, remote identity verification finally possible. As the only technology backed by a persistent spoof bounty program and NIST/iBeta Certified Liveness Detection, FaceTec is the global standard for Liveness and 3D Face Matching with millions of users on six continents in financial services, border security, transportation, blockchain, e-voting, social networks, online dating and more. www.facetec.com

TECH5 is an international technology company founded by experts from the biometrics industry, which focuses on developing disruptive biometric and digital ID solutions through the application of AI and Machine Learning technologies.

TECH5 target markets include both Government and Private sectors with products powering Civil ID, Digital ID, as well as authentication solutions that deliver identity assurance for various use cases.

Learn more: www.tech5.ai

Mobile ID World is here to bring you the latest in mobile authentication solutions and application providers. Our company is dedicated to providing users with the best content and cutting edge information on technology, news, and mobile solutions for your mobile identity management needs.

HID powers the trusted identities of the world’s people, places and things. Our trusted identity solutions give people convenient and secure access to physical and digital places and connect things that can be identified, verified and tracked digitally. Millions of people use HID products to navigate their everyday lives, and billions of things are connected through HID technology. https://www.hidglobal.com/

As the world moves to a mobile-first economy, businesses need to modernize how they acquire, engage with, and enable consumers. Prove’s phone-centric identity tokenization and passive cryptographic authentication solutions reduce friction, enhance security and privacy across all digital channels, and accelerate revenues while reducing operating expenses and fraud losses. Over 1,000 enterprise customers use Prove’s platform to process 20 billion customer requests annually across industries including banking, lending, healthcare, gaming, crypto, e-commerce, marketplaces, and payments. https://www.prove.com/

Related News

Footer

Follow Us