LexisNexis Risk Solutions

October 3, 2019

Though only a blip on carriers’ security radar a few years ago, credential stuffing is on the rise. With easy access to breached data and efficient automation, cybercriminals have it even easier than before—and insurance customers may be at risk.    

As insurers strive to expand their digital offerings, credential stuffing has become a concern as fraudsters hijack customer accounts and use stolen data. According to the LexisNexis Risk Solutions 2018 Cyber Crime Report, in the second half of 2018, there were 2.8 billion automated bot attacks, many of which may have been used in credential stuffing operations aimed at taking over customer accounts.

Along with possible fines, broader consequences include damage to reputation, loss of trust and the cost of remediation. Fraud now costs the insurance industry more than $250 billion annually and false claims have gone up 60% in the past four years.

Let’s have a look at credential stuffing—and what you can do to help keep your business and customers safe. 

First of All, What Is Credential Stuffing?

Hackers engage in credential stuffing when they use login credentials previously stolen from another source in an automated attack to gain access to accounts. Hackers can gain access when users repeat passwords across multiple accounts, which is highly common. In fact, this scenario has gone up 60% in the last four years, according to the 2018 Cyber Crime Report.

Why Everyone is Vulnerable

The reality of cybercrime and the increasing frequency of company security breaches mean that anyone with a digital footprint is susceptible to the consequences of credential stuffing. Here are three reasons we have identified for the uptick in credential stuffing:

1. Unsecure Passwords

With people juggling many accounts for devices, apps, programs and websites, it can be difficult to remember a different password for each one. Despite knowing better, many people use the same credentials across accounts.

2. Credential Stuffers are Clever

We don’t want to toot the horns of hackers who engage in credential stuffing, but they are clever. The arsenal and methodology of hackers are ever evolving, and like a crock pot, the bots they let loose take a “low and slow” approach; but instead of producing a savory meal, this approach makes attacks harder to detect. It also enables the bots to mimic authentic customer behaviors, which can allow them to slip under the radar.

As one would taste or check on a simmering meal—and perhaps turn the slow cooker up to “high” before serving—when hackers acquire breached credentials, they validate the data through small testing attacks. Once the credentials are validated, the major offensive is launched. Dinner is served—or in the case of a hacker, they’ve likely just stolen enough money to not have to use a crock pot ever again.

3. Nothing and No One is Off Limits

Tech-savvy crime syndicates have recently been reported to be selling user data belonging to web users who have been infected by malware and had their account passwords and full browser details recorded.

This includes browser user-agent details, WebGL signatures, HTML5 canvas fingerprints, user profiles and login credentials for banking services, file-sharing and social media—as well as the cookies associated with those accounts. Cybercriminal bot attacks leveraging this user data may start to appear nearly indistinguishable from legitimate traffic—and for just $5 per user.

Large, public companies are likely targets for infiltration. The SEC reports that at least nine publicly traded companies have recently fallen for hijacked supplier emails, leading to phony invoices being sent out. An SEC report shows that companies unwittingly paid out $30 to $45 million through wire transfers.

Why Credential Stuffing is Suddenly a Problem

With user behavior, low prices and canny project management on their side, credential stuffers have it easier than before. While the credential stuffing trend was first observed in late 2014, it continues to grow as platforms for stolen account credentials increase in popularity. More robust tools have subsequently been developed, supporting an unlimited number of custom plugins, also called ‘configs,’ which essentially offer hackers the capability to target almost any company with an online presence. What had initially started as several hundred or several thousand compromised accounts has quickly ballooned to hundreds of thousands, or even millions, of accounts.

“The glut of compromised accounts has brought the asking price for compromised accounts from $10 to a mere $1 to $2, though the overall profitability of credential stuffing attacks increased significantly through sheer volume,” according to a report published by Recorded Future. “Despite this, the success rate for credential stuffing is between 1 to 3%. The same database can then be reused over and over again to hack dozens of different websites, as users often recycle username/password pairs across different services, yielding even higher profits.”
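A defender's view of the “low and slow” approach and the 1 to 3% success rate described above, as an added example that is not part of the original article: over constructed login events, a per-minute rate limit sees nothing, while counting distinct accounts and failures per source across a long window flags the stuffing source. The event fields, thresholds and addresses are assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def build_sample_events():
    """Constructed login events: (timestamp, source_ip, username, success)."""
    t0 = datetime(2019, 10, 1)
    # One source tries a new account every 10 minutes; 1 of 40 succeeds (2.5%).
    ev = [(t0 + timedelta(minutes=10 * i), "203.0.113.7", f"user{i:03d}", i == 17)
          for i in range(40)]
    # A real customer mistypes a password twice, then gets in.
    ev += [(t0 + timedelta(minutes=5, seconds=s), "198.51.100.20", "alice", ok)
           for s, ok in ((0, False), (20, False), (70, True))]
    # A shared office address: several users, all successful.
    ev += [(t0 + timedelta(hours=1, minutes=i), "192.0.2.50", name, True)
           for i, name in enumerate(["bob", "carol", "dave", "erin", "frank", "grace"])]
    return sorted(ev)

def rate_limit_alerts(events, max_per_minute=5):
    """Burst control: sources exceeding N attempts in any one clock minute."""
    counts = defaultdict(int)
    for ts, ip, _user, _ok in events:
        counts[(ip, ts.replace(second=0, microsecond=0))] += 1
    return {ip for (ip, _minute), n in counts.items() if n > max_per_minute}

def stuffing_suspects(events, window=timedelta(hours=24),
                      min_users=10, min_fail_ratio=0.9):
    """Sources that fail against many distinct accounts inside a long window."""
    by_ip = defaultdict(list)
    for event in events:  # events must be sorted by timestamp
        by_ip[event[1]].append(event)
    suspects = {}
    for ip, evs in by_ip.items():
        lo = 0
        for hi in range(len(evs)):
            while evs[hi][0] - evs[lo][0] > window:
                lo += 1  # slide the window start forward
            win = evs[lo:hi + 1]
            users = {user for _ts, _ip, user, _ok in win}
            fail_ratio = sum(not ok for _ts, _ip, _user, ok in win) / len(win)
            if len(users) >= min_users and fail_ratio >= min_fail_ratio:
                suspects[ip] = {"accounts": len(users), "fail_ratio": fail_ratio}
    return suspects

if __name__ == "__main__":
    events = build_sample_events()
    print("rate-limit alerts:", rate_limit_alerts(events))
    print("long-window suspects:", stuffing_suspects(events))
```

Grouping by source address is only one signal: as the article notes, bots replaying stolen browser details may look like legitimate traffic, so a single-source count will not catch every campaign.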

What You Can Do to Help Keep Your Business and Customer Identities Safe

Though credential stuffing attempts don’t seem to be slowing down, it’s not all doom and gloom. Here are some important options to consider for a cybersecure platform:

Fuel Growth and Profitability While Fending Off Fraudsters

Hijacked accounts and unwitting payouts are just the tip of the iceberg for a company affected by cybercrime. It’s an expensive mess—as Equifax was reminded after its 2017 data breach.

As incumbent insurers look to innovate in new areas such as micro-insurance, usage-based coverage, retail finance and wealth management, it is particularly important to be aware of credential stuffing. The benefits of awareness and a proactive approach include containing costs, fending off cybercriminals and the ability to deliver a quick and efficient digital experience for customers.

With one out of every nine new accounts being fraudulent, a key strategy to incorporate early in a customer journey is identity assessment and authentication. Though some carriers are progressing, others are slow in moving towards mitigating the threat posed by credential stuffing. Considering the potential for significant losses and continual “innovations” of the dark web, there are many incentives to spur carriers on before it’s too late.