While organisations busied themselves with shifting their workforce to remote work during this pandemic, many have found themselves falling victim to credential stuffing attacks as cyber criminals step up their efforts during the months of lockdowns.
At the same time, the growth of digital banking has exposed application programming interfaces (APIs), led to insecure customer mobile devices, insider fraud, and other criminal activities that have impacted the FSI sector.
According to Akamai’s latest State of the Internet (SOTI) – Phishing for Finance report, there were 193 billion credential stuffing attacks globally, with 3.4 billion hitting FSI organisations specifically. A credential stuffing attack is when the cyber attackers use lists of compromised user credentials to breach into a system with the aid of bots and is based on the assumption that users reuse their login details across multiple services.
Attackers looking to exploit human vulnerabilities in digital infrastructures
Akamai discovered that attackers have modified their phishing kits and adapted them to COVID-19 issues including government aid and work related problems such as email access or service status.
As more companies move their business-critical functions to the cloud, the potential threats to their operations become more obvious as attackers look to exploit human vulnerabilities and leverage the increased dependency on digital infrastructures.
Based on the SOTI – Phishing for Finance report, SMS Phishing (Smishing) remains as one of the primary issues plaguing the FSI sector. With SMS messaging on the rise, phishing attacks are becoming an increasingly serious concern for the FSI industry.
It is a global issue that could threaten the FSI industry’s long-term consumer trust. Should organisations not work together to curb the frequency of these phishing attacks, there is the risk of devaluing text messaging as a trusted communication service for authentication.
To further look into the threat on the FSI industry, iTNews Asia spoke to Siddharth Deshpande, Director of Security Strategy, Akamai Technologies to find out more about the evolving attacks, and what can be done to mitigate their impact.
iTNews Asia: How rampant are credential stuffing attacks in Asia, and what can be done to safeguard FSI organisations from these attacks?
Cyber criminals use readily available automation tools, botnets, and compromised account credentials to mount increasingly sophisticated and stealthy attacks. Many businesses are using multi-factor authentication (MFA) to toughen access security and fight credential theft.
Cyber security teams in every FSI organisation need to constantly consider policies, procedures, workflows, and organisations needs – all while fighting off attackers that are often well organised and well-funded. Additionally, FSI organisations need to constantly innovate and improve by adopting fluid security postures, forcing criminals to change their tactics.
Organisations need to take a fresh look at their authentication workflows and implement a multilayered security architecture that includes a robust bot management platform.
iTNews Asia: How dangerous are credential stuffing attacks for FSI organisations in the APJ region? Why should they be concerned?
Credential stuffing attacks can damage FSI organisations’ reputation and result in regulatory fines, legal payouts, and customer exits. They can also hamper the performance of their websites and online applications by overwhelming their infrastructure with bogus bot traffic.
To make matters worse, attackers are always sharpening their techniques -- distributing login attempts across thousands of bots, using proxy servers, spreading out login attempts over time to evade detection.
- Siddharth Deshpande, Director of Security Strategy, Akamai Technologies
These attacks, in turn, fuelled the credential stuffing boom, as newly collected credentials, freshly sorted data breaches, and old collections were combined, tested, traded, and sold on various markets on the web.
The new goal of attackers now is to hijack a financial institution’s digital infrastructure and to leverage that infrastructure against a bank’s users.
Hence, it is important for FSI organisations to raise security awareness, not only for their employees but continue to invest and develop a multifaceted defense strategy for their organisation to mitigate such threats.
iTNews Asia: As Smishing attacks become more sophisticated, will multi-factor authentication still be able to ensure user security? How have cyber criminals been able to bypass this authentication step? What advice can Akamai give?
Multi-factor authentication (MFA) solutions can surely help prevent unauthorised access to financial services applications and data leak of valid login credentials. MFA is certainly useful but it does not always prevent credential stuffing attacks. In some cases, MFA can prove to help attackers in executing their strike.
With the advent of digital transformation, the criminals too have evolved and become more sophisticated. This change includes elements that target 2FA and MFA protections, where victims are tricked into filling out their OTP or revealing it to the threat actor during a conversation.
With MFA implementations, users first enter a user ID and password combination, and subsequently are prompted to enter another evidence like a code sent via email or SMS. A cybercriminal can exploit MFA to verify a user ID/password combination (most MFA solutions validate the user ID/password combination before generating the challenge code).
With the user ID/password confirmed, the culprit can target the victim directly via a spear-phishing attack, sell the validated credentials on the dark web, or attempt some other malicious act.
We would certainly recommend FSI’s and businesses to introduce a multilayered, defense-in-depth security approach - combining MFA with other safeguards. For example:
- First level of defense: Multi Factor Authentication
It is important for FSI businesses to apply multi-factor authentication – the strongest standards-based verification method available – via a smartphone app. If SMS is the only option available, organisations should still enable and use it, because defenses like these make it harder for criminals to passively scan and compromise accounts.
- Bot Management Solutions for multi-layered protection
For ultimate protection against credential stuffing, a network-based bot management solution is a necessary part of a multilayered security implementation. Bad actors rely on distributed botnets to carry out complex credential stuffing attacks. Bot management solutions detect and control illegitimate bot traffic at the network edge.