Accounting for the slight dip in 2019, password login attacks account for 32% of all reported SIRT incidents over the past three years. We also saw how they jumped in 2020, so we did a deeper dive into how these kinds of cyberattacks ramped up during the pandemic.

Credential Stuffing Attacks at Financial Services Organizations

Financial services organizations experienced the highest proportion of credential stuffing security incidents, at 46%. This aligns with FBI warnings that 41% of all financial sector attacks between 2017 and 2020 were due to credential stuffing. An attacker can pull off a lot of lucrative fraud once they get into someone’s bank account, such as check fraud, money transfers, bill payments, and even stealing credit card reward points. However, financial institutions have also gotten particularly good at defending their systems. So attackers are going after the weakest link: the customers. It’s hard for a financial services organization to know if a consumer is reusing their password somewhere else, especially somewhere with weaker security. What we’re seeing is attackers concentrating their efforts on seeking out the weakest link.

New York Puts Organizations on Notice About Credential Stuffing

Credential stuffing and brute force attacks exploit a security weakness of the user, or customer in this case, not necessarily a direct vulnerability in the organization. Therefore, what obligation do organizations have to protect their customers in this situation? If the customer reuses a password and that password is stolen at another site, is the place where the fraud was committed compelled to detect and block that fraud? The New York attorney general (NY-AG) says yes, they are. Specifically:

Credential stuffing has quickly become one of the most common forms of online attack. To comply with New York’s data security laws, businesses that maintain New Yorkers’ private information must take steps to address this growing threat.

With this statement came a $650,000 judgement against Dunkin′ Donuts for failing to protect consumers from credential stuffing fraud. Why a food service organization? The attackers weren’t after tasty fried dough but stored-value gift cards, which are fungible instruments easily sold on darknet markets. This made Dunkin′ Donuts look a lot more like a financial organization to attackers than a restaurant or retailer, and therefore attracted a more determined attacker. In this same judgement, the NY-AG put organizations on notice to “implement reasonable safeguards to address credential stuffing attacks” as well as “develop appropriate incident response procedures for credential stuffing attacks.”

Digging Deeper into DoS Attacks

DoS attacks mean critical systems are unavailable for hours, sometimes days on end. For any organization that depends on the Internet, which nowadays is pretty much all organizations, the cost of this rings up pretty quickly. Most DoS attacks are distributed denial-of-service (DDoS) attacks, leveraging large bot armies to flood the victim with bad traffic. Nearly a third (32%) of all F5 SIRT reported incidents annually are DoS attacks. However, the frequency is creeping up, as shown in Figure 7, with 36% of incidents reported in 2020.