Skip to main content


{Threat Advisory} Consumer Account Takeover: Credential Stuffing

{Threat Advisory} Consumer Account Takeover: Credential Stuffing

SBS CyberSecurity has been made aware of a credential stuffing attack affecting financial institutions. This attack targets consumer bank accounts and has resulted in financial losses. The frequency of these attacks has increased over the past couple of months, and the attack itself is difficult to detect, as it does not readily appear on SIEM, IDS, or IPS reports. 


Who Can Be Affected? 

The attack affects financial institutions that provide online banking self-enrollment to customers WITHOUT multi-factor authentication or out-of-band authentication and targets customers that have not self-enrolled into their online banking account. 


How Does This Attack Work? 

The attacker presumably obtains customer information such as first/last name, date of birth, and social security number through dark web sites or through other online account compromises. Once an attacker has a customer’s information, the following steps occur: 

  1. The attacker completes the customer’s self-enrollment process through the financial institution’s online banking platform, effectively attaching their new online banking account to the customer’s actual bank accounts fraudulently. 

  1. Once they log in, the attacker immediately changes the existing customer’s email and phone numbers to email accounts and phone numbers the attacker controls. 

  1. The attacker accesses checking accounts, savings accounts, HELOC accounts, and others through the created online banking account and transfers the money out through ACH. 

  1. In some cases, attackers have been able to copy signature lines from check images online and use them to forge other transfer documents.

The method of how the attackers are obtaining customer information is currently unknown. However, there is intelligent speculation that attackers have created automated tools or bots that are being deployed with large databases of potential customer information to perform these attacks automatically. This technique is known as “credential stuffing.” The information obtained is being used in mass scripting of self-enrollment forms as brute force attacks on all major core providers. Core providers involved in the attacks we have seen do not appear to be blocking known-bad IP addresses to prevent these brute force attacks. 


What Can You Do? 

The most effective method to prevent this activity is to configure multi-factor authentication or out-of-band authentication for all self-enrollment of online bank accounts.

In order to set MFA up correctly, you will need to have a phone number or email address tied to the customer bank account that cannot be changed in the self-enrollment process; otherwise, it isn't true MFA. Only after the actual customer has responded to the MFA request through their validated email or phone number (collected when they set up their bank account in person physically at the bank) should the customer be allowed to change any of the information such as email or phone number. If your bank doesn't collect a proper MFA channel at the time of account creation, that is a process issue and you will need to change your account creation process to accommodate. Without the process described here, you will always be susceptible to this attack - and they will be more frequent moving forward so if you need to change the process or add additional information to existing accounts, the time is now.

It is our experience that online banking providers are making this too easy for customers and banks and not warning the banks about the potential for abuse. Additionally, the online banking provider could use blacklisting for form spamming or implement a Captcha but we aren't seeing them implement these controls at this time.


Written by: Buzz Hillestad
SVP - Information Security Consultant - SBS CyberSecurity, LLC

Hacker Hour webinars are a series of free webinars hosted by SBS CyberSecurity. Unlike paid webinars, Hacker Hours are aimed to meet on a monthly basis to discuss cybersecurity issues and trends in an open format. Attendees are encouraged to join the conversation and get their questions answered. SBS will also offer products and services to help financial institutions with these specific issues.

Posted: Thursday, April 25, 2019
Categories: Blog