Fraudsters acquire large batches of stolen credentials through phishing attacks, data breaches or purchases on the dark web, intending to use them to take over consumer accounts. To check credentials for successful logins at scale, fraudsters create automated scripts that can run thousands of combinations in minutes.
Most organizations have bot mitigation controls in place to detect credential stuffing and other automated attacks. To circumvent these controls, fraudsters have started to abuse legitimate open banking platform providers to test batches of credentials, and have reverted to testing smaller, more frequent batches instead of testing at scale.
Credential stuffing in numbers
Percentage of people who reuse the same password across multiple websites and applications
Percentage of new deposit account applications opened by bots
Estimated number of stolen credentials for sale on the dark web
Gartner®: How to Mitigate Account Takeover Risks
Account takeover attacks continue to plague digital environments despite existing authentication processes. Access the Gartner report and get recommendations on the capabilities required to build a comprehensive ATO prevention strategy that balances risk mitigation with cost and UX considerations.