- myNetWatchman Announces New CEO
Proven Fraud and Security Executive David Montague to Succeed Lawrence Baldwin as CEO.

myNetWatchman today announced the appointment of David Montague as myNetWatchman’s CEO, effective as of May 1, 2024. Mr. Montague will succeed Lawrence Baldwin, who has served as the Company’s CEO since its formation in 2001. Mr. Baldwin founded the company and will remain with it as Chief Innovation Officer, working closely with Mr. Montague to ensure a smooth transition.

Mr. Montague is a risk and security executive and GM with highly specialized skills in eCommerce, fintech, payments, fraud, risk and security. He has held executive positions at leading technology companies such as Amazon, Expedia and IBM, and at consulting firms such as The Fraud Practice Inc. A true technology leader, David blends business acumen, empathy and technical expertise to solve the toughest challenges facing enterprises today, from growth in the age of heavy and steady cybercrime and explosive enterprise application deployments through to accelerated digital transformation.

“David Montague is an executive that brings a wealth of knowledge on the fraud and security industry and he has a track record for helping emerging fraud companies to become growth companies,” said Lawrence Baldwin, Founder, myNetWatchman.

“I am truly honored to have the opportunity to lead myNetWatchman as we build on the foundations established by Lawrence, Jen, Rob, the leadership team, and our workforce. I see tremendous opportunity for myNetWatchman as companies are starving for more effective and customer friendly approaches to confirm identity (email, credit card, username & password) and user credentials aren't compromised. I believe this need will only grow as bad actors make more use of ATO and synthetic identities in their attacks. I will work to grow the company by introducing products that make use of the company's unique ability to see into live bad actor traffic to become the market's leader in being able to say if these key identity attributes are compromised or synthetic.” David Montague, CEO, myNetWatchman

Mr. Baldwin continued, “On behalf of the company, I would like to welcome David, and I look forward to working with him.”

About myNetWatchman
Georgia-based myNetWatchman has been providing cyber fraud intelligence data for more than 20 years to retailers, financial services, insurance, and other industries. With over 10 years of live data surveillance, the company manages a continuously growing data repository containing over 30 billion exposed credential pairs and protects over 550 million users for their clients.
- Anatomy of Email Compromise
At myNetWatchman, we see millions of email account compromises each year. Email account takeover is a dangerous starting point for further attacks: takeover of other accounts that use that email address as contact information, highly targeted phishing campaigns, or access to sensitive information to use later for ransom or exploitation. One aspect that makes email account takeover especially troublesome is that fraudsters can delete incoming emails, such as those confirming purchases or password changes, as they access other accounts associated with the compromised email. In short, an email account is the key to a consumer’s digital castle.

Organizations unable to see signs that a user account’s email address may be compromised are missing out on an extremely valuable high-risk signal. Businesses that use the email address as a point of contact, and especially businesses that use the email address as a method for completing 2FA, need to be aware when a user’s email address has been taken over. A compromised mailbox renders 2FA that relies on the email address insecure, and it is also a strong risk signal to consider when a user account attempts to change its password or other account details.

Through our proprietary real-time data observations and analytics, myNetWatchman investigated the case of a Yahoo.com email account that was compromised and accessed by bad actors nearly every day over a 3-month period. During that time, over 4,000 email messages were retrieved from the inbox while the bad actor(s) performed inbox searches on 1,800 keywords. These keyword searches were telling in terms of what the bad actor was attempting to accomplish. They included searches on keywords such as:

  - Bitcoin, Ethereum and other cryptocurrencies – These searches could unveil what trading platforms or services the email account holder uses to hold digital assets. This could lead to highly targeted phishing campaigns mimicking the platform the consumer utilizes. These same crypto trading platforms could also be targeted with credential stuffing or ATO attacks, in hopes that this compromised email address is a method used for completing two-factor authentication (2FA).
  - PayPal and common bank names – Knowing what financial institutions and financial services companies a consumer uses enables the bad actor to craft highly targeted phishing attempts. If the bad actor sees emails with one-time passcodes for completing 2FA, the services sending these codes will also be targeted with ATO.
  - Gift cards and virtual gift cards – Virtual gift card numbers are often provided in plain-text emails. Fraudsters can easily check the balances on these gift cards and spend them before the consumer does.
  - Shipment tracking – Shipment hijacking is a common scheme where fraudsters attempt to reroute or change the delivery address on a shipment. High-value or easily resold consumer products are prime targets.
  - Loyalty programs and rewards points – Loyalty program fraud is a growing issue and something bad actors can pull off with relative ease once they take over a consumer’s account with a rewards point balance. They spend, transfer or claim the reward points balance, draining the customer’s account, resulting in frustration and brand damage.

myNetWatchman’s Email Reputation service allows organizations to identify when a user’s email account has been, or is actively being, accessed by criminals. With Email Reputation an organization can get as much detail as it needs for its risk decision or investigation:

  - aggregated counts of how many different places we see bad actors testing or using the email
  - the names of the sites where it is being tested or used, whether it was successful, and the dates the email was first and last seen
  - what the bad actor was searching for in the compromised email account

Knowing whether an email is compromised is a valuable signal when an organization sees account changes attempted, especially changes to the username, contact email or login password. If an organization relies on email-based 2FA, this risk signal is vital. The same high-risk signal extends to purchase and transaction events, such as using a stored billing instrument to purchase and ship a product to a never-before-seen address. As email accounts serve as a consumer’s keys to their digital castle, understanding the risk around email compromise is paramount for every organization that relies on access to that email account as a means of verification.
- The Security Paradox: How to Protect Users Without Ticking Them Off
Login processes can make or break a user experience. Excessive reliance on multi-factor authentication (MFA) often deters users from returning to a site. You may have experienced the frustration when logging in to an account, your cable or streaming provider, for example: you complete the MFA to sign in, then navigate to view your billing statement and get presented with MFA again, even though you’re still on your provider's platform. Or if you’re a frequent online shopper, you may find yourself getting asked for MFA multiple times a week (or day!) and wondering if it is worth the hassle. You’re not alone: according to a 2021 PingIdentity survey, 56% of global consumers—and 61% of U.S. consumers—would stop using an online service if the login process became too frustrating. Worse, 65% of U.S. consumers would switch to a competitor offering easier authentication.

Businesses aren’t immune to these frustrations. Employers frequently prioritize account security over user experience, assuming that a few extra seconds of MFA are negligible. But when multiplied across daily logins for hundreds or thousands of employees, this “minor” inconvenience can result in significant productivity losses and increased support costs for help desks, with minimal impact on reducing security risk.

MFA Exhaustion

Step-up authentication methods like one-time passcodes (OTPs), mobile notifications, captchas, and security questions introduce friction that annoys users and damages their experience going forward. Delays in receiving codes, forgotten answers to security questions, or the need to fetch a mobile device can derail the login process entirely. And while hardware authentication tokens offer strong security, they’re impractical for many scenarios. Yet abandoning MFA isn’t the answer either. Relying solely on passwords exposes accounts to takeovers, leading to financial losses and reputational damage. We all know more isn’t always better. Sometimes better is just better.

Striking a balance between security and usability is essential. MFA is a powerful tool, as is having a strong password policy. But using MFA everywhere all the time or requiring frequent password changes just leads to annoyed users. (For an in-depth discussion of MFA, read our paper or watch our webinar “There is no Silver Bullet: User Credentials are not Secured with 2FA Alone.”)

The Solution: Focus on “risk-based” authentication controls

Organizations can no longer afford to see authentication as an all-or-nothing choice. Tools like AllCreds enable them to embrace risk-based authentication, protecting user accounts without alienating their users. By strategically applying friction only when necessary, businesses can enhance security, boost productivity, and create a login experience that works for everyone. In the battle of security versus user experience, the winner doesn’t have to be one or the other—it can be both.

AllCreds takes a smarter approach by introducing friction only when it’s necessary. Powered by a vast database of over 30 billion compromised credential pairs, AllCreds detects when a user’s login credentials have been compromised elsewhere. This signals an elevated risk and justifies additional security measures like one-time passwords, security questions or other MFA approaches—but only in those instances. Here’s how it works:

  - Behind-the-Scenes Protection: AllCreds operates invisibly, allowing most users to log in without interruption.
  - Real-Time Risk Detection: Each day, 15 million new compromised credentials are added to AllCreds’ repository, ensuring up-to-date protection.
  - Beyond Login Events: AllCreds can also flag compromised credentials during account creation or password changes, proactively mitigating risks.

Why It Matters

By tailoring authentication requirements to the risk level, AllCreds ensures that low-risk users enjoy a frictionless experience while high-risk scenarios are met with appropriate security measures. This balanced approach not only safeguards sensitive information but also improves user satisfaction and reduces churn.
- myNetWatchman Welcomes Sandra (Sondra) Feinberg as Head of Sales and Account Management
myNetWatchman is delighted to welcome Sandra Feinberg as the new Head of Sales & Account Management. Sandra (Sondra) is an innovative payments and fraud prevention executive with over 20 years of experience driving sales and customer success initiatives within the financial risk and payments technology industry. Having honed her expertise at renowned companies such as Microsoft, Forter, and ACI Worldwide, Sandra brings a wealth of knowledge in enterprise deals and partner program creation.

“I am excited to have Sondra join our executive team; her strong industry experience combined with her grasp of key security and fraud best practices will make her a key asset in meeting our strategic growth plans,” said David Montague, CEO, myNetWatchman.

Known for her competitive spirit and creative thinking, Sandra is a thought leader and is highly respected in the fraud protection industry. Outside of her professional achievements, she enjoys reading, boating, and spending time with her husband and their dog, Jasper, in sunny Florida.

“I am excited to join myNetWatchman as Head of Sales & Account Management. As an experienced fraud fighter, I strongly believe myNetWatchman has a unique place in the market. What really drew me to the company is their ability to detect compromised customer credentials before a breach even happens. As I come from the world of pre-Auth risk for payment transactions, I think having the ability to know that an Identity has been compromised in real-time is a game changer.” Sandra Feinberg, Head of Sales & Account Management, myNetWatchman.

About myNetWatchman
Georgia-based myNetWatchman has been providing cyber fraud intelligence data for more than 20 years to retailers, financial services, insurance, and other industries. With over 10 years of live data surveillance, the company manages a continuously growing data repository containing over 30 billion exposed credential pairs and protects over 550 million users for their clients.

To learn more about myNetWatchman, please contact Sandra Feinberg at sfeinberg@mynetwatchman.com or contactus@mynetwatchman.com.
- Is your Identity Solution Balanced? Prevention or Remediation
Deciding on your strategy for protecting your company from account takeover (ATO) begins with deciding whether to rely more on prevention or remediation. Prevention maximizes your opportunity to avoid loss, brand reputation risk and customer loss, but it also comes with a higher cost to implement and more friction for your customers or employees, who are really more focused on purchasing or productivity. Remediation can allow you to reduce your cost to implement along with the number of people who experience heavy security friction, but it comes with more risk of bad actors getting through and, more likely than not, some bad customer experience. Balancing both is a viable solution, based on your company’s product and client mix combined with your go-to-market strategy.

The case for remediation:
Focusing on remediation can mean that you’re limiting customer disruption to only those who are victims of ATO. If you have a very low likelihood of customers being targeted for ATO, a remediation-based strategy can save you the expense and effort of trying to prevent something that is unlikely to occur (low ATO frequency). Similarly, if you have very low potential loss or liability from an ATO, you can save the effort and cost of prevention (low ATO impact). Whether ATO risk is low because of low frequency or low impact, a focus on remediation not only saves on cost but also provides a better user experience, as users avoid the friction caused by most forms of prevention.

Drawbacks of a remediation-only approach:
ATO can be very difficult to detect until there is an obvious loss, e.g., a customer reports a purchase they didn’t initiate. If you can’t detect the ATO until there’s a loss, bad actors with access to your systems may be stealing information (e.g., private customer details) over an extended period of time in order to commit more serious fraud, like identity theft. Customer satisfaction and your business reputation are at higher risk; we all know that unhappy customers are more likely to speak publicly than happy customers. Every ATO event is a threat to brand reputation.

The case for prevention:
Focusing on prevention limits the number of successful ATO events, maintaining strong brand reputation and trust among customers. Preventing ATO limits your exposure, whether that is to direct loss like refunds or chargebacks, or indirect loss of proprietary information. By definition, prevention is proactive, putting you in control of when and where to apply the preventative measures.

Drawbacks of a prevention-only approach:
Focusing on prevention means more users will face friction, and these will often be legitimate users at legitimate login attempts. Some prevention measures can be very difficult to implement accurately; e.g., device recognition, IP address geolocation, and user behavior pattern recognition need sophisticated technology. For workplace accounts, more friction means reduced efficiency. For consumer accounts, more friction can lead to lower sales conversion or reduced use of the service.

Balancing your identity solution is the ultimate way to prevent bad actors from harming your business or your employees. Consider the risk of an ATO (likelihood and impact) versus the risks that come with prevention (cost and user friction). You need to weigh the factors and find the solutions that are right for your business. At myNetWatchman we have solutions for both prevention and remediation, enabling our clients to support whichever is the right mix for them.

For prevention, we offer AllCreds, our credential screening service leveraging our repository of over 30 billion compromised credential pairs. This screening occurs behind the scenes and presents no friction to users, unless the use of a compromised credential pair is detected and you choose to apply multifactor authentication (MFA) or other forms of friction. You strategically apply the friction that comes with stronger forms of prevention.

For remediation, we offer Web Monitoring and Email Reputation services. myNetWatchman’s Web Monitoring service monitors the web domains, email addresses, usernames, or credit card BINs (for card issuers) our clients request to have monitored, so we can detect when the organization is being targeted with credential stuffing attacks via web, APIs, a portal, login page or elsewhere. Earlier detection leads to earlier remediation and less time for the bad actor to cause financial and brand damage. Email Reputation tells you if bad actors have access to an email inbox, a common point of communication for executing password resets as part of the remediation and account recovery process. myNetWatchman’s Email Reputation service makes the remediation and recovery process more secure by alerting clients when they may be sending the new password or account recovery link right into the hands of a bad actor.
- Special Holiday Introductory offer from myNetWatchman
The holiday season is upon us and we know that along with the increase in shopping, celebrating, and well-wishing there is also, unfortunately, an increase in fraud this time of year. Retailers are especially hard hit as fraudsters try to “get lost in the crowd” and have their activities go unnoticed amid the volume of account logins, new account openings, shipping address changes, password resets, etc. that a retailer has to deal with. We know identifying account takeover can be tough, and getting it wrong this time of year can cost you a customer long term. We also know companies are relying heavily on email to “authenticate” their customers’ activity. As a matter of fact, for the past few years, we’ve seen about 30% more criminal activity in November through January versus the summer months (June through August).

myNetWatchman has a service to identify compromised emails and accounts, and to celebrate the upcoming launch of our Email Reputation portal in Q1 2025 we have a limited-time offer for companies to get a portal account to use for the 2024 holiday season. For $500.00 you can get a single user account from now through January 31, 2025. You'll get:

  - No commitment: you’ll be charged the low introductory cost just once. When the special ends on January 31, you can let us know if you want to upgrade to a subscription.
  - You are limited to one user, but you get unlimited use: check as many email addresses as you want, as many times as you want, until this special ends January 31.
  - Full scan of our repository of 30+ billion known breached credentials for every address you input.
  - Comprehensive summary of what we’ve seen criminals doing with the email address.
  - 90 days of history showing where a criminal tried the address, and whether or not they were successful.
  - For compromised emails we can even tell you what the bad actor searched for in the email.
- How Bad Actors Take Over Email Accounts
Email accounts are highly valued and sought-after targets for bad actors, and myNetWatchman data shows it. Over the past 30 days, live data monitoring shows a daily average of 7.5 million illegitimate login attempts to access an email account, targeting an average of 2.5 million unique mailboxes each day. Access to an email account is valuable to fraudsters as it is a launching point for a multitude of other attacks. In Anatomy of Email Compromise we talked about what we see bad actors do once they’ve gained access to an email account. Today we are discussing the methods we observe bad actors using to gain and maintain email account access.

Email accounts are particularly vulnerable when considering the confluence of these two factors:

  - Consumers often reuse not only passwords, but credential pairs (a password and username/email used in combination).
  - Billions of credential pairs have been compromised in data breaches.

This makes it quite easy for bad actors to simply attempt accessing email accounts by using the email and password combination compromised in any data breach.

Techniques bad actors use to gain access to an email account

Credential Stuffing involves attempting credential pairs compromised in one or multiple data breaches against login pages of organizations unaffiliated with the data breach where the credential pair was compromised. Often, credential stuffing attacks target a large list of organizations where a consumer may have created a user account with the same credential pair. This is a high-volume attack, typically executed by bots, with a low percentage rate of success. However, even a success rate of less than one percent on millions of attempts is fruitful. Credential stuffing attacks against email accounts take a more targeted approach. Many organizations have users create accounts and log in with an email address rather than a username, so when a credential pair compromised anywhere includes an email address, that tells bad actors exactly where to attempt Account Takeover (ATO) against the email inbox – they just look at the email domain. When a bad actor knows a username that is not an email, they will often attempt the username as the email address root. For example, the username Bob123 would lead to ATO attempts against Bob123@gmail.com, Bob123@outlook.com, and so on.

Phishing is a form of social engineering using manipulation and deception to get the victim to do what the attacker wants, whether that is clicking a link, downloading a malicious file or giving away information. Phishing generally refers to these social engineering attempts via email, while variations like SMiShing (SMS text message-based) and Vishing (voice-based phishing, via phone calls or voicemails) employ the same tactics via different delivery methods. These typically attempt to create a sense of urgency, such as saying a transaction was made or an account is being shut down. They can be very convincing and mimic real brands or organizations the victim patronizes. If the victim clicks a link or downloads a file, it may be spyware that captures credentials they enter on their device. A link may instead go to what looks like a real login page, but in reality the victim is providing their login details directly to the bad actors.

Spear Phishing is an advanced form of phishing where the attacker targets a specific individual within an organization. The attacker will research the target via public information, social media and more. Targeted phishing emails will purport to be from someone the target knows, and the content of the email will be plausible. They may go as far as to simultaneously coordinate a SIM swap attack (ATO of the target’s phone number) to receive authentication codes and get around two-factor authentication.

Maintaining access to an email account

Because a victim’s mailbox is so valuable and useful to a bad actor, they will spend the (relatively low) effort to keep access to the mailbox. Mainly this entails deleting anything that comes into the inbox intended to tip the true accountholder off that their email may have been accessed by someone else. This includes email notifications of a login attempt or successful login from a new device, location or IP address. The bad actor can easily delete this from not only the Inbox, but the Trash folder as well. myNetWatchman data shows that these techniques work to maintain access to the account. To test this, myNetWatchman took a random sample of 100,000 email accounts known to be recently accessed by bad actors, and could see that 30 percent of them had been compromised for more than 2 years.

Email Reputation can tell organizations if an email address is being targeted by credential stuffers, and to what extent. This information helps organizations better understand risk, and act accordingly, at the login and account creation events. Email Reputation not only tells whether a given email address is being targeted by bad actors, but also:

  - How many different passwords have been attempted in tandem with this email
  - Against how many different sites this email has been attempted
  - How many credential stuffing attacks against this email have been successful (provided the correct password)
  - The timeframe of these attempts
  - If the email inbox was accessed by a bad actor, when and for how long or how recently
  - What the bad actor is searching for in the mailbox, shedding light on what they are likely to target next

There are many actions consumers can take to better protect themselves against email ATO, and it starts with using unique and secure passwords. If a consumer is using a shared password, they should assume that password has been compromised with one of the accounts that use it. The best way consumers can fight back against credential stuffing is to ensure that when any account they hold is associated with a data breach, that compromised password cannot be used against them elsewhere. It would be great if all consumers took the measures to protect their accounts themselves, but we won’t hold our breath. In the meantime, Email Reputation alerts organizations when user credentials are being targeted or at high risk.
- YOU HAVE BEEN BREACHED: Consumer Credential Stuffing
When a credential stuffer tests multitudes of usernames and passwords and even one is successful, you now have a customer who has suffered a data breach. Your organization, like most, probably has people working hard to make sure hackers don’t breach your internal systems. But do you have a similar level of protection against breaches of your customer accounts? Many organizations think credential stuffing is low risk, or figuratively throw up their hands, citing consumers’ poor password hygiene or third-party data breaches as a “there’s nothing we can do” defense. This mindset can cost you reputation, customer confidence, and, as we’ve seen recently, severe fines and legal costs.

The $30 million settlement related to a class action lawsuit against 23andMe should serve as a wake-up call to organizations that they can be found financially liable for neglecting to prevent credential stuffing attacks. Most coverage of the event sparking the class action suit refers to the 6.9 million 23andMe customers whose genetic testing and ancestry data was accessed. But this data breach began with credential stuffing attacks using credentials that had been compromised in various prior data breaches, credentials which consumers were reusing with their 23andMe accounts.

There are several key takeaways from this class action suit and settlement. First is the amount of the fine, $30 million, $25 million of which 23andMe believes will be covered by cyber insurance. It is hard to quantify the damages to consumers whose ancestry data was compromised. The defendants in the case argued that because traditionally sought-after data, like Social Security numbers, wasn’t implicated, the fine should be lower. Organizations need to consider the types of data and the sensitivity of the personally identifiable information (PII) they maintain for their user accounts, and the legal or liability risks associated with unauthorized access to that data.

Another key takeaway comes from the plaintiffs’ accusations that 23andMe should have done more to protect the accounts. As part of the settlement, 23andMe agreed to mandate Multi-Factor Authentication (MFA) going forward. This may set a precedent that organizations are responsible for protecting user accounts even when those users do not protect themselves, leaving their accounts vulnerable to credential stuffing and account takeover by reusing compromised passwords.

However, MFA isn’t a perfect solution. While MFA does protect accounts against Account Takeover (ATO), the reality is that consumers will not opt in to using it, and there will be significant churn or customer attrition if it is mandated. The bottom line is that consumers don’t want additional friction and neither do companies, because it means lower sales. Organizations need to consider more passive ways to protect against credential stuffing. Passive protections are the only method available when consumers refuse the friction of MFA, but they should also be used in addition to offering MFA, as a way to more strategically and selectively present it.

Bad actors know and exploit the fact that consumers tend to reuse passwords. That is why they systematically carry out credential stuffing attacks to identify where else a breached credential pair is used. myNetWatchman has unique data insights into credential stuffing attacks, as we see credential stuffing on a large scale and across some of the largest web properties. Every year we observe tens of thousands of companies and websites each experiencing thousands of credential stuffing attempts. In just the past 30 days there were over 3,000 companies that were targeted.

Companies need to have a way to detect and stop credential stuffing attacks, and to remediate accounts that are taken over. myNetWatchman offers services to detect that these attacks are occurring and also which accounts are at risk or compromised. Our services can screen a credential whenever it is presented and cross-check it against our repository of 30 billion compromised credential pairs to see if it is at risk. This is the passive protection organizations need to detect credential stuffing and avoid the costly headaches these attacks cause.

These costs go beyond potential settlement fees like the $30 million one 23andMe is facing; they also include operational costs, downtime and brand damage. A 2017 study from the Ponemon Institute estimated the annualized cost of credential stuffing attacks to be $6 million on average when just considering prevention, detection and remediation (excluding fraud losses). The average cost of fraud-related losses ranges from $500,000 to $54 million, depending on what percentage of accounts suffered a monetary loss as a direct result of the credential stuffing attack. Keep in mind that these numbers would be 29 percent higher if adjusted for cumulative inflation since 2017. Further, these estimates don’t include the harder-to-quantify losses such as brand damage and lost customer lifetime value.

myNetWatchman’s Web Monitoring service alerts clients to ongoing credential stuffing attacks so these attacks can be identified and stopped. User accounts implicated in the attack will be identified for remediation. Our AllCreds service focuses on prevention and remediation around credential stuffing, as clients leverage our repository of over 30 billion compromised credential pairs to know when compromised credentials are presented, whether at login, account creation or password change events. Our continuous live attack monitoring adds 15 million new compromised credential pairs each day.

Companies are beginning to learn the hard way that credential stuffing cannot be ignored. Reluctance to use MFA means more needs to be done to passively protect user accounts. While cases as notable as the class action suit and settlement with 23andMe result in losses larger than most will experience with credential stuffing attacks, it should serve as a stark reminder that these are troublesome and costly attacks, and that the precedent has been set that organizations need to do more to protect user accounts from credential stuffing.
- Beyond the Inbox: The Far-Reaching Impact of Email Compromise
The email address is the most commonly used data point for validating that someone trying to access a system is the true account holder. When we create user accounts online, the email address is always collected, and it often doubles as our username. If we need to reset a password, if a login attempt looks suspicious and the organization wants to notify us, or if a one-time passcode (OTP) is sent to validate that it is really us, this is done by email much, if not most, of the time. We put a great deal of trust in the email address, but how do we know that the mailbox behind it hasn't already been compromised?

Consumer email accounts are high-value targets for bad actors because access to an active mailbox is a launching point for so many other attacks. The inbox reveals the financial institutions, online merchants and other organizations the victim interacts with online. Once a bad actor has access, the attack often begins with curating a list of sites to target with credential stuffing: they search the inbox for order confirmations or any other email that shows a customer relationship. Knowing that people commonly reuse passwords, the miscreant then tries the same credential pair that opened the email account at many other sites and services. If a site uses a username rather than an email address at login, that username is often sitting in an old email in the inbox. If the victim of the email account takeover (ATO) used a unique password for the email account, the attacker's tactics shift from credential stuffing to the password reset flows of the victim's other accounts, which are primarily completed via links sent to the account email. It is also common for bad actors to change the contact email address on file so that the consumer has a harder time recovering the account.

As the bad actor makes these account changes, they cover their tracks by deleting the password reset and account change confirmation emails that arrive in the victim's inbox.

myNetWatchman's Email Reputation service shows which email accounts are compromised. It tells companies not only whether an email is compromised, but also how recently the bad actor was using the mailbox and what they were trying to gain. For example, in the last 30 days, bad actors using compromised mailboxes searched for:

- Buy Now Pay Later (BNPL) services such as Klarna and Affirm, because they can take over those accounts and make unauthorized purchases.
- Order confirmations, promotions and coupons, because they reveal who the victim does business with, giving the attacker further targets for fraud.
- "loyalty program," "rewards" and "points," because rewards and points can be transferred or redeemed.
- Crypto trading platforms and wallets, via terms like "blockchain," "bitcoin" and "onekey" (an open-source crypto wallet), because crypto wallets and platforms are very high-value ATO targets whose balances the attacker ultimately wants to drain.
- Website design and hosting services such as SquareSpace and Wix, because these are good targets for ransom: the bad actor takes control of a website, takes it down, and threatens to delete it forever unless a ransom is paid.
- Password managers such as LastPass and NordPass, because they are the miscreant's treasure chest of all the victim's accounts.

Clearly, a lot of damage can be done once a consumer's email account has been taken over. This is damaging to the victim, but it is also a major concern for any organization that uses the compromised email address as contact information. If an email address is actively compromised, it is no longer a valid channel for two-factor authentication (2FA) and cannot be trusted to complete password reset flows.

Further, organizations cannot rely on confirmation emails (an account was accessed, a password was changed, a purchase was made) and trust that the true account holder will see the notification. The bad actor who has taken over the mailbox is waiting for it and will swiftly remove it from the inbox. Knowing that an email account is actively compromised greatly changes the risk profile and renders useless some of the most common methods of confirming or authenticating logins and account changes. These are the insights myNetWatchman provides to clients through our Email Reputation service. Any organization that relies on the email address for 2FA, for password reset flows, or simply to notify and confirm that a purchase, login or account change was legitimate will benefit from knowing whether an email address is, or might be, compromised. Those who offer loyalty programs, maintain stored billing instruments, protect sensitive consumer information, allow purchases on credit or maintain any type of account balance that can be spent or transferred have an elevated ATO risk exposure and will be targeted. It is only a matter of time before ATO of an email account leads to ATO attempts against the many organizations with which that consumer does business or interacts online.
- New White Paper from The Fraud Practice and myNetWatchman Discusses Balancing Protection Against ATO with Preserving the User Experience
We offer an alternative perspective on the myth that 2FA makes user credentials secure, so there is no need to detect compromised credentials. Traditional security measures are proving insufficient both at protecting consumer accounts from takeover and at reducing friction in consumer eCommerce. The Fraud Practice and myNetWatchman present this free white paper, "There is no Silver Bullet: User Credentials are not Secured with 2FA Alone," which examines the limitations of two-factor authentication (2FA) and makes the case for more risk-aware, user-friendly security controls.

Two-factor authentication is a useful tool, but it does nothing to protect the first factor of authentication: the password. Even when 2FA blocks the account takeover (ATO), a credential stuffing attempt that reaches the second factor has still confirmed to the attacker that the credentials are valid, which is a partial success in itself. Further, consumers don't want 2FA on every interaction; outside the workplace and online or mobile banking, consumers use 2FA sparingly, so mandating it doesn't make sense for most organizations. Stronger protection and risk mitigation at the first factor are needed, and it is an area where most organizations stand to improve.

The white paper discusses misconceptions and challenges around 2FA along with alternative ATO detection and mitigation strategies that put more emphasis on protecting the first factor of authentication. One of the areas covered is leveraging services that detect compromised credentials and credential stuffing attacks, which can enhance security while maintaining a seamless experience for the majority of users who present low risk. These signals help protect against unauthorized access and reduce the need for broad, user-unfriendly authentication steps that add friction and incur a nominal fee. By adopting more nuanced, passive security measures, organizations can better protect their users without compromising the user experience. This approach not only fortifies defenses against ATO attacks but also ensures a smoother, less intrusive login process for consumers. Download the free white paper today.
- User Password Behavior can be Exploited by Criminals
End users are at the source of every login. Companies can, and do, create mechanisms to push people toward better credentials, such as requiring lengthy passwords or passwords with special characters or digits. But humans are comfortable with repetition and follow patterns that fraudsters can recreate when testing for valid credentials.

Consumers reuse passwords, and bad actors capitalize on that

It is well known that consumers reuse passwords. Our analysis of criminal behavior shows that attackers know it too. For example, in the credential stuffing attack against Company M, nearly 10% of the passwords that succeeded were also used successfully by miscreants at other sites (get the full case study document here). Consumers are also reluctant to change passwords: less than half of Americans would update a password after learning it was compromised in a data breach. You can read our in-depth report on credential and password reuse here.

Consumers change passwords in predictable ways

If a password policy requires it, consumers may take the time to create a strong password with numbers and special characters peppered throughout the string. Or they may simply append a digit or a character like "!" to the end of their "default" password. More complicated passwords are harder to remember, so consumers may settle on one strong password that meets nearly every password policy and reuse it across several different logins.

Attackers mimic common user password changes to test password variants

This behavior shows up all across myNetWatchman data and our live monitoring of credential stuffing activity, and we see it applied to both passwords and usernames. When a cred stuffer holds a username and password pair compromised in a data breach and sees that the password is weak (e.g. alpha characters only), they will absolutely try variations of that password in their credential stuffing attacks. Bad actors performing credential stuffing are often sophisticated. They use bots or scripts to automate their attacks, including tumbling and swapping techniques, which make slight variations to a username and/or password. A seasoned attacker researches the password policies of the organizations they are targeting, then plans and attempts variations of the compromised password: capital letters (often the first character), numeric characters and special characters (often added at the end).

Here are just a few examples of what myNetWatchman sees when miscreants test passwords; note the slight variations. It is unknown whether these variants came from breach sets or were created by the bad actor. However, for each of these usernames, at least one of the password variations (in some cases more than one) succeeded, giving the bad actor access to the user's account.

Password variations for Username 1: Tit@s1127, Tit@s1128, Titas1126, titas1126, titas1127, Titas1127, Titas11278, Titas1128, titas1128
Password variations for Username 2: Carol2002, carol2002, carol2002!, carol2002?, Carol2002@, carol2002$, Carol2002$, Carol20021, Carol2002123
Password variations for Username 3: MIlc_aeroger1, MILcaeroger-912, MILcaeroger1, MIlcaeroger1, milcaeroger1, Milcaeroger1, MILcaeroger1!, MILcaeroger123, Milcaeroger123, MILcaeroger345, MILcaeroger912!
Password variations for Username 4: Patyn3ta, patyn3ta, Patyn3ta*, patyneta, Patyneta*17, Patyneta*1703, patyneta123, Patyneta123, Patyneta2511, patyneta2511

myNetWatchman has been observing criminal behavior for more than 20 years. We see bad actors testing password variations: incrementing numbers, changing case, adding special characters. And the miscreants are having success with these passwords because they aren't random; they are variations built from the known habits of people creating and changing passwords. AllCreds is myNetWatchman's credential screening service that lets you check any credential, any time, to see if it has ever been used or tested by a criminal. Our proprietary data repository holds over 30 billion compromised credential pairs and grows by 15 million new credential pairs daily.
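To make the tumbling described above concrete, here is an added Python example written for this edit; it is not myNetWatchman code and does not describe how AllCreds works. It shows the attacker's side, generating the cheap case, suffix and increment variants of one breached password, and a defender's side that collapses a presented password to a canonical root so that a tumbled variant of a known-compromised password is caught rather than only an exact match. The suffix list, the leet-substitution map, the minimum root length and the canonical-root rule are all assumptions chosen to cover the variant families listed above.

```python
"""Password tumbling, seen from both sides.

Added example, not myNetWatchman code. The suffix list, leet map and
canonical-root rule are assumptions chosen to cover the variants listed in
the text: case flips, bolted-on digits or symbols, incremented trailing
numbers and 3-for-e style substitutions.
"""
import re

# --- attacker side: the variants a cred stuffer tries for one breached password
SUFFIXES = ("!", "?", "@", "$", "1", "123")


def tumble(base: str) -> set[str]:
    """Case variants, appended suffixes, and a +/-1 step on a trailing number."""
    forms = {base, base.lower(), base.upper(), base[:1].upper() + base[1:].lower()}
    variants = set()
    for form in forms:
        variants.add(form)
        variants.update(form + s for s in SUFFIXES)
        m = re.search(r"(\d+)$", form)
        if m:
            n, width = int(m.group(1)), len(m.group(1))
            for step in (-1, 1):
                if n + step >= 0:
                    variants.add(form[:m.start()] + str(n + step).zfill(width))
    return variants


# --- defender side: collapse a whole variant family to one root
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "0": "o", "1": "i",
                      "!": "i", "$": "s", "5": "s", "7": "t"})
MIN_ROOT_LEN = 4   # assumed: below this the root is too generic to compare on


def canonical_root(password: str) -> str:
    """Lowercase, strip the non-letter bolt-ons at either end, undo common leet."""
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", password.lower())
    return core.translate(LEET)


def matches_compromised_family(password: str, compromised: set[str]) -> bool:
    """True for an exact hit or for a tumbled variant of a compromised password.

    `compromised` holds plaintext here only for illustration; in practice the
    roots would be stored hashed and compared hashed.
    """
    if password in compromised:
        return True
    root = canonical_root(password)
    if len(root) < MIN_ROOT_LEN:
        return False                      # e.g. all-digit PINs: exact match only
    return root in {canonical_root(p) for p in compromised}


if __name__ == "__main__":
    # The four variant families listed above each collapse to a single root.
    for sample in ("Tit@s1127", "Carol2002$", "MILcaeroger-912", "Patyneta*1703"):
        print(f"{sample:>16} -> {canonical_root(sample)}")
    print(sorted(tumble("titas1126")))
```

The root rule deliberately only strips from the ends, so a variant that changes the interior (MIlc_aeroger1 versus MILcaeroger1 in the third family above) is not collapsed; widening the rule to drop interior punctuation would catch it at the cost of merging more unrelated passwords. A screen like this belongs at the same three points the text names for AllCreds: login, account creation and password change.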
- Anatomy of an FI Credential Stuffing Attack
Many types of organizations rely on myNetWatchman to help protect against credential stuffing and account takeover, but user account security is especially important for financial institutions (FIs). In this article we examine a recent credential stuffing attack against a financial institution that myNetWatchman observed as part of our continuous, real-time monitoring. Bad actors tend to repeat their attacks and attack patterns against many FIs, and the intent of sharing this case study is to help others recognize and defend against similar patterns when they see a credential stuffing attack. The attack detailed here occurred between June and August 2024 and targeted a large financial institution with many consumer accounts. Let's walk through the details and why these techniques and patterns are so common. For readers less familiar with the basics of credential stuffing, please read our previous Blog Post on Credential Stuffing.

It's a high-volume numbers game. Credential stuffing attacks systematically test credentials (email or username and password combinations) exposed through data breaches and phishing to see where else the same pair works. A large percentage of failures is expected; the goal is to identify the credentials that do grant access and then extract value from that refined list. In this attack, myNetWatchman observed over eight million unique usernames attempted in a six-week period.

Attackers cater to their targets. The bad actors behind this attack took into account that FIs, including this one, do not typically use email addresses as usernames. Nearly all of the more than eight million usernames attempted were non-email usernames.

The cred stuffing success rate is lower for FIs than for eCommerce retail, but the damage or impact of account takeover is much greater. The success rate of this attack was 0.1 percent, or about eight thousand of the accounts tested. This FI supports two-factor authentication (2FA) but was not presenting it on every login. We cannot tell how many of the successful logins from the attack were challenged or stopped by 2FA. However, even when 2FA stops the bad actor from getting into the account, the attacker has confirmed that the credentials are valid, and from that point may turn to phishing, SIM swaps or other techniques to gain control of the email address or phone number used for 2FA.

You are rarely the first target of a credential stuffing attack. Where AllCreds provides myNetWatchman clients deep value is in knowing that the credentials being attempted against them are not only compromised but have been seen in other credential stuffing attacks. As is typically the case, a majority of the successful credential pairs (those that got far enough to be presented 2FA) attempted against this FI had been seen before: 86 percent of them were previously observed by myNetWatchman.

You often aren't the first target in your industry either. More than one-quarter, 26 percent, of the valid credentials used in this attack had previously been observed by myNetWatchman in use against other FIs. We know that consumers tend to reuse passwords. Thankfully, many realize they should use a more secure password for online banking than for other online accounts. It may be that many consumers reuse the same password across multiple online banking logins and fraudsters exploit this by testing compromised pairs across multiple FIs. Or it may be that the bad actors mine their compromised credential data set for non-email usernames and strong passwords, as these are more likely to be used for online banking. They don't know which FIs the account holders bank with, so they target many with credential stuffing attacks.

It's not a matter of if, but when. FIs will see credential stuffing attacks because the ability to take over online banking accounts is valuable to fraudsters. 2FA may prevent the account takeover, but a successful credential stuffing attempt is still valuable to the attacker, who may later target that account holder with phishing or other schemes to beat or circumvent 2FA. FIs need to know when credential stuffing attacks are occurring and which online banking accounts are using compromised credentials. myNetWatchman offers unique visibility into credential stuffing attacks, specifically as it relates to FIs. It is extremely valuable to know not only that presented credentials are compromised, but that they are actively being tested, and more valuable still to know they are being tested against other FIs. myNetWatchman provides this visibility as high-quality, meaningful risk signals, all built on our continuously growing data repository of over 30 billion exposed credential pairs that protects over 550 million users for our clients.
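The patterns in this case study (a flood of distinct usernames, a success rate around 0.1 percent, almost exclusively non-email usernames, and successful pairs that had already been seen elsewhere) are the kind of thing a login service can score itself. Here is an added Python example, written for this edit and not myNetWatchman code, that analyzes one observation window of login attempts along those lines. The Attempt record, the thresholds, the fingerprint scheme and the constructed traffic are all assumptions; the KNOWN_COMPROMISED set stands in for whatever compromised-pair feed an organization consults.

```python
"""Flag a credential stuffing window and list the accounts it reached.

Added example, not myNetWatchman code. Thresholds, field names and the
constructed traffic are assumptions that mirror the FI case study: many
distinct non-email usernames, a success rate near 0.1 percent, and
successful pairs that a compromised-pair feed has already seen.
"""
import hashlib
import re
from dataclasses import dataclass
from typing import Iterable

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

# Assumed thresholds for one observation window (tune against your own baseline).
MIN_UNIQUE_USERNAMES = 500   # organic traffic rarely touches this many identities
MAX_SUCCESS_RATE = 0.05      # real customers succeed far more often than 5%
MIN_NONEMAIL_SHARE = 0.90    # the attacker's list was tailored to FI-style usernames


@dataclass(frozen=True)
class Attempt:
    username: str
    password: str        # available only inside the login handler; never logged
    success: bool
    source_ip: str


def pair_fingerprint(username: str, password: str) -> str:
    """Opaque fingerprint of a credential pair (assumed scheme), so a
    compromised-pair set can be consulted without storing plaintext."""
    return hashlib.sha256(f"{username.lower()}\x00{password}".encode()).hexdigest()


def analyze_window(attempts: Iterable[Attempt], known_compromised: set[str]) -> dict:
    """Summarize one window and decide whether it looks like credential stuffing."""
    attempts = list(attempts)
    result = {"total": len(attempts), "unique_usernames": 0, "success_rate": 0.0,
              "nonemail_share": 0.0, "previously_seen_share": 0.0,
              "is_stuffing": False, "at_risk_accounts": []}
    if not attempts:
        return result
    usernames = {a.username.lower() for a in attempts}
    successes = [a for a in attempts if a.success]
    seen_before = [a for a in successes
                   if pair_fingerprint(a.username, a.password) in known_compromised]
    result["unique_usernames"] = len(usernames)
    result["success_rate"] = len(successes) / len(attempts)
    result["nonemail_share"] = sum(1 for u in usernames if not EMAIL_RE.match(u)) / len(usernames)
    result["previously_seen_share"] = len(seen_before) / len(successes) if successes else 0.0
    result["is_stuffing"] = (len(usernames) >= MIN_UNIQUE_USERNAMES
                             and result["success_rate"] <= MAX_SUCCESS_RATE
                             and result["nonemail_share"] >= MIN_NONEMAIL_SHARE)
    if result["is_stuffing"]:
        # Every account the attacker got past the password on needs remediation,
        # whether or not 2FA stopped them afterwards: the pair is now confirmed valid.
        result["at_risk_accounts"] = sorted(a.username for a in successes)
    return result


# --- constructed traffic (not real data) ----------------------------------

def constructed_stuffing_run(n: int = 2000) -> list[Attempt]:
    """n distinct non-email usernames from a rotating pool of IPs; 1 in 1000 succeeds."""
    return [Attempt(f"user{i:05d}", f"Passw0rd{i}", success=(i % 1000 == 7),
                    source_ip=f"198.51.100.{i % 200}") for i in range(n)]


def constructed_organic_traffic() -> list[Attempt]:
    """A few real customers logging in, with an occasional typo."""
    return [Attempt(f"customer{i % 8}", "CorrectHorse" if i % 10 else "typo",
                    success=bool(i % 10), source_ip="192.0.2.10") for i in range(40)]


# Stand-in for a compromised-pair feed: one of the two pairs that succeed in the
# constructed run was already seen in an earlier attack elsewhere.
KNOWN_COMPROMISED = {pair_fingerprint("user00007", "Passw0rd7")}

if __name__ == "__main__":
    for label, window in (("attack", constructed_stuffing_run()),
                          ("organic", constructed_organic_traffic())):
        print(label, analyze_window(window, KNOWN_COMPROMISED))
```

The three window metrics are what separate the constructed attack from the constructed organic traffic here: the attack touches 2,000 identities at a 0.1 percent success rate, while eight customers succeed 90 percent of the time. The previously-seen share is reported rather than used in the verdict, since a high value there is an enrichment signal (the pair is already circulating) rather than proof of stuffing on its own.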