
9 results found for "mfa"

  • The Security Paradox: How to Protect Users Without Ticking Them Off

    Excessive reliance on multi-factor authentication (MFA) often deters users from returning to a site. You complete the MFA to sign in, then navigate to view your billing statement and get presented with MFA again, even though you’re still on your provider's platform. Yet abandoning MFA isn’t the answer either. MFA is a powerful tool, as is having a strong password policy.

  • PowerSchool Data Leak: A Case Study in a Failing Grade for Credential Security

    Learn more about MFA. Learn more about credential monitoring. What would we do?

  • New White Paper from The Fraud Practice and myNetWatchman Discusses Balancing Protection Against ATO with Preserving the User Experience

    We provide an alternative perspective on the myth that 2FA makes user credentials secure so you don’t need to detect compromised creds. Traditional security measures are proving insufficient in terms of protecting consumer accounts from takeover and in reducing friction in consumer eCommerce. The Fraud Practice and myNetWatchman present this free white paper: There is no Silver Bullet: User Credentials are not Secured with 2FA Alone, which sheds light on the limitations of two-factor authentication (2FA) and emphasizes the necessity of adopting more risk-aware, user-friendly security solutions. Two-factor authentication is a useful tool, but it does nothing to protect the first factor of authentication: the password. This gives credential stuffing attacks a measure of success even when 2FA prevents account takeover (ATO), because the login response confirms to the attacker that the credentials used are still valid. Further, consumers don’t want 2FA on all “interactions”, and outside the workplace and online or mobile banking 2FA is used sparingly by consumers, so it doesn’t make sense for most organizations. Stronger protection and risk mitigation at the first factor are needed, and it’s an area where most organizations stand to improve. In this free white paper, misconceptions and challenges around 2FA are discussed along with alternative ATO detection and mitigation strategies that put more emphasis on protecting the first factor of authentication. One of the areas discussed is leveraging services that detect compromised credentials and credential stuffing attacks, which can enhance security while maintaining a seamless user experience for the majority of users who present low risk. These insights help protect against unauthorized access and reduce the need for broad, user-unfriendly authentication steps that cause more friction and incur a nominal fee. By adopting more nuanced, passive security measures, organizations can better protect their users without compromising on user experience. This approach not only fortifies defenses against ATO attacks but also ensures a smoother, less intrusive login process for consumers. Download the free white paper today.

  • Anatomy of an FI Credential Stuffing Attack

    Many types of organizations rely on myNetWatchman to help protect against credential stuffing and account takeover attacks, but user account security is especially important for financial institutions (FIs). In this article, we’ll explore a recent credential stuffing attack against a financial institution, which myNetWatchman observed as part of our continuous, real-time monitoring. Bad actors tend to repeat their attacks and attack patterns against many FIs, and the intent of sharing this case study is to help others recognize and defend against similar patterns when they see a credential stuffing attack. The credential stuffing attack detailed here occurred between June and August 2024, targeting a large financial institution with many consumer accounts. Let’s discuss some of the details of this attack and why these techniques and patterns are so common. For readers less familiar with the basics of credential stuffing attacks, please read our previous Blog Post on Credential Stuffing.

    It’s a high-volume numbers game. Credential stuffing attacks systematically test credentials (email or username and password combinations) exposed via data breaches and phishing attacks to see where else the same credential pair may be used. Although a large percentage of failures is expected, the goal is to identify the credentials that successfully provide access to an account and then extract value from this more refined list. In this credential stuffing attack, myNetWatchman observed over eight million unique usernames attempted in a 6-week period.

    Attackers cater to their targets. The bad actors behind this attack took into account the fact that FIs, including the one being targeted, do not typically use email addresses as usernames. Nearly all of the more than eight million usernames attempted during this credential stuffing attack were non-email usernames.

    The cred stuffing success rate is lower for FIs compared to eCommerce retail. However, the damage or impact of account takeover is much greater for FIs than it is for eCommerce merchants. The success rate of this credential stuffing attack was 0.1 percent, or about eight thousand of the accounts tested. This FI supports two-factor authentication (2FA), but was not presenting it for all logins. We are uncertain how many successful login attempts from the cred stuffing attack were presented with, or stopped by, 2FA. However, even when 2FA stops the bad actors from gaining access to the account, they have confirmed that the credentials are valid. From that point they may use phishing, SIM swaps or other techniques to gain control of the email address or phone number used for authenticating with 2FA.

    You are rarely the first target of a credential stuffing attack. Where AllCreds provides myNetWatchman clients deep value is in knowing that credentials being attempted against them are not only compromised, but have been seen in other credential stuffing attacks. As is typically the case, a majority of the successful (able to advance to being presented 2FA) credential pairs attempted against this FI were seen previously. Nearly nine in ten, or 86 percent, of successful credentials used in the cred stuffing attack were previously observed by myNetWatchman.

    You often aren’t the first target in your industry either. More than one-quarter, 26 percent, of the valid credentials used in this credential stuffing attack were previously observed by myNetWatchman as being used against other FIs. We know that consumers have a tendency to reuse passwords. Thankfully, many realize that they should use a more secure password for access to online banking than they do for other online accounts. It may be that many consumers reuse the same password across multiple online banking logins and fraudsters are exploiting this fact by testing these compromised credential pairs across multiple FIs. Or it may be that the bad actors mine their compromised credential data set for non-email usernames and strong passwords, as these are more likely to be used for online banking. They don’t know which FIs the account holders bank with, so they target many with credential stuffing attacks.

    It’s not a matter of if, but when. FIs will see credential stuffing attacks because the ability to take over online banking accounts is valuable to fraudsters. 2FA may prevent account takeover, but a successful credential stuffing attack is still valuable to the attackers, who may later target that account holder with phishing or other schemes to try to beat or circumvent 2FA. FIs need to be aware when credential stuffing attacks are occurring and know which online banking consumer accounts are using compromised credentials. myNetWatchman offers unique visibility into credential stuffing attacks, specifically as it relates to FIs. It is extremely valuable to know not only that the presented credentials are compromised, but that they are actively being tested. It is even more valuable to know that these credentials are actively being tested against other FIs. myNetWatchman provides this visibility, which offers high-quality and meaningful risk signals, all built on our continuously growing data repository containing over 30 billion exposed credential pairs, protecting over 550 million users for our clients.

  • Anatomy of Email Compromise

    At myNetWatchman, we see millions of email account compromises each year. Email account takeover is a dangerous starting point for further attacks, such as takeover of other accounts that use that email address as contact information, highly targeted phishing campaigns, or access to sensitive information to use later for ransom or exploitation. One of the aspects that makes email account takeover especially troublesome is that fraudsters can delete incoming emails, such as those confirming purchases or password changes, as they access other accounts associated with the compromised email. In short, an email account is the key to a consumer’s digital castle. Organizations unable to see signs that a user account’s email address may be compromised are missing out on an extremely valuable high-risk signal. Businesses that use the email address as a point of contact, and especially businesses that use the email address as a method for completing 2FA, need to be aware when a user’s email address has been taken over. This renders 2FA relying on the email address insecure and is also a strong risk signal to consider when a user account attempts to change its password or other account details.

    Through our proprietary real-time data observations and analytics, myNetWatchman investigated the case of a Yahoo.com email account that was compromised and accessed by bad actors nearly every day over a 3-month period. During that time, over 4,000 email messages were retrieved from the inbox while the bad actor(s) performed inbox searches of 1,800 keywords. These keyword searches were telling in terms of what the bad actor was attempting to accomplish. They included searches on keywords such as:

      • Bitcoin, Ethereum and other cryptocurrencies: These searches could unveil what trading platforms or services the email account holder uses to hold digital assets. This could lead to highly targeted phishing campaigns mimicking the platform the consumer utilizes. These same crypto trading platforms could also be targeted with credential stuffing or ATO attacks, in hopes that this compromised email address is a method used for completing two-factor authentication (2FA).
      • PayPal and common bank names: Knowing which financial institutions and financial services companies a consumer uses enables the bad actor to craft highly targeted phishing attempts. If the bad actor sees emails with one-time passcodes for completing 2FA, the services sending these codes will also be targeted with ATO.
      • Gift cards and virtual gift cards: Virtual gift card numbers are often provided in plain-text emails. Fraudsters can easily check the balances on these gift cards and spend them before the consumer does.
      • Shipment tracking: Shipment hijacking is a common scheme where fraudsters attempt to reroute or change the delivery address on a shipment. High-value or easily resold consumer products are prime targets.
      • Loyalty programs and rewards points: Loyalty program fraud is a growing issue and something bad actors can pull off with relative ease once they take over a consumer’s account with a rewards point balance. They spend, transfer or claim the reward points balance, draining the customer’s account, resulting in frustration and brand damage.

    myNetWatchman’s Email Reputation service allows organizations to identify when a user’s email account has been, or is actively being, accessed by criminals. With Email Reputation an organization can get as much detail as it needs for its risk decision or investigation:

      • aggregated counts of how many different places we see bad actors testing or using the email
      • the names of the sites where it is being tested or used, whether it was successful, and the dates the email was first and last seen
      • what the bad actor was searching for in the compromised email account

    Knowing if an email is compromised is a valuable signal if an organization sees account changes attempted, especially changing the username, contact email or login password. If an organization relies on email-based 2FA, then this risk signal is vital. Utilizing this as a valuable high-risk signal further extends to purchase and transaction events, such as using a stored billing instrument to purchase and ship a product to a never-before-seen address. As email accounts serve as a consumer’s keys to their digital castle, understanding risk around email compromise is paramount for all organizations that leverage access to that email account as a means of verification.

  • Is your Identity Solution Balanced? Prevention or Remediation

    use of a compromised credential pair is detected and you choose to apply multifactor authentication (MFA

  • YOU HAVE BEEN BREACHED: Consumer Credential Stuffing

    As part of the settlement, 23andMe agreed to mandate Multi-Factor Authentication (MFA) going forward. However, MFA isn’t a perfect solution. While MFA does protect accounts against Account Takeover (ATO), the reality is that consumers will not … Passive protections are the only method available when consumers refuse the friction of MFA, but they … Reluctance to use MFA means more needs to be done to passively protect user accounts.

  • Another One Bites the Dust: 23andMe Bankruptcy a Stark Reminder of Credential Stuffing's Cost

    Interestingly, as part of the settlement, 23andMe agreed to mandate Multi-Factor Authentication (MFA) … While MFA is a valuable tool, relying solely on user adoption can be challenging.
