In September 2020 the FBI published a Private Industry Notification (PIN) warning of a sustained credential stuffing campaign against the US financial sector. The PIN highlights the use of credentials stolen in third-party data breaches as a key ingredient in the attacks, which predominantly target exposed Application Programming Interfaces (APIs) because these often do not support multifactor authentication.
Over 50,000 accounts are reported to have been compromised so far during the attacks, and the PIN lays out a number of recommended mitigations, including “validating customer credential pairs against databases of known leaked usernames/passwords”.
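One way to put that mitigation into code, as an added example that is not part of the PIN and not Arc's own implementation: a submitted username/password pair is compared, at login time, against a digest-only index of leaked credentials. The leaked corpus below is constructed for illustration; the SHA-256 pair digest, the SHA-1 k-anonymity prefix lookup (5 hex characters sent to the lookup service, the rest compared locally) and the three-way login policy (reset, step up, allow) are assumptions made here, not something the PIN specifies.

```python
"""Check a submitted credential pair against a corpus of leaked credentials.

Added example: not code from the FBI PIN or from Arc. The corpus below is
constructed for illustration; the hashing scheme, the 5-character
k-anonymity prefix and the login policy are assumptions made here.
"""
import hashlib

# Constructed sample of leaked username/password pairs, as they might be
# recovered from a third-party breach dump. Real corpora hold billions of rows.
LEAKED_PAIRS = [
    ("alice@example.com", "Summer2020!"),
    ("bob@example.com", "password123"),
    ("carol@example.com", "Summer2020!"),   # same password reused by another user
]

K_ANON_PREFIX_LEN = 5  # assumption: hash prefix length revealed to the lookup service


def normalize_username(username: str) -> str:
    """Case-fold and trim so 'Alice@Example.com ' matches the leaked form."""
    return username.strip().lower()


def pair_digest(username: str, password: str) -> str:
    """Digest of the (username, password) pair. The NUL separator stops
    'ab'+'c' and 'a'+'bc' from colliding. (Assumption: SHA-256 pair digests.)"""
    material = normalize_username(username).encode() + b"\x00" + password.encode()
    return hashlib.sha256(material).hexdigest()


def password_digest(password: str) -> str:
    """Per-password digest used for the k-anonymity range lookup."""
    return hashlib.sha1(password.encode()).hexdigest().upper()


def build_pair_index(pairs):
    """Store only digests of leaked pairs, never the plaintext."""
    return {pair_digest(u, p) for u, p in pairs}


def build_password_index(pairs):
    """prefix -> set of suffixes, i.e. the shape a range-query service serves."""
    index = {}
    for _, p in pairs:
        h = password_digest(p)
        index.setdefault(h[:K_ANON_PREFIX_LEN], set()).add(h[K_ANON_PREFIX_LEN:])
    return index


def range_query(password_index, prefix: str):
    """Server side: return every suffix sharing the prefix. The server learns
    only the prefix, so it cannot tell which password the client holds."""
    return sorted(password_index.get(prefix, set()))


def is_pair_leaked(pair_index, username: str, password: str) -> bool:
    """Exact (username, password) match: the account is directly replayable."""
    return pair_digest(username, password) in pair_index


def is_password_leaked(password_index, password: str) -> bool:
    """Password-only match via k-anonymity: prefix goes out, suffix stays local."""
    h = password_digest(password)
    prefix, suffix = h[:K_ANON_PREFIX_LEN], h[K_ANON_PREFIX_LEN:]
    return suffix in range_query(password_index, prefix)


def login_decision(pair_index, password_index, username: str, password: str) -> str:
    """Policy applied at authentication time (assumed policy, not the PIN's).

    'reset'   : this exact pair is in circulation; force a password change.
    'step_up' : the password is leaked under another identity; require a
                second factor before granting access.
    'allow'   : no match in either index.
    """
    if is_pair_leaked(pair_index, username, password):
        return "reset"
    if is_password_leaked(password_index, password):
        return "step_up"
    return "allow"


if __name__ == "__main__":
    pairs = build_pair_index(LEAKED_PAIRS)
    pwds = build_password_index(LEAKED_PAIRS)
    for u, p in [("Alice@Example.com", "Summer2020!"),
                 ("dave@example.com", "Summer2020!"),
                 ("dave@example.com", "correct horse battery staple")]:
        print(u, "->", login_decision(pairs, pwds, u, p))
```

The pair check is what the PIN's wording asks for; the separate password-only check is there because a reused password that leaked under someone else's username is still a stuffing risk even when the exact pair is not in the corpus. Keeping only digests in the index means the lookup service never holds the plaintext credentials it was built from.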
Jon Inns comments: “We welcome the information from the FBI Cyber Division to help shine a light on the growing threat of credential stuffing. As the report points out, there are now so many credentials being spilled by third-party applications that phishing is slowly becoming unnecessary for attackers. There’s little point in trying to get someone to leak credentials via a phishing campaign when there are already billions in circulation. Why not just use those?
The mitigation advice here is helpful, but implementing a system to locate, clean, dedupe and securely process leaked credentials is a huge undertaking, so we have released Arc to enable customers to get a system of real-time credential checking in place within a matter of hours.”
The full PIN is available here.