The new wave of social engineering and credential stuffing attacks is more sophisticated and leverages social coaching and click farms to steal user data. BehavioSec Product Manager Anton Klippmark says companies can shore up their defenses against these fraud techniques by using behavioral biometrics.
If history teaches us anything, it’s that the potential impact of hacks is limited only by the creativity and capabilities of the criminals behind them. And criminals have proven over and over again that they are quite formidable in consistently meeting this challenge.
In fact, today’s hackers have emerged as the modern equivalent of the early 20th-century con men depicted in classic films like The Sting. Through social engineering exploits, for example, hackers pose as coworkers in authentic-looking emails that ask for login credentials, or bait employees into clicking links disguised as “urgent” invoices or interesting virtual conference recordings that instead lead the unwitting to a malware-hosting site.
Another social engineering curveball hackers employ is known as “social coaching.” In this technique, victims are manipulated into doing the damage themselves, rather than via a malicious link or bot. A bank customer, for instance, may get a phone call from a fraudster claiming to be a bank representative who uses stolen information, such as a US Social Security number or other personal data, to establish trust. The fraudster then directs the customer to confirm their sign-in information through a phony but realistic-looking push or SMS notice. By following the instructions, the customer unknowingly reveals their credentials, allowing the fraudster to gain full access and steal from the account. Similarly, the customer can be coached into “confirming their identity” by signing in to their account on their smartphone, only to actually authorize the fraudster’s access to the account – a common and fast-growing method in Europe used to bypass legally mandated Strong Customer Authentication (SCA) requirements.
Credential Stuffing & Phishing Are on the Rise
Ordinarily, a victim might brush off a call from their “bank” as suspicious in today’s age, where we do everything on screen and where, more often than not, consumers initiate the contact. Yet it is precisely the stress and distraction presented by broader social events like the COVID-19 pandemic that give needed cover and new life to hackers and their schemes.
Regardless of the specific technique employed, social engineering and phishing incidents are on the rise: 55% of global organizations experienced at least one successful phishing attack in 2019, with 40% indicating an increase since 2018. In reporting on the damage done, 53% claim lost data and 47% found credential or account compromises and/or a ransomware infection.
The fallout from successful phishing attacks and data breaches includes credential stuffing. Credential stuffing is when hackers buy and trade massive caches of stolen credentials, then feed them into automated tools to discover and hijack every vulnerable account that uses an unchanged or reused password. According to a July 2020 survey report, Akamai observed nearly 27 billion credential stuffing incidents in the first quarter of 2020, up 256% year-over-year from the first quarter of 2019.
To counter security teams’ efforts to block credential stuffing with “click on every picture with a traffic light” CAPTCHAs, ever-resourceful cybercriminals rely on “click farms,” where people are paid to solve hundreds of CAPTCHAs a day, getting criminals “inside the gates.” Once inside, they can compromise accounts, steal data and disrupt operations.
Crooks depend on these social engineering and credential stuffing tricks, and it’s clear that traditional protection tools such as passwords, personal challenges, and CAPTCHAs alone are inadequate. Today’s organizations require an additional layer of defense in the form of what we call behavioral biometrics. Behavioral biometrics validates users by tracking how they physically interact with devices. By collecting and analyzing data on how individuals hold a smartphone, type on a keyboard, move a mouse, use a touchscreen, and so on, security teams can build unique behavioral profiles that support an unambiguous level of authentication.
Block Credential Stuffing Attacks With Behavioral Biometrics
With behavioral biometrics, there are no additional passwords, CAPTCHAs or personal questions to answer. Instead of completing multiple steps, users aren’t asked to do anything. Authentication becomes an “invisible” process, enabling the seamless experience they seek. What’s more, malware can’t effectively impersonate the uniqueness of human activity – if a behavioral biometrics tool detects a threat “acting differently” than the legitimate user would, it can quickly identify the threat and flag it for security intervention.
Given its potential to safeguard companies while dramatically improving the user experience, the global behavioral biometrics market is expected to grow to $3.9 billion USD by 2025, up from just over $720 million in 2017, according to a forecast from Allied Market Research.
So, in real life, how does behavioral biometrics actually thwart emerging credential stuffing and social engineering attacks?
Let’s first consider social coaching and how it depends on gaining and exploiting trust. Using behavioral biometrics, security teams build in-depth profiles of how company employees, managers, and executives interact with their devices during their normal, day-to-day tasks. So even if victims are coached to “hack themselves,” behavioral biometrics tools will reveal changes in their behavior. For instance, they may hesitate between keystrokes because they are under stress or waiting for the hacker’s next instruction over the phone. When the telemetry shows unusual delays and input anomalies, the behavioral biometrics solution identifies the deviation from the profiled behavior and alerts security systems so they can respond automatically.
As for credential-stuffing cybercriminals using click farm workers to solve CAPTCHA puzzles, behavioral biometrics solutions can uncover the fraud by examining the entire transaction. Instead of sending suspected bot activity to CAPTCHA challenges, which harm the user experience with a tool criminals bypass via click farms anyway, behavioral biometrics acts as a continuous filter – separating credential stuffing bots from legitimate users by observing navigation and interactions. Because bots “type” and “move” mechanically and faster (or slower) than a human being, and are less likely to make typos or show other human imperfections, they are readily detected by behavioral biometrics tools. Ultimately, even a skilled human hacker can’t effectively mimic the stored behavioral biometrics profiles of legitimate users. And again, automated detection triggers alerts from the behavioral biometrics solution to the security system, where the activity can be investigated or blocked in real time.
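The two detections described above (hesitation from a coached victim, and the unnaturally regular, typo-free input of a credential stuffing bot) can be illustrated with keystroke timing alone. The following is an added, self-contained example, not BehavioSec's code or any product's model: it enrols a profile from constructed inter-key intervals, then scores three constructed live sessions. Thresholds (a quarter of the user's own coefficient of variation, a z-score of 3, a 2% correction rate) are illustrative assumptions.

```python
from statistics import mean, pstdev

# Constructed enrolment data: inter-key intervals (ms) from three ordinary
# sessions of one legitimate user, plus key and backspace counts.
ENROLMENT = [
    {"intervals": [140, 210, 95, 180, 260, 130, 170, 220, 110, 190], "keys": 11, "backspaces": 1},
    {"intervals": [160, 120, 240, 150, 200, 90, 175, 230, 140, 185], "keys": 11, "backspaces": 0},
    {"intervals": [130, 195, 250, 110, 165, 205, 145, 120, 230, 170], "keys": 11, "backspaces": 1},
]
# Constructed live sessions: the same user on a normal day, a credential
# stuffing bot replaying a password, and the user being coached over the phone.
LEGIT = {"intervals": [150, 205, 120, 240, 170, 95, 185, 225, 135, 200], "keys": 11, "backspaces": 1}
BOT = {"intervals": [20, 21, 20, 22] * 10, "keys": 41, "backspaces": 0}
COACHED = {"intervals": [150, 900, 180, 1200, 140, 2500, 160, 800, 200, 1500], "keys": 11, "backspaces": 1}

def build_profile(sessions):
    """Baseline: mean and std-dev of inter-key interval, plus the user's correction rate."""
    ivals = [dt for s in sessions for dt in s["intervals"]]
    return {"mu": mean(ivals), "sigma": pstdev(ivals),
            "typo_rate": mean(s["backspaces"] / s["keys"] for s in sessions)}

def score_session(profile, session):
    """Compare one session against the profile; return (verdict, reasons)."""
    ivals = session["intervals"]
    mu, sigma = mean(ivals), pstdev(ivals)
    reasons = []
    # Bots keep a near-constant rhythm; humans show spread relative to their own mean.
    if mu and sigma / mu < 0.25 * (profile["sigma"] / profile["mu"]):
        reasons.append("rhythm too regular for this user")
    # Speed relative to the user's own history: far slower means hesitation
    # (waiting for the caller's next instruction), far faster means a script.
    z = (mu - profile["mu"]) / profile["sigma"]
    if z > 3:
        reasons.append("long hesitations between keystrokes")
    elif z < -3:
        reasons.append("faster than this user has ever typed")
    # A user who normally corrects typos suddenly makes none over a long session.
    if profile["typo_rate"] > 0.02 and session["backspaces"] == 0 and session["keys"] >= 30:
        reasons.append("no corrections from a user who normally makes them")
    return ("flag", reasons) if reasons else ("allow", reasons)

def run_demo():
    """Score the three constructed sessions against the enrolled profile."""
    profile = build_profile(ENROLMENT)
    return {name: score_session(profile, s)
            for name, s in [("legit", LEGIT), ("bot", BOT), ("coached", COACHED)]}

if __name__ == "__main__":
    for name, (verdict, reasons) in run_demo().items():
        print(f"{name:8s} {verdict:6s} {', '.join(reasons)}")
```

In a real deployment the same comparison would run continuously on mouse, touch and navigation telemetry as well, and a "flag" verdict would feed the security system's step-up or block decision rather than end the analysis.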
Wrapping Up
Obviously, hackers are “practiced at the art of deception,” as the classic Rolling Stones lyric goes. Like the con men of the prior century, they take pride in coming up with new tricks to pull off big or high-volume heists at higher profit with lower resistance and risk. Only now, criminals use apps, phones, high-speed internet access, and computing power instead of masks, disguises and phony papers.
Luckily, today we also benefit from new technologies to counter their tricks. We can answer the con men’s exploitation of what we all have in common with what makes each of us distinct: our individual human characteristics and the way they shape our human-digital interactions. By building detailed, individual profiles of that engagement with behavioral biometrics tools, security teams can swiftly and reliably distinguish genuine users from impostors. For them and their organizations, the resulting highly fortified state of protection ensures that The Sting remains what it should be – popcorn entertainment.