What plan sponsors need to know about the credential stuffing attack — and how it can be prevented

Cybersecurity threats continue to be on the rise — and plan sponsors and participants may be at risk. One threat, called credential stuffing, is an attack on online user accounts. Cybercriminals rely on automated scripts to repeatedly enter illegally obtained usernames and passwords into customer-facing financial applications. Once they break into an account, they attempt to steal funds and data, and they may also gain access to the company’s broader network.

The Security and Exchange Commission issued an alert in September 2020, noting that it’s witnessed a growing number of credential stuffing attacks on financial service firms. The trend poses a threat to retirement plan participants, especially if they use the same username and password across multiple financial accounts. Fortunately, there are steps that plan sponsors can take to reduce the risk and protect employees from getting stuffed.

The data breach afterparty

Stories of large-scale data breaches have sadly become commonplace. Mega-breaches result in the theft of personal data from millions — or even hundreds of millions — of consumers. They cost corporations significant amounts of money, damage reputations, and most importantly, put consumers at risk of fraud and identity threat. However, for cybercriminals, those breaches are just the beginning.

After stealing personally identifiable information, bad actors then place collections of the records for sale — or sometimes for free — on the dark web. This is where credential stuffing begins. Cybercriminals gain access to these collections, which can include billions of username and password combinations. Once they have these in hand, the cybercriminals write automated scripts that allow them to test the combinations on real accounts. Because so many people use similar usernames and passwords across accounts, they're hoping to strike gold — or at least access someone else's registered profile.

What’s more, these nefarious individuals also use proxy lists, which according to Wired, disperse the attempts from IP addresses around the web. That way, the activity doesn’t raise red flags for cybersecurity systems and specialists. The goal is to mimic organic logins and not raise any attention to themselves. After that point, it’s a numbers game — Wired reports that credential stuffers find matches between stolen credentials and real-life accounts between .1 and 2 percent of the time. So they try to access as many accounts as possible and then wait for a successful login.

Steps benefit providers and employers can take to prevent credential stuffing attacks

In an ideal world, plan participants — and really everyone — would use unique usernames and passwords for every financial account. But as it turns out, most of us like things that are easy to remember. In fact, 61% of consumers report that they use the same username and password across multiple accounts, and 44% change their password once a year or less.

Fortunately, there are several steps benefits providers can take to proactively protect your plan and participant data from credential stuffing and other types of cyberattacks. Here are a few of the key protocols we’ve enacted at Voya to ensure your plan and participant data is protected.

Benefits providers can employ multi-factor authentication (MFA)

With this strategy, we require multiple methods of verification from users who want to access their accounts from an unregistered device. More factors generally lead to better authentication and higher security. Additional identification factors include security questions or biometric identifiers.

The SEC does note that while MFA “can prevent bad actors from successfully logging into a customer’s account or into a system to which a staff member has access, it cannot prevent bad actors from identifying which accounts are valid user accounts on a targeted website.” Essentially, the MFA may prevent access, but criminals may still attempt to attack a website in hopes of finding a vulnerability.

Benefit providers may implement one-time passcodes

In addition to MFA — or as part of it — benefit providers may require one-time passcodes. These are passcodes sent to a mobile device to confirm a user’s attempt to login. While they add another layer of protection as a security measure, they do rely on users having access to their mobile device and properly transferring phone numbers when they switch devices. There’s also the risk that someone could attempt to transfer a phone number to a device without the user’s knowledge.

Benefit providers should deploy CAPTCHA or RECAPTCHA tools

CAPTCHA refers to Completely Automated Public Turing tests to tell Computers and Humans Apart. Voya employs CAPTCHA to ensure that automated scripts and robots can’t log in to user accounts. The tool asks the user to perform an action that proves that they are human; usually, it entails typing in a nonsense word or series of numbers and letters or identifying specific kinds of pictures.

Benefits providers should proactively monitor and prevent suspicious activity

Efforts here include implementing specific controls that detect credential stuffing attacks and then stop the activity before it becomes a problem. Your benefits providers should monitor for high numbers of log-in attempts or high numbers of failed log-in attempts. Systems can then shut down access to an account and require a phone call or verification from the user before it is reactivated.

Web Application Firewalls (WAFs) can also help identify and prevent attacks. The SEC also recommends leveraging services to monitor the dark web for collections of usernames and passwords and ensuring your plan participants aren't included. Regular tests to determine vulnerabilities in any network are also smart.

Employers can educate employees on best practices

As noted, people gravitate toward easy-to-remember usernames and passwords. That said, a little education on the topic of good password hygiene can go a long way. Employers can provide information and resources to educate employees about the risk of credential stuffing and other cybercrime as well as offer guidance for how they can protect themselves. Understanding the importance of unique passwords, not reusing passwords across financial accounts, and using a strong password locker or manager can help employees reduce their risk.

Employers should understand the security protocol of providers

Cybercrime is here to stay. But that doesn’t mean the criminals need to win. As an employer, it’s important for you to understand the steps your benefits providers have in place to protect your sensitive plan data from credential stuffing attempts and other types of cybercrime. In doing so, you can best align your practices with your providers and help ensure your plan participants are the only ones that access their financial data and accounts.

 

---

Securing your plan data through cybersecurity and fraud prevention

At Voya, we are committed to safeguarding the confidentiality and integrity of your plan from the risk of credential stuffing and other cyber threats. As a part of this effort, we have established the Voya Safe Accounts for Everyone Guarantee (S.A.F.E.®) that offers an added level of security for employers and participants. In the event assets are taken from your participants workplace retirement plan account due to unauthorized activity and through no fault of their own, we will restore the value of the account — as long as a few steps are satisfied.

We take all issues of fraud and cyber security seriously, and we are laser-focused on doing our part to maintain your trust and confidence.

Reach out to your Voya Relationship Manager to learn more about the steps we’re taking to protect your plan and participants’ information.