Credential stuffing is a cyberattack in which login credentials stolen during data breaches are tried, often by bots, on other websites and online properties to gain unauthorized access. It typically involves email addresses and/or user names together with their corresponding passwords.
Credential stuffing is used by criminals for Account Takeover Fraud. If an individual has used the same email address and password on two websites and those pieces of data have been stolen from one property, then the criminal can use an automated process to very rapidly gain access to the second site. iProov’s The End of the Password report found that 13% of Americans use the same password for everything, while 59% reuse passwords sometimes – so it’s easy to see the damage that could be done.
Shockingly, the US consumer banking industry faces potential losses of nearly $50m per day due to credential stuffing.
iProov’s face biometric authentication prevents credential stuffing in two ways. Firstly, face biometrics can be used in multi-factor authentication (MFA) to verify that a user with a password is indeed who they claim to be. Alternatively, iProov’s Genuine Presence Assurance can be used as primary authentication, because a criminal can’t steal a physical face.