Security News

Brute Force, Credential Stuffing & DDoS Attacks on the Rise in Financial Services Sector

Brute force and credential stuffing attacks are the main cause of security incidents against financial services organizations over the past three years, with DDoS attacks in second place.

These are the findings of the F5 Security Incident Response Team (F5 SIRT), who looked at, among others, banks, credit unions, brokers, and insurance, as well as a range of organizations that serve them, including financial Software as a Service (SaaS) and payment processors, within the financial services sector.

From 2017-2019 brute force and credential stuffing attacks increased each year, averaging 41% of incidents, while DDoS averaged 32% during the same period. Other incidents that were recorded, such as web attacks (8%) and malware infections (5%), all declined.

The financial services industry is a popular target for cyber criminals, as it contains a lot of valuable information. However, it's highly regulated and organizations have compliance and regulatory pressures to safeguard systems. They are also heavily audited and, because of all these reasons, strong cybersecurity systems are in place.

As a means of circumventing these security systems, cyber criminals turn to simpler, if less efficient methods like brute force attacks (trying massive combinations of usernames and passwords until one works) and credential stuffing (using a victim's username and password across multiple services, on the assumption it's the same for some or all of them).

"Oftentimes these attacks begin with attempts against customers of the financial services organization," stated the F5 SIRT researchers, "(and) not the organization’s systems or employees."

Despite the increasing exposure of cyber crime and warning about proper online security in social and mainstream media, potential victims continue to make it easy for cyber criminals. Research shows that the passwords "123456" and "123456789" are used by nearly 30 million accounts globally, while musicians blink182, 50cent, eminem, metallica and slipknot account for a combined total of just over 920,000 passwords. And if your name is Ashley, Michael, Daniel, Jessica or Charlie, it might be time to change your password to something more secure.

. . .

If you want to stay notified of vulnerabilities that affect you, register for a weekly security report customised to your stack.

Receive alerts for vulnerabilities, zero-days, security news and more

Try our FREE 14-day trial. See an example email

Example email for SecAlerts