In a credential stuffing attack, stolen user name and password combinations are used to attempt multiple logins at a different organization, usually with a botnet. With as many as 65% reusing the same password for multiple or all accounts, it is important for organizations to have layered protection against these attacks. The fraudster only needs a small percentage of "hits" across a list of millions or billions of credentials to make the attack worthwhile. 

There are several ways SAS Fraud Management software rules could be used to detect credential stuffing attacks. For example, customer profiles could be developed to detect anomalies in customer logon behavior, lists of compromised email addresses could be collected from public data dumps and put in a lookup list to heighten the risk of logons on any potentially compromised accounts, and the flexibility of the rule response can be used to layer in additional authentication steps.

This technical paper examines how SAS Fraud Manager software can track logon attempts from different user IDs occuring on a device in a short period of time. Instructions for software rule parameters and rule actions are provided. 

Read the technical paper now.