Top 10 North American Bank Eliminates Credential Stuffing

How The Bank is Benefiting from Shape

  • Eliminated malicious login traffic, ensuring site availability
  • Acquired fine-grained control over financial aggregators, i.e., Plaid, Mint and Yodlee
  • Protecting customer accounts from fraud

Download (PDF)

Credential Stuffing:

An attack in which bad actors test credentials that have been stolen from third parties en masse on a target login application. Because of password reuse, 0.5%-2% of a stolen credential list will typically be valid on a target site.


The Customer: Big 5 Canadian Bank

A Big 5 Canadian bank (“Bank”) that earns over $20 Billion in annual revenue had been suffering from automated attacks on its web and mobile login applications for months.*

Bad actors were performing credential stuffing attacks on all possible channels: both the Canadian and US websites, mobile apps, and even OFX API endpoints. Not only were the attacks leading to account takeover fraud losses, but the sheer volume of attacks also put significant strain on the Bank’s infrastructure. The bank was experiencing rolling outages on both their Canadian and US websites, which prevented customers from accessing their accounts. These service outages were unacceptable to the Bank’s leadership, so the security team was determined to find a solution.

The Challenge: CDN-Provided Tool Insufficient

To mitigate the automated attacks, the Bank first deployed a CDN-provided bot mitigation tool (“vendor”). While the vendor was effective in the short-term, the solution was unable to provide long-term efficacy. The vendor relied on a rule-based system to stop attacks, but the bad actors changed tactics and bypassed those rules within hours, forcing manual configuration of the tool.

The Bank’s incident response team was exhausted by the burden of monitoring attackers and configuring new rules 24/7. After months of playing cat-and-mouse with the attackers, the Bank decided to seek out a more sophisticated solution and approached Shape.

* "Big 5" refers to 5 largest banks in Canada and is equivalent to the "Big 4" in other countries.

"A group of employees are spending 100% of their time tuning our current vendor’s solution, trying to keep up with the attacks. We need someone to fight the attackers for us."

- Director of Cybersecurity

The Evaluation: Shape vs. Vendor

The security team decided to keep the vendor’s solution in place while evaluating Shape Enterprise Defense to compare the efficacy and quality of service of the two solutions side-by-side. For the evaluation, the Bank deployed Shape Enterprise Defense on its Canadian web and mobile login applications.

There are two stages to Shape deployment: observation mode and mitigation mode. In observation mode, Shape analyzes all incoming requests to the application in order to customize its defense and ensure the best possible outcome for the customer. Once Shape and the customer are confident that no legitimate human traffic will be impacted, Shape activates mitigation mode.

Observation Mode

In observation mode, Shape found that nearly 1 out of 10 login attempts were malicious. The Bank was immediately impressed with Shape’s detection capabilities and the level of insight provided by the Intelligence team during regular briefings.

Shape can not only distinguish between malicious and legitimate login traffic, but can also group requests into different attack groups (“campaigns”) for analysis. If an attack group tries to bypass Shape by retooling, e.g., updating software or leveraging new proxies, Shape still correctly identifies the attack groups based on hundreds of other signals.

During the first week of deployment, Shape identified four separate campaigns and tracked each of their credential stuffing activity.

This is one example of the type of data Shape provided the Bank regarding a specific credential stuffing campaign. Insights include the number of IP addresses and ASNs used in a campaign as well as the campaign’s success rate, which refers to the percentage of credentials that resulted in a successful login.

Urgency to Activate Mitigation Mode

After five weeks of observation mode, the Bank suddenly became victim to an enormous, unprecedented credential stuffing campaign - the traffic volume grew to a five-time increase from any other prior attack. The Bank was extremely worried because any additional increase in traffic volume would exceed its infrastructure capabilities, which would result in the entire Canadian website going down.

After receiving inadequate help from their existing vendor, the CISO of the Bank personally called Shape with a request: transition from Observation Mode to Mitigation Mode weeks ahead of schedule to stop the debilitating attack. The Shape Professional Services team went to work - within a few hours, Shape Enterprise Defense was configured and deployed in mitigation mode on the Bank’s Canadian sites.

As soon as Shape Enterprise Defense went into mitigation mode, as depicted by the transition from yellow to red traffic in the chart above, the attack tempered down. Shape completely eliminated the flood of automated traffic from reaching the Bank’s origin server, allowing the Bank’s incident response team to stabilize traffic and ensure service availability for customers.


Future Plans: ​Full Replacement of Vendor’s Solution

Shape - through its Enterprise Defense service and Threat Intelligence team - proved superior to the vendor and successfully pinch-hit in a difficult situation. The Bank appreciated not just Shape’s efficacy, but also that Shape’s team was willing and able to deploy in the midst of a large-scale attack.

As a result of Shape successfully defending the Canadian login applications, the Bank plans on taking considerable steps into broadening their use of Shape Enterprise Defense, including:

  • Removing the original bot-mitigation vendor from all web properties
  • Expanding Shape Enterprise Defense’s coverage to 100% of web and mobile properties across all geographies
  • Augmenting fraud analytics abilities by leveraging data available in Shape’s dashboard