Australian technology news, reviews, and guides to help you

How to protect against credential stuffing

Worried about your bank card or credit card being used to buy things without your permission? Credit card stuffing scams can hit big time, but there are things you can do.

Somewhere between the cost of living crisis and the number of scams we’re all dealing with on the day-to-day, keeping hold of your money isn’t easy right now. It’s not as if the past year has been any easier, but lately, it seems especially trying.

In the past few months, we’ve seen scams ramp up as scammers work to steal more from you, and the latest moves don’t even need you to do anything.

Take the bank identification number scams, where a criminal simply needs to guess your card number and start spending. It’s a hassle you shouldn’t have to deal with, but one that wastes serious money and time every year.

Australians are also dealing with credential stuffing, a concept also known as “credit card stuffing” simply because it often affects bank and credit cards left on services. The issue sees your account details for merchants you rely on leaked and collected, the accounts then seemingly broken into, and your card details used to buy goods on those accounts for someone other than you.

It’s a problem affecting several retailers across Australia at the beginning of 2024, and one that will likely continue over the years simply because it has to do with security, plain and simple.

How does credential stuffing work?

Credential stuffing sees account details leaked and collected, and then invariably shared or sold on the black market, much like old credit card numbers might have been.

Those accounts are then logged into, and if there are payment details left, those are used to buy products for someone else.

Think of credential stuffing as having your login details stolen and your account broken into, because that’s essentially all it is.

Why is this happening?

Unfortunately, credential stuffing occurs usually because of poor security, and often at the merchant’s end.

While many merchants and websites with logins have moved to multifactor authentication or even evolved to something more hardy such as passkeys, not everyone has.

Websites with simple password logins can have their databases breached, and that can mean emails and password logins can find their way to the hands of criminals keen on taking advantage of them.

What can you do about credential stuffing?

The fix is one that should happen at the merchant’s end, with improved security processes, but there are other things you can do.

Contact the merchant and ask for improved security

First things first, because this is a security problem, contact the merchant in question where the breach occurred and ask (or even demand) that they improve their technology.

If the service supports multi-factor authentication, ask the provider where it can be enabled, and do that immediately. And if not, ask them when they plan to implement it to protect their customers.

A login secured with multifactor would ensure that even if the login database was leaked, a scammer would need another mechanism to be able to log in and use the account. And unless they had your phone, chances are that wouldn’t happen.
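What that second factor does at login time, shown as an added example rather than code from this article or any merchant: a minimal login check using a time-based one-time code (TOTP, RFC 6238). The account, password, secret and the `login`, `make_account` and `demo` functions are all constructed for illustration.

```python
import hashlib
import hmac
import struct

def totp(secret: bytes, now: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 one-time code (HMAC-SHA1), the kind an authenticator app shows."""
    counter = struct.pack(">Q", int(now // step))
    digest = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def make_account(mfa_enabled: bool) -> dict:
    # Constructed sample account; every value here is made up for the example.
    salt = b"constructed-salt"
    return {"email": "shopper@example.com", "salt": salt,
            "pw_hash": hash_password("Summer2024!", salt),
            "totp_secret": b"secret-held-on-the-phone",
            "mfa_enabled": mfa_enabled}

def login(account, email, password, code, now) -> str:
    if email != account["email"]:
        return "denied: unknown account"
    candidate = hash_password(password, account["salt"])
    if not hmac.compare_digest(candidate, account["pw_hash"]):
        return "denied: wrong password"
    if account["mfa_enabled"]:
        # Accept the current and previous 30-second step to allow for clock drift.
        valid = [totp(account["totp_secret"], now - drift) for drift in (0, 30)]
        if code is None or not any(hmac.compare_digest(code, v) for v in valid):
            return "denied: second factor required"
    return "ok"

def demo(now: float = 1_700_000_000) -> dict:
    leaked = ("shopper@example.com", "Summer2024!")  # pair from a breached database
    protected, unprotected = make_account(True), make_account(False)
    phone_code = totp(protected["totp_secret"], now)  # only the phone owner has this
    return {
        "password_only_site": login(unprotected, *leaked, None, now),
        "mfa_site_replayed_pair": login(protected, *leaked, None, now),
        "mfa_site_owner": login(protected, *leaked, phone_code, now),
    }

if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

The same leaked email and password pair is accepted by the password-only account and rejected by the one with the second factor switched on.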

Don’t leave your details in the system

If you don’t want to risk financial loss and the organisation’s security isn’t spectacular, consider not keeping your bank details with the merchant you’re using.

While this means ordering something the next time is a touch more inconvenient — because you’ll need to re-enter your details — it also means if someone breaks in, they won’t be able to use details that don’t exist.

Download your bank’s app and watch transactions

If you plan on leaving your details in, consider grabbing your bank’s app and making sure you pay attention to what goes out.

It’s worth noting that some banks will proactively tell you when something has been purchased and doesn’t match your regular spending patterns, which can be incredibly helpful as a means of working out whether there’s a scammer doing the dodgy. If this happens, you can lock the account and monitor the attempts, as well as attempt to cancel the charges and cancel the card.

Check your activity statement every month

Even if you don’t get notifications about a dodgy purchase, it’s a good idea to go through your activity statement monthly to see whether the purchases make sense.

It doesn’t have to be an hour-long study of your financial comings and goings, but rather a few-minute glance at debits to see what has left your account and if it makes sense.

If something doesn’t make sense, contact your bank and attempt to reverse the charges, before cancelling the card. It happens more than you might think, and most scammers know it won’t be checked, meaning they can get away with it if you don’t check.

Checking your statement monthly doesn’t take much time, and it could just save you some money.
