Powered by MOMENTUM MEDIA
Businesses warned on rising threat of credential stuffing

09 February 2024

Implementing a robust incident response plan is critical for businesses with cyberattacks involving ‘credential stuffing’ on the rise, cautions BDO.

Cyber security attacks using credential stuffing methods have been increasingly in the spotlight recently and highlight the need for businesses to have corporate incident response plans, according to Stan Gallo, forensic services partner at BDO.

These types of data breaches involve attackers taking usernames and passwords stolen from one service and using them to log in to accounts at other services where the same username and password have been reused and no additional security layer, such as multi-factor authentication, is in place.

“If there are stored credit card or bank account details within the user account, it provides an easy means for attackers to quickly drain funds from unsuspecting users,” said Mr Gallo.


“Worse, because there is no breach on the secondary business, the transactions may not be flagged, and it raises the question of who bears responsibility?”

In these situations, Mr Gallo said, it is unclear whether responsibility lies with the primary business that was breached or with the secondary business, which did not have additional layers of security in place.

“Is it the user who used the same username and password for multiple sites?” he questioned.

Mr Gallo noted the recent attack impacting online retailer, The Iconic.

“Customers had their details stolen from another completely unrelated source. Leveraging automated software, attackers can pump usernames and passwords through numerous sites until they strike one without additional security layers such as multi-factor authentication and change verification,” he explained.

“Once in, the attackers were able to change users’ account details, email addresses and delivery addresses without the users being notified, leaving the individual with just the bill that is charged to their stored card or account details.”

While The Iconic was not itself the subject of a data breach, Mr Gallo said attacks like these highlight the need for organisations to have additional security measures, particularly where they are storing customer accounts or automatically linking them to credit card or banking details.

“It also raised the question of the appropriateness of the incident response plan enacted in the wake of the scam being identified,” he said.

“Customers were furious with the retailer’s response to phone calls and the lack of immediate action following the incident, particularly when it involved the misuse of payment data to process fraudulent transactions.”

Mr Gallo said this demonstrates the importance of effective corporate incident response plans that also cover the less obvious scenario of a business being affected by a breach that occurred elsewhere.

“A clear communication strategy is a critical component of any incident response plan. Importantly, it should provide for a bi-directional approach when large numbers of customers are involved,” he said.

“A recorded message or a vague promise to get back to them infuriates people when their hard-earned money is at stake. This is made worse when a user cannot close or cancel their account in the meantime because the attacker changed the password and locked them out.”

Mr Gallo said organisations should also consider the level of additional security applied to accounts when they are storing customer credit card or other payment information by default and processing payments.

“Multi-factor authentication or additional verification of critical details such as a change of email, address or password is critical to maintain the security of customer accounts,” he said.
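The two controls described in this article, spotting the automated credential-testing pattern and requiring step-up verification before critical account details change, can both be checked from an application's own authentication and account-event logs. The following is an added example written for this page; it is not code from BDO, The Iconic or the article's author. The log format, the sample events, the five-distinct-usernames-per-five-minutes threshold and the `STEPUP_OK` event name are all assumptions made for the example, and would need to be mapped onto a real platform's logging.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample event log (not real data). Format: timestamp ip user event.
# 203.0.113.7 tries one password against many accounts, succeeds on "frank",
# then changes the email and delivery address without any step-up check.
# "grace" changes her address from her usual IP after passing step-up.
SAMPLE_LOG = """\
2024-02-01T10:00:01 203.0.113.7 alice LOGIN_FAIL
2024-02-01T10:00:02 203.0.113.7 bob LOGIN_FAIL
2024-02-01T10:00:03 203.0.113.7 carol LOGIN_FAIL
2024-02-01T10:00:04 203.0.113.7 dave LOGIN_FAIL
2024-02-01T10:00:05 203.0.113.7 erin LOGIN_FAIL
2024-02-01T10:00:06 203.0.113.7 frank LOGIN_OK
2024-02-01T10:00:40 203.0.113.7 frank CHANGE_EMAIL
2024-02-01T10:00:55 203.0.113.7 frank CHANGE_ADDRESS
2024-02-01T10:05:00 198.51.100.9 alice LOGIN_FAIL
2024-02-01T10:05:20 198.51.100.9 alice LOGIN_OK
2024-02-01T11:30:00 192.0.2.44 grace LOGIN_OK
2024-02-01T11:44:00 192.0.2.44 grace STEPUP_OK
2024-02-01T11:45:00 192.0.2.44 grace CHANGE_ADDRESS
"""

# Account changes that the article says should require extra verification.
SENSITIVE = {"CHANGE_EMAIL", "CHANGE_ADDRESS", "CHANGE_PASSWORD"}


def parse_log(text):
    """Parse the constructed log format into time-ordered event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, event = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "ip": ip,
                       "user": user, "event": event})
    events.sort(key=lambda e: e["ts"])
    return events


def stuffing_sources(events, window=timedelta(minutes=5), min_users=5):
    """Flag source IPs whose failed logins span many *distinct* usernames
    within a short window. A single user mistyping a password fails on one
    account; credential stuffing fails across many accounts, once each."""
    fails = defaultdict(list)
    for e in events:
        if e["event"] == "LOGIN_FAIL":
            fails[e["ip"]].append((e["ts"], e["user"]))
    flagged = {}
    for ip, attempts in fails.items():
        peak = 0
        for i, (ts, _) in enumerate(attempts):
            users = {u for t, u in attempts[:i + 1] if ts - t <= window}
            peak = max(peak, len(users))
        if peak >= min_users:
            flagged[ip] = peak
    return flagged


def unverified_changes(events, suspicious_ips=frozenset()):
    """Flag sensitive account changes made in a session that never passed a
    step-up verification (STEPUP_OK) after login. Changes coming from an IP
    already identified as a stuffing source are marked for priority triage."""
    session = {}
    findings = []
    for e in events:
        user, ev = e["user"], e["event"]
        if ev == "LOGIN_OK":
            session[user] = {"ip": e["ip"], "verified": False}
        elif ev == "STEPUP_OK" and user in session:
            session[user]["verified"] = True
        elif ev in SENSITIVE:
            s = session.get(user)
            if s is None or not s["verified"]:
                findings.append({"user": user, "ip": e["ip"], "event": ev,
                                 "stuffing_source": e["ip"] in suspicious_ips})
    return findings


def triage(log_text):
    """Run both detections over a log and return (sources, change findings)."""
    events = parse_log(log_text)
    sources = stuffing_sources(events)
    return sources, unverified_changes(events, frozenset(sources))


if __name__ == "__main__":
    sources, changes = triage(SAMPLE_LOG)
    print("stuffing sources:", sources)
    for c in changes:
        print("unverified change:", c)
```

On the sample data the first check flags `203.0.113.7` (five distinct usernames failed within seconds), and the second flags both of frank's changes because no step-up verification happened between the login and the change, while grace's address change passes because her session cleared `STEPUP_OK` first. The second check is the one that would have surfaced the pattern described in the article, where the retailer itself was never breached and the logins looked like ordinary successes.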

About the author


Miranda Brownlee is the news editor of Accounting Times, an online publication delivering analysis and insight to Australian accounting professionals. She was previously the deputy editor of SMSF Adviser and has broad business and financial services reporting experience, having written for titles including Investor Daily, ifa and Accountants Daily. You can email Miranda on: [email protected]
