In response to DailyMotion’s disclosure on Friday that it’s suffered a credential stuffing attack (which it’s reported to France’s Commission nationale de l’informatique et des libertés [CNIL] complying with GDPR requirements), four experts with OneSpan and STEALTHbits offer perspective.
DailyMotion discloses credential stuffing attack https://t.co/Wimf8r2qfa via @campuscodi
— ZDNET (@ZDNET) January 28, 2019
Scott Clements, CEO at OneSpan:
“Passwords and personal identifiable information are almost guaranteed to be exposed in ever increasingly sophisticated and frequent data breaches. It’s more important than ever to secure and protect the entire digital customer journey, and the data captured within, by taking a layered approach to security. This helps capture and analyze multiple complementary authentication factors and correlational data to establish trusted identities, devices and transactions. This is how we help our global banking customers – by making it harder for cybercriminals to capture data and commit fraud.”
Michael Magrath, Director, Global Regulations & Standards at OneSpan:
“Consumers who have not yet upgraded to multifactor authentication (MFA) to login to websites, more often than not, reuse a few static passwords across multiple websites. Given the vast number of password-related breaches over the past few years, the convenient, yet insecure reuse of static passwords exposes individuals to the credential stuffing attack used in this case. Consumers should always use MFA, where available, to add an additional layer of security to protect their privacy. Many websites support MFA today. The good news is, more and more are supporting frictionless solutions such as intelligent adaptive authentication and behavioral biometrics which balance ease of use with security.”
.
Rod Simmons, Vice President of Product Strategy, Active Directory at STEALTHbits Technologies:
“In giving users flexibility to set any desired password we fail to fix stupid. Carbon based life forms cannot trip over creating secure passwords. Our challenge as system owners is to prevent users from doing lazy and stupid things. For example, so I don’t forget my password let me include my logon name in it plus by date of birth. Users will go out of their way, unintentionally, and do the least secure thing possible. As an administrator prevent it.”
.
Martin Cannard, VP of Privileged Access Management Product Strategy at STEALTHbits Technologies:
“Sharing passwords between sites is a recipe for disaster, especially when the same credentials are used for business. One exposed password along with an exposed username/password is all it takes to for attackers to brute force their way into your account. Today there is a plethora of personal password management tools which makes the process of maintaining unique credentials a no-brainer. Keep your passwords strong and unique, and NEVER use the same password for a business as you would for personal sites.”
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.