Following the news that US Car Giant General Motors was hit by a credential stuffing attack last month that exposed customer information and allowed hackers to redeem points for gift cards, information security experts reacted below.
Today’s credential stuffing attacks are all run by bots. First, attackers compromise user credentials from some random site like a free email service, or buy lists from the dark web. Then they commission a botnet and instruct their bots to try the same username/password on as many other sites as possible, hoping to gain access to something financially related.
Since it appears nothing will stop people from using the same credentials on multiple sites, a two-factor authentication (2FA) challenge should be mandatory across the board. Also, this challenge should not go to an email account (since that may already be compromised,) but to a physical mobile device.
Organisations often do not turn on 2FA because they will have to pay the surcharges for millions of text messages used in the 2FA challenge.
The username and password combo does not suffice anymore, and passwords remain one of the biggest cyber challenges for both consumers and businesses. People tend to create passwords that are easy to remember, often incorporating birthdays or special dates that are usually openly disclosed on social media, where cybercriminals can easily find them. Most importantly, there is the habit of reusing the same credentials across several accounts, with minimal variations.
Regular consumers should consider using a password manager to enhance their log-in credentials with unique passwords for every account that are long and complex, however businesses should look beyond password managers and extend their perimeter access security to contractors, partners, and customers using a privileged access management solution that includes increased security controls and auditing.
Some may suggest that breaches that don\’t involve payment card numbers or SSNs are not as serious, but other information (family member names, phone numbers and addresses) is just as damaging as it will be used in future social engineering attacks and will forever place these people in danger. How easy is it to change family member names, phone numbers, and addresses? This type of attack is eminently preventable simply with better multi-factor authentication.
Exploiting password reuse for credential stuffing is a common attack vector for many data breaches and ransomware. To protect against such attacks, the use of Multi Factor Authentication (MFA) is recommended. Another strategy that can also be used in conjunction to MFA is to employ strong device posture checking and the use of an authenticating encryption. A modern VPN can implement such techniques that can isolate an end user tightly to a virtual endpoint and prevent the misuse of even legitimate credentials from a different location or endpoints creating an effective barrier against such attacks.
Information Security Buzz (aka ISBuzz News) is an independent resource that provides the experts comments, analysis and opinion on the latest Information Security news and topics