An unauthorized person was able to gain access to a TransUnion Canada web portal and use it to pull consumer credit files using a credential stuffing attack.
Once the unauthorized user gained access to the TransUnion portal, they could perform credit searches using a consumer's name, address, date of birth, or Social Insurance Number ("SIN").
If the correct information was entered, a credit file would be shown that contains the consumer’s name, date of birth, current and past addresses, and information related to the credit, such as loan obligations, amounts owed, and payment history. Actual account numbers, though, would not be included in the report.
An unauthorized person was able to gain access to a TransUnion Canada web portal and use it to pull consumer credit files: https://t.co/OarnF15sGx
— Adam Levin (@Adam_K_Levin) October 8, 2019
If a website is receiving an excessive number of authentication attempts (on the order of an exponential increase in magnitude), the site creator needs to work on how internal and external users are authenticating and how many attempts an identifiable browser or IP can send.
Users can protect themselves with password managers, but it's up to the operators of websites and apps to prevent themselves from becoming test-beds for valid credentials. Preventing one person or one IP from submitting more than a handful of logins, or even the same one repeatedly, is important, both in the total number they try and in how fast they can submit them. Using tools like CAPTCHA, email magic links, rate limiting, browser detection, and in general thinking about how a login page can be abused can all contribute to removing a website from the field of play for credential testing/stuffing.
Poorly or misconfigured authentication is what allows attacks like this to be successful. Unfortunately, because most major organizations often have hundreds or even thousands of applications, it's nearly impossible to test them all regularly and effectively for those kinds of authentication issues. Even if you're using pen testers, they would only see/test a fraction of the apps.
A WAF or IPS might successfully identify attackers who were attempting credential stuffing from a single IP address, and then throttle back or block the credential stuffing attempts, but unfortunately sophisticated attackers would use a botnet or botnet-like capability to avoid detection.
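Two of the points above, that a site should bound how many attempts one browser or IP can send, and that per-IP throttling by a WAF or IPS misses stuffing spread across a botnet, can both be turned into detection logic run over the authentication log. The Python below is an added example, not code from the original page or from TransUnion; the log format, the thresholds, the window size and the sample log lines are all constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not from any real system). The assumed format is
# "<ISO timestamp> ip=<addr> user=<name> result=<ok|fail>".
# 203.0.113.5 walks through many usernames from one address (single-source stuffing);
# 198.51.100.0/24 shows one attempt per address, mostly failing (distributed stuffing);
# 192.0.2.x is ordinary traffic, including a user who mistyped once.
SAMPLE_LOG = """\
2019-10-01T10:00:01 ip=192.0.2.10 user=alice result=ok
2019-10-01T10:00:05 ip=203.0.113.5 user=alice result=fail
2019-10-01T10:00:06 ip=203.0.113.5 user=bob result=fail
2019-10-01T10:00:07 ip=203.0.113.5 user=carol result=fail
2019-10-01T10:00:08 ip=203.0.113.5 user=dave result=fail
2019-10-01T10:00:09 ip=203.0.113.5 user=erin result=fail
2019-10-01T10:00:10 ip=203.0.113.5 user=frank result=ok
2019-10-01T10:02:00 ip=192.0.2.11 user=bob result=fail
2019-10-01T10:02:30 ip=192.0.2.11 user=bob result=ok
2019-10-01T10:10:01 ip=198.51.100.1 user=grace result=fail
2019-10-01T10:10:02 ip=198.51.100.2 user=heidi result=fail
2019-10-01T10:10:03 ip=198.51.100.3 user=ivan result=fail
2019-10-01T10:10:04 ip=198.51.100.4 user=judy result=fail
2019-10-01T10:10:05 ip=198.51.100.5 user=mallory result=fail
2019-10-01T10:10:06 ip=198.51.100.6 user=oscar result=ok
2019-10-01T10:10:07 ip=198.51.100.7 user=peggy result=fail
2019-10-01T10:10:08 ip=198.51.100.8 user=trent result=fail
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)


def parse_log(text):
    """Parse the assumed log format into event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "ip": m["ip"],
            "user": m["user"],
            "ok": m["result"] == "ok",
        })
    return events


def _bucket(ts, window):
    """Floor a timestamp to a fixed-size window so events can be grouped per window."""
    epoch = datetime(1970, 1, 1)
    return epoch + int((ts - epoch) / window) * window


def single_source_stuffing(events, window=timedelta(minutes=5), max_users_per_ip=5):
    """IPs that try at least max_users_per_ip distinct usernames inside one window.
    This is the pattern a per-IP WAF/IPS rule can catch and throttle."""
    users = defaultdict(set)  # (window start, ip) -> usernames attempted
    for e in events:
        users[(_bucket(e["ts"], window), e["ip"])].add(e["user"])
    return {ip for (_, ip), seen in users.items() if len(seen) >= max_users_per_ip}


def distributed_stuffing(events, window=timedelta(minutes=5), min_ips=6,
                         max_attempts_per_ip=2, min_fail_ratio=0.8):
    """Windows in which many IPs each make only a couple of attempts and most fail:
    the botnet pattern that per-IP throttling misses. Returns {window start: set of IPs}."""
    per_window = defaultdict(list)
    for e in events:
        per_window[_bucket(e["ts"], window)].append(e)
    flagged = {}
    for start, evs in per_window.items():
        attempts = defaultdict(int)
        for e in evs:
            attempts[e["ip"]] += 1
        fails = sum(1 for e in evs if not e["ok"])
        if (len(attempts) >= min_ips
                and max(attempts.values()) <= max_attempts_per_ip
                and fails / len(evs) >= min_fail_ratio):
            flagged[start] = set(attempts)
    return flagged


def likely_takeovers(events, window=timedelta(minutes=5)):
    """Usernames that logged in successfully from a flagged source: the credentials the
    attacker has just validated, which are the accounts to reset or step up first."""
    bad_ips = set(single_source_stuffing(events, window))
    for ips in distributed_stuffing(events, window).values():
        bad_ips |= ips
    return sorted({e["user"] for e in events if e["ok"] and e["ip"] in bad_ips})


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("single-source stuffing IPs:", single_source_stuffing(evs))
    print("distributed stuffing windows:",
          {str(k): len(v) for k, v in distributed_stuffing(evs).items()})
    print("accounts to reset:", likely_takeovers(evs))
```

The first detector is what a per-IP block list implements; the second works at the level of the whole window and is an alert to review rather than an automatic block, because a legitimate traffic spike also produces many low-attempt IPs and only the failure ratio separates the two. The thresholds here are illustrative and would be tuned against the site's own baseline.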
Credential stuffing can be mitigated by adopting good password hygiene. Breaches of databases are inevitable, especially when it comes to such sensitive information as consumer credit files, which can be exploited for future criminal activity.
These breaches sometimes release usernames and passwords, either plaintext or hashes, into the wild world of the dark web. The hackers then target well-known consumer websites with those credentials, hoping to find, for example, an account with a stored credit card or with one-touch buying enabled. Not using the same password across multiple websites is one way to mitigate this, as is using two-factor or additional authentication methods.
Organisations should make sure that access to portals that allow users to view sensitive information is secured using two-step authentication and is well monitored and recorded, so that any suspicious activity can be detected in a timely manner. Additionally, analyzing behavioural biometric data of users can help to identify suspicious behaviour of a particular user or entity, thus raising the alarm and, if a high risk is determined, terminating the session.
Even bad passwords can be improved by simply implementing two-factor authentication. We all would like to see better practices when it comes to creating secure passwords. The reality is we need a technology transformation. Any clever tricks we have to create memorable passwords are not clever and are compromised as part of the billions of previously compromised passwords. Start with a password manager and two-factor authentication whenever available.
Credential stuffing and other password guessing attacks have been so popular because they’re easy to execute and likely to work. Until users choose to or are forced to leverage unique username and password combinations across the different sites and services they leverage – or passwords are eradicated completely – these attacks will continue to be a headache. Users should consider leveraging password managers on their computers and mobile devices to eliminate the need to remember their passwords in the first place. Businesses should consider validating passwords against breach dictionaries to prevent users from putting their accounts at risk.
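The last suggestion, validating passwords against breach dictionaries, is normally done with a k-anonymity range lookup of the kind the Have I Been Pwned "Pwned Passwords" service offers: the client hashes the candidate password with SHA-1, sends only the first five hex characters, receives every suffix sharing that prefix together with its breach count, and does the match locally, so the full hash never leaves the client. The Python below is an added example, not code from the original page; the in-memory range store and its counts are constructed for the demo, and the optional live fetcher assumes the public range endpoint and its one-`SUFFIX:COUNT`-per-line response format.

```python
import hashlib
import urllib.request


def sha1_hex(password):
    """Uppercase hex SHA-1, the hash the Pwned Passwords corpus is keyed on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed offline stand-in for the breach corpus. The passwords are well-known weak
# choices; the counts are made up for this example and are not real breach statistics.
_CONSTRUCTED_CORPUS = {
    "password": 9_000_000,
    "123456": 20_000_000,
    "qwerty": 3_000_000,
    "Summer2019!": 40,
}
RANGE_STORE = {}  # 5-char hash prefix -> ["SUFFIX:COUNT", ...]
for _pw, _count in _CONSTRUCTED_CORPUS.items():
    _h = sha1_hex(_pw)
    RANGE_STORE.setdefault(_h[:5], []).append(f"{_h[5:]}:{_count}")


def fetch_range_offline(prefix):
    """Return what a range query returns: one 'SUFFIX:COUNT' line per hash with this prefix."""
    return "\r\n".join(RANGE_STORE.get(prefix, []))


def fetch_range_online(prefix):
    """Live lookup against the public range endpoint (assumed URL; not used in the offline demo)."""
    url = f"https://api.pwnedpasswords.com/range/{prefix}"
    with urllib.request.urlopen(url, timeout=5) as resp:
        return resp.read().decode("utf-8")


def breach_count(password, fetch=fetch_range_offline):
    """k-anonymity lookup: only the 5-character prefix is sent; the suffix match is local."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch(prefix).splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate == suffix:
            return int(count)
    return 0


def validate_password(password, min_len=8, fetch=fetch_range_offline):
    """Policy check in the spirit of NIST SP 800-63B: a length floor plus rejection of any
    password that appears in the breach corpus. Returns a list of problems, empty if OK."""
    problems = []
    if len(password) < min_len:
        problems.append(f"shorter than {min_len} characters")
    hits = breach_count(password, fetch)
    if hits:
        problems.append(f"found {hits} times in breach corpus; choose a different password")
    return problems


if __name__ == "__main__":
    for candidate in ("password", "Summer2019!", "xK9#vQ2pLm8!zR4w"):
        print(candidate, "->", validate_password(candidate) or "accepted")
```

To use the live service, pass `fetch=fetch_range_online`. One design decision the code leaves to the caller is what to do when the lookup fails (network error, timeout): failing closed blocks enrolment during an outage, failing open lets a breached password through, and which is acceptable depends on how the portal is exposed.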