Credential stuffing has quickly become one of the main vectors of online attacks, according to the Office of New York State Attorney General Letitia James (OAG). On January 6, 2022, the OAG announced the result of a major investigation which found that 1.1 million online accounts had been compromised through credential stuffing attacks on 17 well-known companies.
The OAG report indicates that credential stuffing is now one of the most common forms of cyberattack. Indeed, a large content delivery network reported that in 2020 it witnessed more than 193 billion credential stuffing attacks. This is not a problem that is confined to large companies, however. Any business with an online presence is at risk of falling victim to a credential stuffing attack.
The announcement provided a link to the OAG's Business Guide for Credential Stuffing Attacks, which describes the problem and the safeguards companies need to take to protect themselves against these attacks.
Credential stuffing occurs when a malicious actor uses login information (typically usernames and passwords) stolen from a website to break into other websites. The persistent practice of using the same password on multiple websites, despite advice to the contrary, makes credential stuffing possible. Once credentials have been obtained on one site, bad actors attempt to use them elsewhere.
In a typical credential stuffing attack, an attacker makes mass login attempts using hundreds of thousands, if not millions, of stolen credentials that the attacker obtained on the dark web or on hacking forums. According to the OAG, even if only a small percentage of login attempts succeed, given the sheer volume of attempts, thousands of accounts will be compromised. Once inside, the attacker can exploit stored credit card, bank card, or gift card information, or use account holder information for phishing or attacks on other accounts. The attacker can also resell the login information on the dark web.
What can be done?
According to the OAG, credential stuffing attacks have become so prevalent that they are an almost inevitable risk for most businesses. The OAG offers safeguards, although not exhaustive, that can be effective for a wide range of businesses, depending on the size, complexity and sensitivity of the customer data maintained by each business. The OAG recommends that companies implement protective measures in each of the following four areas:
A. Defending against credential stuffing attacks
Here are the three most effective protections against credential stuffing:
- Bot detection – use of special software that identifies and blocks traffic generated by bots, even when the bot has been disguised to look like a human user
- Multi-Factor Authentication (MFA) – requires the user to provide two or more credentials, which must include not only the user’s password but also “something the user has” (like a mobile phone) and / or “something the user is” (such as a fingerprint or facial recognition). Typically, businesses require users to use a physical security key, an authenticator app, or email, or require users to enter a one-time passcode that they receive via text, email, or phone.
- Passwordless Authentication – users access their account using the criteria “something the user has” and / or “something the user is”, without using a password.
In addition to the above, the OAG suggests that businesses configure a Web Application Firewall (WAF) and use programs that prevent the reuse of previously compromised passwords.
B. Detecting a credential stuffing breach
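The last recommendation above, rejecting passwords that already appear in a breach corpus, can be implemented without ever sending the user's password or its full hash to the lookup service. The following is an added example, not code from the OAG guide or from any product it mentions: it builds a small constructed breached-password index and queries it the way k-anonymity "range" lookups work, by sending only the first five hex characters of the SHA-1 hash and matching the remaining suffix locally. The breached-password list, the `lookup_range` stand-in and the 12-character minimum are assumptions made for the example.

```python
import hashlib
from typing import Dict, List

# Constructed sample corpus for this example; not a real breach dump.
BREACHED_PASSWORDS: List[str] = ["password", "123456", "qwerty", "letmein", "password"]


def _sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the password, the digest used by range lookups."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(passwords: List[str]) -> Dict[str, Dict[str, int]]:
    """Group breached hashes by their 5-char prefix; each bucket maps the
    35-char suffix to how many times that password appeared in the corpus."""
    index: Dict[str, Dict[str, int]] = {}
    for pw in passwords:
        h = _sha1_hex(pw)
        bucket = index.setdefault(h[:5], {})
        bucket[h[5:]] = bucket.get(h[5:], 0) + 1
    return index


RANGE_INDEX = build_range_index(BREACHED_PASSWORDS)


def lookup_range(prefix: str) -> Dict[str, int]:
    """Stand-in (assumption) for a remote range endpoint: given only a 5-char
    prefix, return every breached suffix in that bucket. The caller never
    reveals which of the returned suffixes, if any, it is interested in."""
    return RANGE_INDEX.get(prefix.upper(), {})


def breached_count(password: str) -> int:
    """Return how often the password appears in the breach corpus (0 if never)."""
    h = _sha1_hex(password)
    prefix, suffix = h[:5], h[5:]
    return lookup_range(prefix).get(suffix, 0)


def is_acceptable(password: str, min_length: int = 12) -> bool:
    """Policy check: reject short passwords and any password seen in a breach."""
    if len(password) < min_length:
        return False
    return breached_count(password) == 0


if __name__ == "__main__":
    for candidate in ["password", "correct horse battery staple"]:
        print(candidate, "->", "rejected" if not is_acceptable(candidate) else "ok",
              f"(seen {breached_count(candidate)} times)")
```

The index is rebuilt from a plain list here so the example runs offline; in a deployment the bucket would be fetched from the breach service at enrollment and password-change time, and the check should be repeated when a new breach corpus is loaded, since a password that was clean yesterday may be in today's dump.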
Because of what the OAG calls “the never-ending race of companies against attackers,” no single method can prevent all credential stuffing attacks. It is therefore recommended that every business employ methods to detect attacks when they occur.
- Since even the most sophisticated attackers leave digital footprints, such as spikes in traffic volumes and / or excessive unsuccessful login attempts, systematic and automated network traffic monitoring is an effective tool in detecting an attack.
- Businesses should also consider systematically monitoring customer reports and unauthorized access to discern a trend or growth in the volume of complaints. To do this, businesses need a clear and secure channel of communication that their customers can use to report concerns.
- Businesses should notify their customers when, based on their own criteria, they observe unusual or suspicious activity on a customer’s account, and ask the customer to confirm that they are the source of the activity.
- A business can use threat intelligence services, which monitor message boards and online forums for signs that a business’s credentials or accounts have been compromised.
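The "digital footprints" the first bullet refers to, a spike in failed logins and one source trying many different usernames, can be checked with a few lines of monitoring logic. The following is an added example, not part of the OAG guide: it parses constructed login-log lines in an assumed `timestamp ip=... user=... result=ok|fail` format, counts failures per one-minute window against a caller-supplied baseline, and flags source addresses that attempted many distinct usernames with a low success rate. The log format, thresholds and sample addresses are assumptions for the example.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed sample log (documentation-range addresses, invented users).
SAMPLE_LOG = """\
2022-01-06T10:00:05 ip=198.51.100.7 user=alice result=ok
2022-01-06T10:00:40 ip=203.0.113.9 user=bob result=fail
2022-01-06T10:01:10 ip=203.0.113.9 user=bob result=ok
2022-01-06T10:02:01 ip=192.0.2.50 user=carol result=fail
2022-01-06T10:02:02 ip=192.0.2.50 user=dave result=fail
2022-01-06T10:02:03 ip=192.0.2.50 user=erin result=fail
2022-01-06T10:02:04 ip=192.0.2.50 user=frank result=fail
2022-01-06T10:02:05 ip=192.0.2.50 user=grace result=ok
2022-01-06T10:02:06 ip=192.0.2.50 user=heidi result=fail
2022-01-06T10:02:07 ip=192.0.2.50 user=ivan result=fail
2022-01-06T10:02:08 ip=192.0.2.50 user=judy result=fail
"""

LINE_RE = re.compile(r"^(\S+) ip=(\S+) user=(\S+) result=(ok|fail)$")
Event = Tuple[datetime, str, str, bool]  # (time, source ip, username, success)


def parse_log(text: str) -> List[Event]:
    """Parse the assumed log format; lines that do not match are skipped."""
    events: List[Event] = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, ip, user, result = m.groups()
        events.append((datetime.fromisoformat(ts), ip, user, result == "ok"))
    return events


def failures_per_minute(events: List[Event]) -> Counter:
    """Count failed logins per one-minute window (window start -> count)."""
    counts: Counter = Counter()
    for ts, _ip, _user, ok in events:
        if not ok:
            counts[ts.replace(second=0, microsecond=0)] += 1
    return counts


def spike_windows(events: List[Event], baseline: float, factor: float = 3.0) -> List[datetime]:
    """Windows whose failure count exceeds factor * baseline. The baseline is
    the normal failures-per-minute for this site, learned from quiet periods."""
    return sorted(w for w, n in failures_per_minute(events).items() if n > factor * baseline)


def spraying_sources(events: List[Event], min_users: int = 5,
                     max_success_ratio: float = 0.2) -> Dict[str, Dict[str, int]]:
    """Source IPs that tried many distinct usernames with mostly failures:
    the signature of stolen credential lists being replayed. A per-IP view is
    a first cut only; bots spread across many addresses need the bot-detection
    and WAF controls from section A."""
    users: Dict[str, set] = defaultdict(set)
    attempts: Counter = Counter()
    successes: Counter = Counter()
    for _ts, ip, user, ok in events:
        users[ip].add(user)
        attempts[ip] += 1
        successes[ip] += int(ok)
    flagged: Dict[str, Dict[str, int]] = {}
    for ip, names in users.items():
        ratio = successes[ip] / attempts[ip]
        if len(names) >= min_users and ratio <= max_success_ratio:
            flagged[ip] = {"distinct_users": len(names),
                           "attempts": attempts[ip], "successes": successes[ip]}
    return flagged


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("failure spikes:", spike_windows(evs, baseline=1.0))
    print("suspect sources:", spraying_sources(evs))
```

Both checks are cheap enough to run continuously over the login audit trail, and the second one, which surfaces the accounts that succeeded from a flagged source, gives the list of customers to contact under the notification bullet above.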
C. Prevention of fraud and misuse of customer information
In the event that customer credentials are stolen, businesses can and should reduce the risk that an attacker could use those credentials to make fraudulent purchases or profit from the use of credentials.
- First, the OAG recommends that every business require the user to “re-authenticate” payment, credit, or gift card information at the time of purchase and not rely exclusively on information that has been stored in their user account. “Critically, businesses should require reauthentication for every payment method they accept.”
- It is also recommended that businesses use third-party fraud detection services that analyze customer and transaction data to identify suspicious or fraudulent transactions.
- Social engineering is often a component of credential stuffing attacks. Attackers often successfully bypass security features, such as MFA requirements, by using social engineering techniques to convince customer service representatives to bypass protections. Companies need to develop policies and train their customer representatives on those policies to detect and avoid social engineering.
- With stored gift cards being some of the most attractive targets, businesses should adopt reasonable practices to protect against their unauthorized use, such as user and balance reauthentication, obfuscating the full gift card number online, and limits on transferring gift card balances between user accounts.
D. Responding to a credential stuffing incident
Finally, as with all types of attacks, organizations should prepare for the inevitable credential stuffing attack with a written response plan. At a minimum, the response plan must include:
- Investigation – Suspicion that customer accounts have been targeted should trigger a prompt investigation. The investigation should determine whether and how the attack occurred, which accounts were affected, and what needs to be done in response.
- Remediation – Remediation serves two purposes: it should block any further intrusion or harm resulting from the attack in question, and it should prevent future attacks that exploit the same vulnerability.
- Notification – In many cases, businesses have a responsibility to notify customers when they know or have reason to believe that customer accounts have been compromised. This allows customers to update their credentials in all of their accounts and take other measures (such as a credit freeze) to protect their resources.
Notification requirements are set in a mosaic of federal and state laws depending on the location of the customer, the nature of the information accessed, and the industry in which the business operates. Companies that have purchased cyber insurance coverage may also have an obligation to notify their insurer and may receive their assistance in responding.
We recommend that you discuss any incidents with your attorney, insurance company, and information technology professionals to determine how to reduce the risk of credential stuffing attacks and how to respond if one occurs.