Following a recent spate of credential stuffing attacks on Australian businesses that affected approximately 20,000 consumers, cybersecurity firm Barracuda Networks offers comments and insights into how such attacks work, why they are on the rise, and what measures can be applied to mitigate them.
The initial phase of such an attack involves a third-party service breach where user credentials are stolen, observes Mark Lukie, Director of Solution Architects, APAC at Barracuda Networks. "Usually, it's a combination of an email address, username, and password", Lukie says.
Post-breach, these stolen credentials are sold on the dark web, where malicious actors purchase them for use in automated credential stuffing attacks. These attacks script large volumes of login attempts, replaying each stolen email-and-password pair against the login forms of unrelated online services; wherever a customer reused that password, the attacker gets in. Lukie points out that such attacks are on the rise for a few reasons. "A marketplace exists for credentials to be bought and sold, creating a lucrative revenue stream for cybercriminals", he explains.
Moreover, modern bots used to script such attacks are readily available, even for rent to other cybercriminals intending to launch similar attacks. Additionally, most consumers still practice poor password hygiene, reusing the same password for multiple online services, thus leaving them vulnerable to such forms of attack.
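The trace such scripted replays leave in a login log is one source address cycling through many different accounts with a low success rate, which is the opposite of a legitimate user retrying their own account. The following is an added example, not Barracuda's code or anything from the affected retailers, that flags that pattern over a few constructed log lines in a hypothetical `ip=... login=... result=...` format; the thresholds are illustrative assumptions and would be tuned per site.

```python
import re
from collections import defaultdict

# Constructed sample log (hypothetical format, not from any real product).
# 203.0.113.7 replays twelve different stolen credential pairs and gets two hits;
# 198.51.100.20 is a normal user mistyping her own password before succeeding.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z ip=203.0.113.7 login=alice@example.com result=failure
2024-05-01T10:00:01Z ip=203.0.113.7 login=bob@example.com result=failure
2024-05-01T10:00:02Z ip=203.0.113.7 login=carol@example.com result=success
2024-05-01T10:00:02Z ip=203.0.113.7 login=dave@example.com result=failure
2024-05-01T10:00:02Z ip=203.0.113.7 login=erin@example.com result=failure
2024-05-01T10:00:03Z ip=203.0.113.7 login=frank@example.com result=success
2024-05-01T10:00:03Z ip=203.0.113.7 login=grace@example.com result=failure
2024-05-01T10:00:03Z ip=203.0.113.7 login=heidi@example.com result=failure
2024-05-01T10:00:04Z ip=203.0.113.7 login=ivan@example.com result=failure
2024-05-01T10:00:04Z ip=203.0.113.7 login=judy@example.com result=failure
2024-05-01T10:00:04Z ip=203.0.113.7 login=mallory@example.com result=failure
2024-05-01T10:00:05Z ip=203.0.113.7 login=oscar@example.com result=failure
2024-05-01T10:02:10Z ip=198.51.100.20 login=alice@example.com result=failure
2024-05-01T10:02:25Z ip=198.51.100.20 login=alice@example.com result=failure
2024-05-01T10:02:40Z ip=198.51.100.20 login=alice@example.com result=success
2024-05-01T10:05:00Z ip=198.51.100.21 login=dave@example.com result=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) login=(?P<user>\S+) result=(?P<result>success|failure)$"
)


def parse_log(text):
    """Yield (ip, user, succeeded) for each well-formed line; skip anything else."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m["ip"], m["user"], m["result"] == "success"


def detect_stuffing(text, min_distinct_users=5, max_success_rate=0.5):
    """Return {ip: stats} for source addresses that look like credential stuffing.

    A source is flagged when it tries at least `min_distinct_users` different
    accounts and its success rate is at or below `max_success_rate`. Accounts that
    succeeded from a flagged source are reported so they can be forced to reset.
    """
    stats = defaultdict(lambda: {"attempts": 0, "users": set(), "successes": []})
    for ip, user, ok in parse_log(text):
        s = stats[ip]
        s["attempts"] += 1
        s["users"].add(user)
        if ok:
            s["successes"].append(user)

    flagged = {}
    for ip, s in stats.items():
        rate = len(s["successes"]) / s["attempts"]
        if len(s["users"]) >= min_distinct_users and rate <= max_success_rate:
            flagged[ip] = {
                "attempts": s["attempts"],
                "distinct_users": len(s["users"]),
                "success_rate": round(rate, 3),
                "compromised_accounts": sorted(set(s["successes"])),
            }
    return flagged


if __name__ == "__main__":
    for ip, info in detect_stuffing(SAMPLE_LOG).items():
        print(ip, info)
```

Run as written it reports only 203.0.113.7, with carol and frank as the accounts whose reused passwords worked. A production version would bucket by time window and key on more than the source address (user agent, ASN, device fingerprint), since rented botnets spread attempts across many addresses precisely to stay under per-IP thresholds.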
Matt Caffrey, Senior Solutions Architect, ANZ, states that practical solutions exist and can be pursued by retailers to secure user data better. He suggests that retailers could implement robust security measures and advise best practices around password hygiene. This includes advising customers to change passwords regularly and discouraging the reuse of passwords across different platforms.
Caffrey explains, "In response to a recent security incident affecting multiple retail stores, where an unauthorised third party gained access to customer accounts, retailers can implement robust security measures and advise best practices around password hygiene, which includes but is not exclusive to changing passwords regularly along with not reusing passwords, e.g. using the same password for banking as for a retail store."
"To enhance security moving forward, retail stores can implement advanced authentication methods, such as passwordless authentication, which eliminates the need for traditional passwords. Instead, customers will receive secure, one-time authentication codes through trusted channels such as email or mobile apps. Biometric technologies, including fingerprint or facial recognition, are another great alternative."
As an added layer of security, Caffrey also recommends integrating detection mechanisms that identify accounts known to have been compromised in previous breaches and block them at the login portal. This measure is particularly useful where customers have not practised basic password hygiene.
"Moreover, retail stores can explore the integration of detection mechanisms where known compromised accounts via past breaches can be stopped at the login portal page, which will provide an additional layer of security if basic password hygiene isn't implemented by the customer," said Caffrey.
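One way to build the check Caffrey describes, as an added example that is not Barracuda's or any retailer's code: once the password verifies, the portal refuses entry and forces a reset if the account address is on a list exposed in a past breach, or if the password itself appears in a leaked-password corpus. The breached-account list, the leaked passwords and the `USERS` store below are constructed for illustration, and the PBKDF2 parameters are assumptions. The prefix index is built locally here to keep the example offline; it has the same shape as a k-anonymity range lookup, where a client sends only the first five hex characters of the SHA-1 and matches the suffix itself (the Pwned Passwords range API works this way), so a real deployment would query such a service rather than hold the corpus.

```python
import hashlib
import hmac
import os

# Constructed leaked-password corpus (illustrative, not a real leak).
LEAKED_PASSWORDS = ["password", "123456", "Summer2023!", "qwerty", "letmein"]


def sha1_upper(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# prefix (5 hex chars) -> set of 35-char suffixes: the shape a range query returns.
BREACH_INDEX = {}
for _pw in LEAKED_PASSWORDS:
    _h = sha1_upper(_pw)
    BREACH_INDEX.setdefault(_h[:5], set()).add(_h[5:])


def password_pwned(password):
    """True if the password's SHA-1 suffix is listed under its 5-char prefix."""
    h = sha1_upper(password)
    return h[5:] in BREACH_INDEX.get(h[:5], set())


# Constructed list of customer addresses seen in an earlier third-party breach.
BREACHED_ACCOUNTS = {"carol@example.com"}


def hash_password(password, salt=None, iterations=210_000):
    """Salted PBKDF2-HMAC-SHA256; iteration count is an assumption for the example."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


# Constructed user store: email -> (salt, derived key).
USERS = {
    "carol@example.com": hash_password("Summer2023!"),
    "dave@example.com": hash_password("correct horse battery staple"),
}


def verify_password(email, password):
    rec = USERS.get(email)
    if rec is None:
        hash_password(password)  # spend the same time so timing does not reveal valid emails
        return False
    salt, expected = rec
    _, actual = hash_password(password, salt)
    return hmac.compare_digest(expected, actual)


def gate_login(email, password):
    """Portal decision: 'denied', 'reset_required' or 'allowed'.

    The password is verified first; a correct password on an account flagged by a
    past breach, or a correct password that is itself known-leaked, is stopped at
    the portal and routed to a forced reset instead of into the account.
    """
    if not verify_password(email, password):
        return "denied"
    if email in BREACHED_ACCOUNTS or password_pwned(password):
        return "reset_required"
    return "allowed"


if __name__ == "__main__":
    for email, pw in [("carol@example.com", "Summer2023!"),
                      ("dave@example.com", "correct horse battery staple"),
                      ("dave@example.com", "wrong")]:
        print(email, "->", gate_login(email, pw))
```

Carol's login is correct but is stopped because her address appeared in a past breach and her password is in the leaked set; Dave passes. Checking after verification rather than before keeps the breach list from becoming an oracle for which addresses are registered, and the reset flow should itself reject any new password that `password_pwned` flags.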