Credential stuffing and the increasing importance of a robust incident response plan for businesses

Whilst data breaches and cyber security attacks continue to be a threat to any organisation, more recently the spotlight has shone on the lesser-known threat of ‘credential stuffing’. In this scenario, data breaches of one business allow attackers to use stolen usernames and passwords to gain access to other accounts where the name and password are the same, and there are no additional security protection layers. If there are stored credit card or bank account details within the user account, it provides an easy means for attackers to quickly drain funds from unsuspecting users. Worse, because there is no ‘breach’ on the secondary business, the transactions may not be ‘flagged,’ and it raises the question of “who bears responsibility?”. 

Is it the primary business who was breached? Is it the secondary who did not have additional layers of security? Or is it the user who used the same username and password for multiple sites?

A case study 

This was recently the case for one of Australia’s most popular online retailers, The Iconic. Customers had their details stolen from another completely unrelated source. Leveraging automated software, attackers can pump usernames and passwords through numerous sites until they strike one without additional security layers such as multi-factor authentication and change verification. Once in, the attackers were able to change users’ account details, email addresses and delivery addresses without the users being notified, leaving the individual with just the bill that is charged to their stored card or account details.

Whilst The Iconic was not the subject of a data breach, it does bring into question the need for organisations to have additional security measures, particularly where organisations are either storing or automatically linking user accounts to credit card or banking details. It also raised the question of the appropriateness of the incident response plan enacted in the wake of the scam being identified. 

Customers were furious with the retailer’s response to phone calls and the lack of immediate action following the incident, particularly when it involved the misuse of payment data to process fraudulent transactions.

So, who is at fault?

The Iconic could argue that as their systems were not breached, they are not responsible for the misuse of user accounts. It could be countered with an argument that they are responsible for security where they chose to store users’ payment information and that the current security measures were too simplistic for such an environment. Perhaps the fault lies with the unknown source where the breach did occur? After all, it was their breakdown of security that allowed peoples passwords to be stolen in the first instance. Or perhaps the users themselves should bear responsibility for ignoring advice about not using the same passwords for multiple accounts?

In this instance, as part of their response to the incident, The Iconic issued refunds to affected customers, which assists to maintain trust and mitigate reputational damage. It would be naïve to think that this will always be the case. More recently banks have begun taking a tougher stance against refunding ‘properly authorised’ fraudulent transactions, being those where the user was scammed into transferring money to a fraudster.

Mitigating the impact of these attacks 

Regardless of responsibility, this case demonstrates the importance of effective corporate incident response plans, including thinking outside of the box, including when your business is affected by a breach that occurred elsewhere. A clear communication strategy is a critical component of any incident response plan. Importantly, it should provide for a bi-directional approach when large numbers of customers are involved. A recorded message or a vague promise to get back to them infuriates people when their hard-earned money is at stake. This is made worse when a user cannot close or cancel their account in the meantime because the attacker changed the password and locked them out.

Organisations should consider the level of additional security applied to accounts when they are storing customer credit card or other payment information by default and processing payments. Multi-factor authentication or additional verification of critical details such as a change of email, address or password is critical to maintain the security of customer accounts. 

For individuals, this incident is another reminder to be aware of the risks of online accounts, actively heed advice and not to simply rely on others to protect your personal information.

How to protect yourself online

Tuesday 6 February is Safer Internet Day, which aims to raise awareness of the need for a safer and better internet for all. To help you protect yourself online, implement our tips below: 

  • Do not use the same name and password across multiple accounts
  • Consider the need to store credit card details and other payment data on the internet. Could they be entered in each instance or use a third-party payment provider.
  • Implement multi-factor authentication, where a verification code is required on more than one device 
  • For dealing with a multitude of passwords, consider a password manager application that securely stores your passwords and is protected by a single strong password.

Due to the increase in data breaches across Australia, the federal government is pushing a new strategy for internet and data security as well as strengthening the Privacy Act to make the online environment safer for everyone. Ultimately though, responsibility does lie with us all. There is a need for both organisations and individuals to be more proactive and take responsibility for being cyber-safe.

Contact us 

To discuss how you can make your organisation more fraud resistant, get in touch with a member of the BDO Forensic Services team.