Only two months after releasing an alert on ransomware, the Office of Compliance Inspections and Examinations (OCIE) once again released a cybersecurity alert advising SEC registrants of an increase in cyberattacks. This time the focus was on credential stuffing. In a successful credential stuffing attempt, an attacker gains access to client accounts, sensitive data, and the company network using stolen credentials.
Hackers have been focusing their credential stuffing attacks on institutions within financial services. They are hoping to access client accounts, personally identifiable information (PII), and financial assets. ZDNet reported that attackers used credential stuffing on a NY-based investment firm and an international money transfer platform sometime between the summer of 2019 and earlier this year. The attacks caused outages, which resulted in $2 million in lost revenue.
How Does Credential Stuffing Work?
Credential stuffing is when a hacker uses stolen credentials to gain access to user accounts and networks. Attackers create automated scripts to test thousands of credentials on multiple web applications. Hackers use tools to make it seem like their scripted login attempts are the regular activities of thousands of people. The tools make the logins appear as though they are coming from different browsers and IP addresses.
The reason credential stuffing is so successful is that many people use the same username and password for multiple accounts, e.g., their bank, email, and social media. According to Inc., around 66% of Americans reuse passwords. Let’s say your employee uses the same credentials for accessing the company network and their online bank account. If a hacker breached your employee’s bank, the attacker now has user credentials for your network. This is why it’s critical to have a password policy.
Breach after Breach
Hackers can obtain user credentials using many different techniques. For a credential stuffing attack, user accounts typically come from a prior breach. Attackers may have their own database of usernames and passwords from previous hacks, or they could purchase databases from the Dark Web. Disturbingly, it seems to be a growing trend for hackers to publish stolen credentials on forums for free. One of the largest stolen credential databases is known as “Collections #1-5”. According to Wired, the collections include around 2.2 billion usernames and passwords.
If a hacker can gain credentials for client accounts or your network, they will more than likely sell them on the Dark Web. Unfortunately, that means you are more likely to be breached again as a result. Data breaches are more than an inconvenience and bad public relations. Security incidents and breaches can cause damages like:
- Lost Revenue
- Litigation Fees
- Reputational Damage
- Business Closure
It can take years for a company to overcome the challenges caused by a data breach.
Protecting Client Accounts and PII
OCIE recommends the following cybersecurity practices to mitigate the risks associated with credential stuffing:
Create Strong Passwords and Do Not Reuse Them
The unfortunate truth is humans are one of the top causes of data breaches. Human behavior is often predictable, and hackers use this to their advantage. Two common password faux pas are weak passwords and reuse of passwords. Creating weak passwords makes it easier for hackers to guess your passwords. Reusing the same password for multiple accounts means that if a hacker has access to one account, they have access to all your accounts.
Protect client accounts and PII by reviewing and updating policies and procedures. Have a password policy that requires employees and clients’ passwords to be strong and regularly updated. Require users to have unique passwords for each account they access. Having strong passwords dedicated to specific accounts will limit the amount of damage a hacker can do with stolen credentials.
Implement Multi-factor Authentication
By having multi-factor authentication (MFA), a hacker would need more than a username and password to access an account. MFA requires additional factors like a code via text or application. Even if a hacker has obtained your credentials from the Dark Web, they more than likely will not have access to your phone.
When logging into your web-based email, you have probably been prompted to identify streetlights in a series of images. You may remember nervously trying to determine if a few corner pixels counted as a streetlight so that you could continue to your inbox. It’s okay; we have all been mistaken for a robot by CAPTCHA at least once. CAPTCHA stands for Completely Automated Public Turing test to tell Computers and Humans Apart. Just as it sounds, CAPTCHA asks users to complete a task to prove they are human and not a bot or automated script. This test prevents automated scripts containing stolen credentials from being able to access your accounts.
Actively Monitor Your Network
Some organizations don’t realize for weeks or even months that their network experienced a breach. Businesses may think because they have some form of monitoring, it will detect cybersecurity events. There are different types of monitoring, and not all systems can identify and respond to cybersecurity incidents. To detect suspicious activities and incidents, you need to actively monitor your network around the clock. Remember, hackers use tools to mask their activity as normal user behavior. Find an IT partner with cybersecurity experts who can use forensic analysis to understand the activities on your network.
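One way to spot the pattern described above in authentication logs, as an added example that is not part of the OCIE alert or Coretelligent’s own tooling: a brute-force attack fails many times against one account from one source, whereas credential stuffing fails once or twice against many different accounts from many IPs and browsers. The log format, sample lines and thresholds are constructed assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in an assumed format (ua token has no spaces):
# "<ISO timestamp> ip=<addr> user=<name> result=<ok|fail> ua=<agent>"
SAMPLE_LOG = """\
2020-09-15T10:00:01 ip=203.0.113.10 user=alice result=fail ua=Firefox/80
2020-09-15T10:00:02 ip=203.0.113.11 user=bob result=fail ua=Chrome/85
2020-09-15T10:00:02 ip=203.0.113.12 user=carol result=fail ua=Safari/14
2020-09-15T10:00:03 ip=203.0.113.13 user=dave result=fail ua=Edge/85
2020-09-15T10:00:03 ip=203.0.113.14 user=erin result=ok ua=Chrome/84
2020-09-15T10:00:04 ip=203.0.113.15 user=frank result=fail ua=Firefox/79
2020-09-15T10:00:04 ip=203.0.113.16 user=grace result=fail ua=Chrome/85
2020-09-15T11:30:00 ip=198.51.100.7 user=ivan result=fail ua=Chrome/85
2020-09-15T11:30:20 ip=198.51.100.7 user=ivan result=fail ua=Chrome/85
2020-09-15T11:30:45 ip=198.51.100.7 user=ivan result=ok ua=Chrome/85
"""

def parse_line(line):
    """Split one log line into a dict with a datetime under 'ts'."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec

def detect_stuffing(log_text, window=timedelta(minutes=5),
                    min_failed_users=5, max_fails_per_ip=2):
    """One finding per window that looks like stuffing: many distinct users
    fail while no single IP produces more than a few failures (a brute-force
    is the reverse: one user, many failures, one source). Thresholds are
    assumptions chosen for the sample."""
    buckets = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        # Align each record to the start of its fixed-size time window.
        start = rec["ts"] - (rec["ts"] - datetime.min) % window
        buckets[start].append(rec)
    findings = []
    for start, recs in sorted(buckets.items()):
        fails = [r for r in recs if r["result"] == "fail"]
        failed_users = {r["user"] for r in fails}
        per_ip = Counter(r["ip"] for r in fails)
        if fails and len(failed_users) >= min_failed_users \
                and max(per_ip.values()) <= max_fails_per_ip:
            findings.append({"window_start": start.isoformat(),
                             "failed_users": len(failed_users),
                             "source_ips": len(per_ip),
                             "user_agents": len({r["ua"] for r in fails})})
    return findings
```

In the sample, the 10:00 window is flagged (six different users fail, each from a different IP) while ivan’s two typos at 11:30 are not, which is the distinction an alert rule needs so that ordinary mistyped passwords do not drown out a distributed attack.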
Find a Cybersecurity Partner
As cybercriminals’ tactics become more sophisticated, breaches have become less about if and more about when. Stolen credentials can create a domino effect, causing one breach to lead to another. Businesses need comprehensive cybersecurity solutions to mitigate their risks and stay compliant. Work with a cybersecurity partner like Coretelligent. Our CoreArmor cybersecurity solution provides real-time protection and threat intelligence to safeguard your systems and ensure you are aligned with regulatory standards.
Do you have questions about maintaining security and compliance? Coretelligent can help! Give us a call at 1-855-841-5888 or contact us today.
Read our blog for more information on OCIE’s recent ransomware alert.