NY AG: All Businesses Should Take ‘Credential Stuffing’ Attacks Seriously

Credential stuffing has quickly become one of the top attack vectors online, according to the Office of New York State Attorney General Letitia James (OAG). On January 6, 2022, the OAG announced the result of a sweeping investigation that discovered that 1.1 million online accounts had been compromised through credential stuffing accounts at 17 well-known companies.

The OAG report states that credential stuffing is now one of the most common forms of cyberattack. Indeed, one large content delivery network reported that in 2020, it witnessed more than 193 billion credential stuffing attacks. It is not, however, a problem that is limited to big companies. Every business with an online presence risks falling victim to a credential stuffing attack.

The announcement provided a link to Business Guide for Credential Stuffing Attacks, which describes the problem and safeguards for businesses to take to protect themselves against attacks.

Credential Stuffing

Credential stuffing occurs when a bad actor uses log-in information, (generally usernames and passwords) stolen from one website to break into other websites. The persistent practice of using the same password across multiple websites, despite advice to the contrary, makes credential stuffing possible. Once credentials have been obtained from one site, bad actors attempt to use them elsewhere.

In a typical credential stuffing attack, an attacker makes bulk log-in attempts using hundreds of thousands, if not millions, of stolen credentials that the attacker has obtained from the dark web or hacking forums. According to the OAG, even if only a small percentage of the log-in attempts succeed, given the huge volume of the attempts, thousands of accounts will be compromised. Once in, the attacker may exploit credit, bank or gift card or accountholder information for phishing purposes or attacks on other accounts. The attacker may also resell the log-in information on the dark web.

What Can Be Done?

According to the OAG, credential stuffing attacks have become so prevalent as to be an almost unavoidable risk for most businesses. The OAG provides suggested safeguards, although not exhaustive, that may be effective for a broad range of businesses, depending on the businesses’ size, complexity and the sensitivity of customer data that each business maintains. The OAG recommends that businesses implement safeguards in each of four areas:

A. Defending against credential stuffing attacks

These are three most effective safeguards against credential stuffing:

1. 1. Bot Detection – use of special software that identifies and blocks bot-generated traffic, even when the bot has been disguised to resemble a human user
   2. Multi-Factor Authentication (MFA) – requires the user to provide two or more credentials that must include not just the user’s password, but also “something that the user has” (like a mobile phone) and/or “something that the user is” (like a fingerprint or face recognition). Typically, businesses require users to use a physical security key, an authentication app or email, or require users to enter a onetime code they receive via text message, email or phone
   3. Password-less Authentication – users access their account using the “something the user has” and/or “something the user is” criteria, without using a password.

In addition to the foregoing, the OAG suggests businesses employ a variety of settings using a Web Application Firewall (WAF) and programs that prevent the reuse of previously compromised passwords.

B. Detecting a credential stuffing breach

As a result of what the OAG refers to as businesses’ “never-ending race against attackers,” no method is likely to prevent all credential stuffing attacks. It is therefore recommended that every business employ methods to detect the attacks when they occur.

1. 1. Because even the most-sophisticated attackers leave digital footprints, such as spikes in traffic volume and/or excessive failed login attempts, automated, systemic monitoring of network traffic is an effective tool to detect an attack.
   2. Businesses should also consider systematically monitoring customer reports and unauthorized access to discern a pattern or growth in the volume of complaints. To do so, businesses need a clear, secure channel of communication that its customers may use to report their concerns.
   3. Businesses should notify their customers when, based on its criteria, they observe unusual or suspicious activity on a customer’s account and ask that the customer confirm that they were, indeed, the source of the activity.
   4. A business may employ threat intelligence services, which monitor online message boards and forums for signs that a company’s credentials or accounts have been compromised.

C. Preventing fraud and misuse of customer information

Should customers’ login credentials be stolen, businesses can and should reduce the risk that an attacker can use those credentials to make fraudulent purchases or otherwise benefit from the credentials’ use.

1. 1. First and foremost, the OAG recommends that every business require that the user “reauthenticate” the payment, credit or gift card information at the time of purchase and not rely exclusively on information that has been stored in their user account. “Critically, businesses should require reauthentication for every method of payment they accept.”
   2. It is also recommended that businesses employ third-party fraud detection services that analyze customer and transaction data to identify suspicious or fraudulent transactions.
   3. Social engineering is often a component of credential stuffing attacks. Attackers often successfully sidestep security features, like MFA requirements, by using social engineering techniques to convince customer service representatives to bypass protections. Businesses should develop policies and train their customer representatives in those polices to detect and avoid social engineering.
   4. Because stored gift cards are among the most attractive targets, businesses should enact reasonable practices to protect against their unauthorized use, such as reauthentication of the user and balance, obfuscation of the entire gift card number online, and limitations on the transfer of gift card balances between user accounts.

 D. Responding to credential stuffing incident

Finally, as with all types of attacks, businesses should prepare for the inevitable credential stuffing attack with a written response plan. At a minimum, the response plan should include:

1. 1. Investigation – The suspicion that customer accounts have been targeted should trigger a prompt investigation. The investigation should include whether and how the attack occurred, which accounts were affected, and what needs to be done in response.
   2. Remediation – Remediation has two purposes: It should block any further intrusion or harm stemming from the attack at issue and should prevent future attacks that exploit the same vulnerability.
   3. Notification – In many cases, businesses have a responsibility to notify customers when they know or have reason to believe that customers’ accounts have been compromised. This enables customers to update their credentials throughout their accounts and take other steps (such as a credit freeze) to protect their resources.

Notification requirements are defined in a patchwork of federal and state laws depending on the location of the customer, the nature of the information that has been accessed and the industry in which the business operates. Businesses that have purchased cyber-insurance coverage may also have an obligation to notify their insurance carrier and may receive its assistance in responding.

We recommend that you discuss any incident with your attorney, insurance carrier and information technology professionals to determine how to reduce the risk of credential stuffing attacks and how to respond if one should occur.