The Australian retail sector is under increased scrutiny and facing an escalating threat: a rise in cyberattacks that specifically target user credentials.
This surge in cyber threats is not confined to a localised issue; rather, it underscores a more widespread challenge affecting organisations on a global scale. At the forefront of these attacks is a method known as credential stuffing, posing a substantial challenge for entities that rely on usernames and passwords as the primary means of user authentication.
The fundamental problem lies in the inherent difficulty users face in managing numerous login credentials across the multitude of websites they engage with. Faced with this challenge, individuals often succumb to the temptation of reusing passwords across different platforms, inadvertently enabling cybercriminals to gain access to their accounts.
Complicating matters further is the alarming trend of websites falling victim to hacks, resulting in the sale or free distribution of user data on the dark web. Cybercriminals understand this behaviour and capitalise on password reuse: they take the username and password pairs from breached data and ‘credential stuff’ them, typically with automated tooling, into the login forms of other websites, hoping that some of the pairs work there too.
Recent incidents, such as the attacks on popular retailers like Dan Murphy’s and Guzman y Gomez, have showcased the tangible repercussions of credential stuffing. In these cases, attackers not only gained unauthorised access to user accounts but also exploited saved payment information, such as credit card details and gift cards, to make illicit purchases.
For users, the primary line of defence against credential stuffing is a commitment to not reuse passwords across multiple platforms. While the challenge of remembering multiple passwords is undeniable, the solution lies in adopting tools like password managers.
These applications not only generate complex and unique passwords for each website but also relieve users from the burden of memorising them. Though it may seem unconventional, even users who write down passwords in a password book are more secure than those who reuse passwords. With the prevalence of such tools, improving password security is not far from reach.
However, the onus doesn’t rest solely on the shoulders of users. Organisations must play a pivotal role in enhancing their security posture by protecting their users from credential stuffing attacks. One effective strategy is the implementation of multifactor authentication (MFA). By requiring users to present an additional verification factor before access is granted, MFA remains a robust defence even when the password itself has already been stolen.
Additionally, companies can proactively identify compromised passwords by comparing them against breached password datasets. This involves checking passwords against those leaked in previous breaches to identify any overlap with their own user accounts. Because stored password hashes are salted, the comparison has to happen at the moment a password is submitted in the clear: at registration, on password change and at login. By promptly identifying and addressing compromised passwords, organisations can thwart credential stuffing attempts before they escalate into security breaches.
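The following is an added example written for this article, not Tenable's code or any vendor's product. It screens a submitted password against a breached-password corpus without handing the password, or even its full hash, to the lookup service: only the first five hex characters of the SHA-1 hash leave the application, and the comparison against the returned suffixes happens locally. The corpus here is a small constructed stand-in built from a handful of passwords that appear in real leaks, with made-up counts, so it runs offline; the event names and the "force reset on login" policy are assumptions for illustration.

```python
"""Added example: breached-password screening with a k-anonymity range lookup.

Example code for this article, not Tenable's or any vendor's implementation.
The five-character SHA-1 prefix scheme mirrors the range query used by public
breached-password services; RANGE_INDEX is a constructed stand-in for that
service so the code runs offline.
"""
import hashlib
from typing import Dict, List, Tuple

# Constructed sample corpus (assumption): (plaintext, times seen in leaks).
# The counts are invented round numbers. A real corpus stores hashes only.
_SAMPLE_LEAKED: List[Tuple[str, int]] = [
    ("password", 1_000_000),
    ("123456", 5_000_000),
    ("qwerty", 500_000),
    ("letmein", 50_000),
    ("P@ssw0rd", 10_000),
]


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the password, the key format of the corpus."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(leaked: List[Tuple[str, int]]) -> Dict[str, List[Tuple[str, int]]]:
    """Index the corpus by 5-char prefix -> [(35-char suffix, count), ...]."""
    index: Dict[str, List[Tuple[str, int]]] = {}
    for plaintext, count in leaked:
        digest = sha1_hex(plaintext)
        index.setdefault(digest[:5], []).append((digest[5:], count))
    return index


RANGE_INDEX = build_range_index(_SAMPLE_LEAKED)


def range_lookup(prefix: str) -> List[Tuple[str, int]]:
    """Stand-in for the network call to the breached-password service.

    The service receives only the 5-char prefix, which in a real corpus matches
    hundreds of unrelated hashes, and returns every suffix it holds under it.
    """
    if len(prefix) != 5 or any(c not in "0123456789ABCDEF" for c in prefix):
        raise ValueError("prefix must be 5 upper-case hex characters")
    return RANGE_INDEX.get(prefix, [])


def breach_count(password: str) -> int:
    """How many times the password appears in the corpus (0 = not found)."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    # The suffix is compared locally; the lookup service never sees it.
    for candidate_suffix, count in range_lookup(prefix):
        if candidate_suffix == suffix:
            return count
    return 0


def screen_password(password: str, event: str) -> str:
    """Policy hook (assumed policy, not from the article).

    The plaintext is only available at these moments, because the stored hash
    is salted and cannot be matched against a corpus later:
      registration / change : refuse to set a known-breached password
      login                 : the password is correct, so do not lock the user
                              out, but force a reset before the session is useful
    """
    count = breach_count(password)
    if count == 0:
        return "ok"
    if event in ("registration", "change"):
        return "reject"
    if event == "login":
        return "force_reset"
    raise ValueError(f"unknown event {event!r}")


if __name__ == "__main__":
    for pw, ev in [("password", "registration"), ("P@ssw0rd", "login"),
                   ("correct horse battery staple", "login")]:
        print(f"{ev:<12} {pw!r:<34} seen={breach_count(pw):<9} -> {screen_password(pw, ev)}")
```

Screening at login is what turns a passive dataset into a credential stuffing control: a reused password that has already leaked gets retired before the attacker's automated run reaches it, while a genuinely unique password is never rejected.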
While both measures are crucial, the emphasis on multifactor authentication is paramount. MFA acts as a formidable deterrent, adding an extra layer of security that significantly reduces the likelihood of successful unauthorised access. By combining something the user knows (a password) with something they have (for example, a one-time code generated on or sent to a mobile device), MFA creates a dynamic defence that is challenging for attackers to overcome.
However, it should be noted that SMS-based multifactor authentication can also be thwarted, as we saw recently with the attack against the United States Securities and Exchange Commission’s Twitter account, which was the result of a concerted attack known as SIM swapping: the attacker convinces the mobile carrier to move the victim’s phone number to a SIM card the attacker controls, so the SMS codes are delivered to the attacker instead. Therefore, we encourage organisations to consider implementing MFA with an emphasis on the use of app-based authenticators, where the code is derived from a secret shared with the app rather than transmitted over the phone network.
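To make the distinction between SMS codes and app-based authenticators concrete, here is an added example, written for this article and not taken from Tenable or any authenticator product, of the server side of a time-based one-time password (TOTP) check as used by authenticator apps. It implements RFC 4226 (HOTP) and RFC 6238 (TOTP) from the standard library only, using the RFC 6238 test secret so the expected codes are known; the skew window of one step and the replay bookkeeping are common choices, assumed here rather than mandated by the RFCs.

```python
"""Added example: verifying app-based (TOTP) authenticator codes server-side.

Example code for this article, not Tenable's or any product's implementation.
Both the app and the server derive the code from a shared secret and the
current time, so nothing is sent over the phone network and SIM swapping
gives an attacker nothing to intercept.
"""
import hashlib
import hmac
import struct
import time
from typing import Optional

# RFC 6238 Appendix B test secret for HMAC-SHA1 (ASCII "12345678901234567890").
RFC6238_SECRET = b"12345678901234567890"
TIME_STEP = 30  # seconds per code, the usual authenticator-app default


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, digits: int = 6, step: int = TIME_STEP) -> str:
    """RFC 6238: HOTP whose counter is the number of time steps since the epoch."""
    return hotp(secret, unix_time // step, digits)


class TotpVerifier:
    """Checks a code typed in from an authenticator app.

    A window of +/-1 step tolerates clock skew between phone and server. The
    last accepted step is remembered so a code that was captured (phished or
    shoulder-surfed) cannot be replayed within its validity period.
    """

    def __init__(self, secret: bytes, digits: int = 6, window: int = 1, step: int = TIME_STEP):
        self.secret = secret
        self.digits = digits
        self.window = window
        self.step = step
        self.last_accepted_counter = -1

    def verify(self, submitted: str, unix_time: Optional[int] = None) -> bool:
        if unix_time is None:
            unix_time = int(time.time())
        counter_now = unix_time // self.step
        for counter in range(counter_now - self.window, counter_now + self.window + 1):
            if counter <= self.last_accepted_counter:
                continue  # already consumed (or older than one consumed): reject replays
            expected = hotp(self.secret, counter, self.digits)
            # Constant-time comparison so response timing leaks nothing about the digits.
            if hmac.compare_digest(expected, submitted):
                self.last_accepted_counter = counter
                return True
        return False


if __name__ == "__main__":
    verifier = TotpVerifier(RFC6238_SECRET, digits=8)
    print(totp(RFC6238_SECRET, 59, digits=8))           # 94287082, per RFC 6238
    print(verifier.verify("94287082", unix_time=59))    # True
    print(verifier.verify("94287082", unix_time=59))    # False: replay rejected
```

The secret is provisioned once, usually via a QR code at enrolment, and never leaves the device or the server afterwards; the only thing an attacker can obtain from the carrier is a phone number that plays no part in the calculation. What TOTP does not defend against is a real-time phishing proxy that relays the code within its 30-second window, which is why phishing-resistant authenticators (FIDO2 security keys or passkeys) are the next step up.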
Furthermore, organisations should prioritise educating users about the risks associated with password reuse and the benefits of adopting secure practices. Clear communication about the implementation of multifactor authentication and the use of password managers can empower users to actively contribute to the protection of their accounts.
The surge in credential stuffing attacks highlights the need for a unified response from both users and organisations. Through collaborative efforts, users and organisations can build a more resilient digital landscape, effectively thwarting the insidious threat posed by credential stuffing.
Satnam Narang is senior staff research engineer at Tenable.