• Latest
Attorney General James Alerts 17 Companies to “Credential Stuffing” Cyberattacks Impacting More Than 1.1 Million Consumers

Attorney General James Alerts 17 Companies to “Credential Stuffing” Cyberattacks Impacting More Than 1.1 Million Consumers

January 7, 2022
Policy Abuse Fraud: What Is It and How to Protect Against It

nSure.ai Delivers Growth to Digital Commerce Leaders and Boosts YoY Revenue by 280%

January 25, 2023
Fraugster and Refurbed partner to increase approval rates and reduce fraud for refurbished electronics marketplace

Sift Appoints Former Ping Identity COO Kris Nagel as CEO

January 20, 2023
Veridos Announces Innovatrics as Strategic Partner for Advanced DNA ID Verification

Veridos Announces Innovatrics as Strategic Partner for Advanced DNA ID Verification

January 19, 2023
New Podcast Episode: Walls of Thieving Cellphones with Nethone

New Podcast: How to Stop Return Policy Abuse Fraud

January 10, 2023
How to Write a Strong Chargeback Policy: Tips to Help You Protect Your Business

How to Write a Strong Chargeback Policy: Tips to Help You Protect Your Business

January 6, 2023

Anti-money laundering: Frequently Asked Questions

January 3, 2023
Card Not Present Fraud: How Companies Lose Nearly $10 Billion Per Year

Chargeback Fraud: How to Prevent it and What to Do if it Happens

January 1, 2023
Tailgating cybersecurity threat prevention

Tailgating cybersecurity threat prevention

December 30, 2022
AuthenticID Announces Partnership with Milk & Honey Labs

Axerve Partners With ACI Worldwide to Help eCommerce Businesses Grow Revenues in the U.K.

December 27, 2022
Best Risk Management Software

Best Risk Management Software

December 26, 2022
New Podcast Episode: Walls of Thieving Cellphones with Nethone

New Podcast: Know Your Customer. Or else.

December 20, 2022
Account Takeovers

Account Takeovers

December 11, 2022
  • Contribute
  • Contact Us
  • About
  • Join Us
  • Advertise
Saturday, January 28, 2023
Merchant Fraud Journal
  • Home
  • Articles
    • Chargebacks
    • Fraud Prevention
    • Influencer Insights
  • Resources
    • Recorded Webinars
    • Podcasts
    • Vendor Directory
    • eCommerce Fraud Reports
    • Training and Certifications
    • Jobs Board
    • Associations and Non-Profits
  • News
No Result
View All Result
  • Home
  • Articles
    • Chargebacks
    • Fraud Prevention
    • Influencer Insights
  • Resources
    • Recorded Webinars
    • Podcasts
    • Vendor Directory
    • eCommerce Fraud Reports
    • Training and Certifications
    • Jobs Board
    • Associations and Non-Profits
  • News
No Result
View All Result
Merchant Fraud Journal
No Result
View All Result

Attorney General James Alerts 17 Companies to “Credential Stuffing” Cyberattacks Impacting More Than 1.1 Million Consumers

by Bradley
January 7, 2022
in News
Attorney General James Alerts 17 Companies to “Credential Stuffing” Cyberattacks Impacting More Than 1.1 Million Consumers

NEW YORK, January 5, 2022 – New York Attorney General Letitia James today announced the results of a sweeping investigation into “credential stuffing” that discovered more than 1.1 million online accounts compromised in cyberattacks at 17 well-known companies. Attorney General James released a “Business Guide for Credential Stuffing Attacks” that details the attacks — which involve repeated, automated attempts to access online accounts using usernames and passwords stolen from other online services — and how business can protect themselves. Credential stuffing has quickly become one of the top attack vectors online. Virtually every website and app use passwords as a means of authenticating its users. Unfortunately, users tend to reuse the same passwords across multiple online services. This allows cybercriminals to use passwords stolen from one company for other online accounts. Following discovery of the attacks, the Office of the Attorney General (OAG) alerted the relevant companies so that passwords could be reset and consumers could be notified. Today’s guide shares lessons learned over the course of the OAG’s investigation, including concrete guidance on steps businesses can take to better protect against credential stuffing attacks.

“Right now, there are more than 15 billion stolen credentials being circulated across the internet, as users’ personal information stand in jeopardy,” said Attorney General James. “Businesses have the responsibility to take appropriate action to protect their customers’ online accounts and this guide lays out critical safeguards companies can use in the fight against credential stuffing. We must do everything we can to protect consumers’ personal information and their privacy.”

What is Credential Stuffing?

Credential stuffing is a type of cyberattack that involves attempts to log in to online accounts using username and passwords stolen from other, unrelated online services. It relies on the widespread practice of reusing passwords as, chances are, a password used on one website was also used on another.

In a typical credential stuffing attack, an attacker may submit hundreds of thousands, or even millions, of login attempts using automated, credential-stuffing software and lists of stolen credentials downloaded from the dark web or hacking forums. Although only a small percentage of these attempts will succeed, through the sheer volume of login attempts, a single attack can nevertheless yield thousands of compromised accounts.

An attacker that gains access to an account can use it in any number of ways. The attacker can, for example, view personal information associated with the account, including a name, an address, and past purchases, and use this information in a phishing attack. If the account has a stored credit card or gift card, the attacker may be able to make fraudulent purchases. Or the attacker could simply sell the login credentials to another individual on the dark web.

Credential stuffing is one of the most common forms of cyberattack. The operator of one large content delivery network reported that it witnessed more than 193 billion such attacks in 2020 alone.

The OAG’s Investigation

In light of the growing threat of credential stuffing, the OAG launched an investigation to identify businesses and consumers impacted by this attack vector. Over a period of several months, the OAG monitored several online communities dedicated to credential stuffing. The OAG found thousands of posts that contained customer login credentials that attackers had tested in a credential stuffing attack and confirmed could be used to access customer accounts at websites or on apps. From these posts, the OAG compiled credentials to compromised accounts at 17 well-known online retailers, restaurant chains, and food delivery services. In all, the OAG collected credentials for more than 1.1 million customer accounts, all of which appeared to have been compromised in credential stuffing attacks.

The OAG alerted each of the 17 companies to the compromised accounts and urged the companies to investigate and take immediate steps to protect impacted customers. Every company did so. The companies’ investigations revealed that most of the attacks had not previously been detected.

The OAG also worked with the companies to determine how attackers had circumvented existing safeguards and provided recommendations for strengthening their data security programs to better secure customer accounts in the future. Over the course of the OAG’s investigation, nearly all of the companies implemented, or made plans to implement, additional safeguards.

The OAG’s Recommendations

Credential stuffing attacks have become so prevalent that they are, for most businesses, unavoidable. Every business that maintains online customer accounts should therefore have a data security program that includes effective safeguards for protecting customers from credential stuffing attacks. Safeguards should be implemented in each of four areas:

  1. Defending against credential stuffing attacks,
  2. Detecting a credential stuffing breach,
  3. Preventing fraud and misuse of customer information, and
  4. Responding to a credential stuffing incident.

Attorney General James’ guide presents specific safeguards that have been found to be effective in each of these areas. Some highlights from the guide include the following:

  • Three safeguards were found to be highly effective at defending against credential stuffing attacks when properly implemented: 1) bot detection services, 2) multi-factor authentication, and 3) password-less authentication.
  • Because no safeguard is 100 percent effective, it is critical that businesses have an effective way of detecting attacks that have bypassed other defenses and compromised customer accounts. Most credential stuffing attacks can be identified by monitoring customer traffic for signs of attacks (for example, spikes in traffic volume of failed login attempts).
  • One of the most effective safeguards for preventing attackers from using customers’ stored payment information is re-authentication at the time of purchase by, for example, requiring customers to re-enter a credit card number or security code. It is critically important that re-authentication be required for every method of payment that a business accepts. The OAG encountered many cases in which attackers were able to exploit gaps in fraud protection by making a purchase using a payment method that did not require re-authentication.
  • Businesses should have a written incident response plan that includes processes for responding to credential stuffing attacks. The processes should include investigation (e.g., determining whether and which customer accounts were accessed), remediation (e.g., blocking attackers’ continued access to impacted accounts), and notice (e.g., alerting customers whose account were reasonably likely to have been impacted).

This matter was handled by Senior Enforcement Counsel Jordan Adler, Assistant Attorney General Hanna Baek, Internet and Technology Analyst Joe Graham, and Legal Assistant Richard Borgia — all of the Bureau of Internet and Technology, under the supervision of Deputy Bureau Chief Clark Russell and Bureau Chief Kim Berger. The Bureau of Internet and Technology is a part of the Division for Economic Justice, which is overseen by Chief Deputy Attorney General Chris D’Angelo and overseen by First Deputy Jennifer Levy.


Source: https://ag.ny.gov/press-release/2022/attorney-general-james-alerts-17-companies-credential-stuffing-cyberattacks

Tags: credential stuffingDark Web
ShareTweetShareSend
Previous Post

Fraud Prevention Strategies for Ecommerce High Average Order Values (AOV)

Next Post

Red Dot Payment selects Radar Payments by BPC to take on global eCommerce fraud prevention

Next Post
Signifyd Partners With Capital One to Deliver Leading-Edge Fraud Protection and Drive Ecommerce Revenue to New Heights

Red Dot Payment selects Radar Payments by BPC to take on global eCommerce fraud prevention

Our Latest Reports

2022 Chargeback Consumer Survey Report

Fraud Prevention Tactics that Enable Exceptional Customer Experience

Addressing Payment Fraud and The Customer Experience in 2022

2022 Fraud Trends Report

ATO Fraud In Retail Report

2022 Customer Experience Report

3 Ways a Unified Chargeback Management and Fraud Platform Increases Revenue

Digital Trust And Safety Report: Combating the Evolving Complexities of Payment Fraud

On-Demand Webinars

Balancing Customer Experience and Fraud Prevention: What’s the Secret?

Stopping Fraud Across the Customer Lifecycle

Addressing Payment Fraud and the Customer Experience in 2022

 

Get the 2022 Fraud Trends Report

MFJ 2022 Fraud Trends Report

Search Our Site

No Result
View All Result

Our Sponsors

Featured Directory Listings

  • logo
    NoFraud
  • SEON. Fraud Fighters
  • sift logo
    Sift
  • Signifyd
  • Ekata
  • Microsoft Dynamics 365 Fraud Protection
  • PayRetailers
  • Spotrisk

Our Sponsors

Fraud Industry News

Policy Abuse Fraud: What Is It and How to Protect Against It

nSure.ai Delivers Growth to Digital Commerce Leaders and Boosts YoY Revenue by 280%

January 25, 2023
Fraugster and Refurbed partner to increase approval rates and reduce fraud for refurbished electronics marketplace

Sift Appoints Former Ping Identity COO Kris Nagel as CEO

January 20, 2023
Veridos Announces Innovatrics as Strategic Partner for Advanced DNA ID Verification

Veridos Announces Innovatrics as Strategic Partner for Advanced DNA ID Verification

January 19, 2023

Connect With Us

Quick Navigation

  • Home
  • News
  • Join Us
  • About Us
  • Contact Us
  • Advertise
  • Contribute
  • Privacy Policy

The Payments Media Network

Merchant Fraud Journal
Payments Review

Privacy Policy

Our Privacy Policy
Our Terms of Use

Resources

  • Articles
  • eCommerce Fraud Reports
  • eCommerce Fraud Webinars
  • Training and Certifications
  • Jobs Board
  • Associations and Non-Profits
  • Podcasts
  • Vendor Directory

Popular Posts

  • How to File a Claim With FedEx + What To Do If Claim is Denied

    How to File a Claim With FedEx + What To Do If Claim is Denied

    0 shares
    Share 0 Tweet 0
  • Top eCommerce Fraud Prevention Companies

    0 shares
    Share 0 Tweet 0
  • How Does Two-Factor Authentication (2FA) Work?

    0 shares
    Share 0 Tweet 0
  • How to Fight PayPal Chargeback Fraud

    0 shares
    Share 0 Tweet 0

Featured Vendors

  • NoFraud
  • SEON. Fraud Fighters
  • Sift
  • Signifyd
  • Ekata
  • Microsoft Dynamics 365 Fraud Protection
  • PayRetailers
  • Spotrisk

Download the 2022 Fraud Trends Report

No Result
View All Result
  • About Merchant Fraud Journal
    • Interested in Contributing or Guest Posting to Merchant Fraud Journal?
  • Advertise on Merchant Fraud Journal
  • Articles
    • Chargebacks
    • Fraud Prevention
    • Influencer Insights
  • Contact Us
  • Download Addressing Payment Fraud and Customer Experience Report
  • Download Chargebacks Consumer Survey Report 2022
  • Download Evolving Complexities of Payment Fraud Report
  • Download Fraud Prevention Tactics that Enable Exceptional Customer Experiences Report
  • Download the 2020 Chargeback and Representment Report
  • Download the 2020 Merchant Fraud Journal Vendor Guide
  • Download the 2021 Fraud Trends Report
  • Download the 2022 Fraud Trends Report
  • Download the 3 Ways a Unified Chargeback Management and Fraud Platform Increases Revenue Report
  • Download the MFJ 2022 Customer Experience Report
  • Download the MFJ ATO in Retail Report
  • Home
  • Job Dashboard
  • Join The Merchant Fraud Journal Community
  • Merchant Fraud Journal Advertising Agreement
  • MFJ Fraud Trends Report Giveaway
  • News
  • Post a Job
  • Privacy Policy
  • Resources
    • 2020 Chargeback Representment Guide for Merchants
    • 2020 Vendor Guide
    • 3 Ways a Unified Chargeback Management and Fraud Platform Increases Revenue
    • Addressing Payment Fraud and the Customer Experience in 2022
    • Associations and Non-Profits
    • ATO Fraud In Retail Report
    • Balancing Customer Experience and Fraud Prevention: What’s the Secret?
    • Chargebacks Consumer Survey Report 2022
    • Digital Trust & Safety: Combating the Evolving Complexities of Payment Fraud
    • eCommerce Fraud Reports
    • eCommerce Fraud Webinars
    • Fraud Prevention Tactics that Enable Exceptional Customer Experiences
    • Fraud Prevention Training and Certifications
    • How to Build a Recession Proof Chargeback Prevention Strategy
    • How to Stop Fraud During the 2022 Holiday Season
    • Jobs Board
    • Merchant Fraud Journal’s Fraud Trends 2020 Report
    • Merchant Fraud Journal’s Fraud Trends 2021 Report
    • Merchant Fraud Journal’s Fraud Trends 2022 Report
    • MFJ’s 2022 Customer Experience Report
    • Podcasts
    • Prevent High-Velocity Fraud Attacks During the 2021 Holiday Season
    • Stopping Fraud Across the Customer Lifecycle
    • Vendor Directory
    • Webinar – Addressing Payment Fraud and the Customer Experience in 2022
    • Webinar – Mitigating Fraud and Risk on the ACH Network
    • Win January Chargeback Disputes
  • Subscribed
  • Terms and Conditions

© 2021 Payments Media Solutions Canada Inc.

Are you sure want to unlock this post?
Unlock left : 0
Are you sure want to cancel subscription?