Credential stuffing attacks are becoming a frequent threat, as companies such as PCM, Sky, Dunkin’ Donuts, State Farm and, last week, Transport for London (TFL) learned with their Oyster cards. So what are they? Wikipedia says, "Credential stuffing is a type of cyberattack where stolen account credentials typically consisting of lists of usernames and/or email addresses and the corresponding passwords (often from a data breach) are used to gain unauthorized access to user accounts through large-scale automated login requests directed against a web application. The attacker automates the logins for thousands to millions of previously discovered credential pairs using standard web automation tools like Selenium, cURL, PhantomJS or tools designed specifically for these types of attacks like Sentry MBA".

What can you do to avoid becoming a victim of this type of attack? Work out a system for yourself where you have a different password for every website you visit. "What? I could never remember all that" ... you won't need to. Let me explain.

First: consider creating a unique e-mail address that does not contain your username, and a unique password, for each account.

Next: start with a new Gmail account. As an example, I might create an account called [email protected] and use it as the username at various sites, with the website name or the first 3 letters of the site name appended to the end. For AWS it becomes [email protected]. Gmail ignores anything after the +, so mail still arrives at [email protected] and can be forwarded from that account to my primary account, but as a username it is unique to that site. (Just remember that Google tracks purchases by reading your e-mails, as covered in a previous weekly update.)

Next, consider a similar scheme for your passwords. These can be tracked in something as simple as a password manager or an encrypted spreadsheet.

Put 2-factor/multi-factor authentication in place for every website that supports it. Even SMS beats just a password, and authenticator mechanisms like Google Authenticator, Authy or the new open source andOTP are better options. When a website is compromised (plan on that happening these days) you won't have to worry about your other accounts being compromised too!
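The Wikipedia definition above describes the attacker's side: one credential pair tried per account, at scale. The defender's consequence is that a per-account lockout ("5 wrong passwords and the account locks") never fires, because each account only sees one or two attempts; the spray shows up instead at the source level, as one origin hitting many different usernames with a high failure rate. The script below, added here as an example and not code from the original post, runs that check over a handful of constructed log lines. The log format (`timestamp src=IP user=NAME result=OK|FAIL`), the IP addresses (RFC 5737 documentation ranges) and the thresholds (5 attempts in a 5-minute window, 80% distinct usernames) are all assumptions made for the example.

```python
"""Telling credential stuffing apart from brute force in web login logs.

Added example, not part of the original post. The log format, sample
lines and thresholds below are constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (hypothetical format). 198.51.100.4 sprays one
# attempt each across many accounts and gets one hit (erin); 203.0.113.9
# hammers a single account; 203.0.113.7 is an ordinary user.
SAMPLE_LOG = """\
2019-08-20T10:00:01Z src=203.0.113.7 user=alice result=OK
2019-08-20T10:00:02Z src=198.51.100.4 user=bob result=FAIL
2019-08-20T10:00:02Z src=198.51.100.4 user=carol result=FAIL
2019-08-20T10:00:03Z src=198.51.100.4 user=dave result=FAIL
2019-08-20T10:00:03Z src=198.51.100.4 user=erin result=OK
2019-08-20T10:00:04Z src=198.51.100.4 user=frank result=FAIL
2019-08-20T10:00:04Z src=198.51.100.4 user=grace result=FAIL
2019-08-20T10:00:05Z src=198.51.100.4 user=heidi result=FAIL
2019-08-20T10:00:09Z src=203.0.113.9 user=ivan result=FAIL
2019-08-20T10:00:10Z src=203.0.113.9 user=ivan result=FAIL
2019-08-20T10:00:11Z src=203.0.113.9 user=ivan result=FAIL
2019-08-20T10:00:12Z src=203.0.113.9 user=ivan result=FAIL
2019-08-20T10:00:13Z src=203.0.113.9 user=ivan result=FAIL
2019-08-20T10:00:13Z src=203.0.113.9 user=ivan result=FAIL
2019-08-20T10:00:14Z src=203.0.113.9 user=ivan result=FAIL
2019-08-20T10:30:00Z src=203.0.113.7 user=alice result=FAIL
"""

LINE_RE = re.compile(r"^(\S+) src=(\S+) user=(\S+) result=(OK|FAIL)$")


def parse(log_text):
    """Return a list of (timestamp, src, user, result) tuples; skip junk lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m.group(2), m.group(3), m.group(4)))
    return events


def classify_sources(events, window=timedelta(minutes=5),
                     min_attempts=5, spray_ratio=0.8):
    """Label each source IP 'stuffing' or 'bruteforce' from any sliding window.

    stuffing:   >= min_attempts in the window and most of them against
                different usernames (distinct users / attempts >= spray_ratio)
    bruteforce: >= min_attempts failures in the window, all on one username
    Sources that trip neither rule are left out of the result.
    """
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev[1]].append(ev)

    labels = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e[0])
        for i, (start_ts, _, _, _) in enumerate(evs):
            win = [e for e in evs[i:] if e[0] - start_ts <= window]
            attempts = len(win)
            if attempts < min_attempts:
                continue
            users = {e[2] for e in win}
            fails = sum(1 for e in win if e[3] == "FAIL")
            if len(users) / attempts >= spray_ratio:
                labels[src] = "stuffing"
                break
            if len(users) == 1 and fails >= min_attempts:
                labels[src] = "bruteforce"
                break
    return labels


def failures_per_account(events, src=None):
    """Failed logins per username, optionally restricted to one source IP."""
    fails = defaultdict(int)
    for _, s, user, result in events:
        if result == "FAIL" and (src is None or s == src):
            fails[user] += 1
    return dict(fails)


def compromised_accounts(events, labels):
    """Usernames that logged in successfully from a source labelled 'stuffing'.

    These are the reused passwords the post warns about: the account itself
    did nothing wrong, but its credentials came from someone else's breach.
    """
    return sorted({user for _, src, user, result in events
                   if result == "OK" and labels.get(src) == "stuffing"})


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    labels = classify_sources(evs)
    print("source labels:", labels)
    print("max failures on any one account from the stuffing source:",
          max(failures_per_account(evs, "198.51.100.4").values()))
    print("accounts to force a password reset on:", compromised_accounts(evs, labels))
```

On the sample, the stuffing source never produces more than one failure per account, so an account-lockout rule is blind to it, while the brute-force source is caught by either rule. In a real deployment the spray is usually spread over many proxy IPs, so the same distinct-username and failure-ratio signals should also be computed site-wide per window, not only per source; and the accounts that did log in successfully from a flagged source are the ones whose owners reused a password and need a reset plus the second factor the post recommends.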