Are you helping criminals access your customers’ information?
Passwords alone will not protect consumer information, and organisations today have to be more vigilant than ever in preventing unauthorised access to their customers' data.
A wide range of shopping, finance, media and consumer websites encourage customers to register an 'account' to store their details and payment information, speeding up and improving their experience.
However, recent research suggests individuals now have an average of 92 online accounts, a number that is doubling every five years!
And as consumers often use the same user ID/password combination across tens (or even hundreds) of websites, their information is seriously at risk of breach.
The simple message is that organisations cannot offer adequate security to customers if they rely on basic password mechanisms alone.
Organisations need to consider additional measures to protect customer information from emerging threats, including the cryptically named 'credential stuffing'.
In the past, breaking into user accounts needed advanced technical skills and a lot of free time. Organisations became aware of these traditional attack methods and typically mitigated them by blocking repeated log-in attempts, particularly when they came from the same IP address.
However, simpler, faster and more effective methods now exist for infiltrating user accounts, giving attackers access to the information organisations hold on their customers, staff members and operations.
As a result of previous breaches, millions of stolen credentials are readily available on online black markets, criminal forums and public websites.
Attackers feed these credentials into simple automated tools that test millions of username and password combinations in seconds, establishing which of them work on particular websites and applications. Because the attempts are spread across many different accounts (and often many source addresses), each account sees only one or two tries, so the per-IP blocking described above rarely triggers.
This risk has worsened as organisations increasingly encourage customers to sign up using their personal email address as their username, which means the username is often identical across organisations.
If a staff member or customer uses the same password for their social media and email accounts, as is likely, they are also likely to fall victim to a breach on your organisation's platforms. Such a breach could:
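The detection logic below, added here as an illustration and not part of the original article, shows why per-IP blocking catches classic brute force but misses credential stuffing, and what signal does catch it. It runs over a constructed list of login events (timestamp, source IP, username, success) covering four hypothetical scenarios: two legitimate users, one IP hammering a single account, one IP trying a leaked credential list, and a distributed run where six IPs each make a single attempt. The thresholds are assumptions chosen for the sample data, not values recommended by the article.

```python
from collections import defaultdict

# Constructed sample events: (timestamp in seconds, source IP, username, success).
SAMPLE_EVENTS = [
    (0, "203.0.113.10", "alice@example.com", True),
    (5, "198.51.100.5", "bob@example.com", False),   # a typo, then success
    (10, "198.51.100.5", "bob@example.com", True),
]
# Classic brute force: one IP hammers one account.
SAMPLE_EVENTS += [(120 + i, "192.0.2.50", "alice@example.com", False) for i in range(8)]
# Credential stuffing from a single IP: one try per leaked username, one of them lands.
SAMPLE_EVENTS += [(180 + i, "192.0.2.77", f"user{i}@example.com", i == 3) for i in range(10)]
# Distributed stuffing: six IPs, one attempt each, staying under any per-IP lockout.
SAMPLE_EVENTS += [(240 + i, f"192.0.2.{100 + i}", f"victim{i}@example.com", False) for i in range(6)]


def per_ip_stats(events):
    """Aggregate attempts, distinct usernames and failures per source IP."""
    stats = {}
    for _ts, ip, user, ok in events:
        s = stats.setdefault(ip, {"attempts": 0, "users": set(), "failures": 0})
        s["attempts"] += 1
        s["users"].add(user)
        if not ok:
            s["failures"] += 1
    return stats


def classify_ip(s, min_attempts=5, fail_ratio=0.5, distinct_ratio=0.8):
    """Label one IP's activity. Thresholds are assumptions for the sample data."""
    if s["attempts"] < min_attempts:
        return "benign"
    if s["failures"] / s["attempts"] < fail_ratio:
        return "benign"
    # Stuffing: nearly every attempt targets a different account.
    if len(s["users"]) / s["attempts"] >= distinct_ratio:
        return "credential_stuffing"
    # Brute force: many failures against a single account.
    if len(s["users"]) == 1:
        return "brute_force"
    return "suspicious"


def classify_all(events):
    return {ip: classify_ip(s) for ip, s in per_ip_stats(events).items()}


def distributed_stuffing_windows(events, window=60, min_failures=5, distinct_ratio=0.8):
    """Return the start times of time windows whose failures look like distributed stuffing:
    many failures, almost all against different accounts AND from different IPs.
    Per-IP counters never fire on this pattern, so the check has to be global."""
    buckets = defaultdict(lambda: {"failures": 0, "users": set(), "ips": set()})
    for ts, ip, user, ok in events:
        if ok:
            continue
        b = buckets[(ts // window) * window]
        b["failures"] += 1
        b["users"].add(user)
        b["ips"].add(ip)
    flagged = []
    for start, b in sorted(buckets.items()):
        if b["failures"] < min_failures:
            continue
        if (len(b["users"]) / b["failures"] >= distinct_ratio
                and len(b["ips"]) / b["failures"] >= distinct_ratio):
            flagged.append(start)
    return flagged


if __name__ == "__main__":
    for ip, label in classify_all(SAMPLE_EVENTS).items():
        print(f"{ip:15} {label}")
    print("distributed stuffing windows:", distributed_stuffing_windows(SAMPLE_EVENTS))
```

The per-IP classifier labels 192.0.2.50 as brute force and 192.0.2.77 as credential stuffing, but marks each of the six single-attempt addresses as benign; only the window-level check flags the 240-second bucket. In practice the same global signal (failure rate and distinct-account ratio across all traffic) is what a monitoring capability should alert on, alongside per-account throttling.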
- Enable financial crimes and fraud
- Provide a platform to send scam and phishing emails to customers
- Impact your organisation’s reputation in the market
- Negatively affect customers’ trust in your brand.
Example: A popular news website was compromised by attackers who obtained the login credentials of a third party and used them to place malware on the site.
Site users were then lured into clicking a malicious link that compromised their credit card details. As the launch pad for this large malware outbreak, the organisation's reputation was severely damaged.
In addition to a large financial loss, the organisation lost customer trust, which had a lasting impact on its standing in the market.
63% of confirmed data breaches involve weak, default, or stolen passwords - Verizon Data Breach Investigations Report, 2016.
The evidence is clear: Passwords are not a sufficient control to prevent “credential stuffing”!
We are online hoarders
The average number of accounts registered to one user by country:
- US – 130
- UK – 118
- France – 95
- Rest of the world – 92
The number of accounts we use is doubling every five years
Protecting your customers’ information from ‘credential stuffing’
- Consider additional forms of authentication to augment passwords, such as a one-time code sent by SMS, a physical token, or biometric/voice methods. These are particularly useful for confirming identity when there is activity from a new computer or device. Note that SMS codes are the weakest of these options (they can be intercepted or redirected through SIM-swap fraud), so prefer app- or hardware-based factors where practical
- Test new passwords against a dictionary of common passwords, and against lists of credentials exposed in known breaches, and reject those which match
- Implement controls which prevent password 'brute-forcing' or 'credential stuffing', such as automated lock-out or progressively increasing time-delays on repeated attempts to log in. Apply them per account as well as per source IP address, since credential-stuffing tools spread their attempts across many accounts and addresses
- Educate your staff members and customers to protect their own information, and any email accounts that are linked for the purposes of password resets.
- Ensure you have dedicated staff members to address cyber-crime and cyber awareness
- Put procedures in place for crisis management to cover both technology and business issues
- Consider your local and global breach notification requirements
- Ensure you have a cyber-threat intelligence and monitoring capability to identify any potential breaches to your customer or business data
- Understand the risk of ‘credential stuffing’
- Understand the prevalent risks in your industry.
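The following is an added example, not code from the article, showing two of the controls above working together: rejecting passwords that match a common-password dictionary at registration, and applying a per-account progressive delay that escalates to a lock-out after repeated failures. The password list, the account service, the user name "carol" and all timing thresholds are constructed for the example; a real deployment would use a large breach-derived list and a stronger password hash cost.

```python
import hashlib
import hmac
import os
import re

# Constructed denylist; in production use a large list derived from real breaches.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome", "iloveyou", "football"}

_TRAILING = re.compile(r"[\d!@#$%^&*.]+$")


def normalise(password):
    """Fold the cheap variations users add to a dictionary word ("Password1!" -> "password")."""
    return _TRAILING.sub("", password.lower())


def is_weak_password(password, min_length=12):
    return len(password) < min_length or normalise(password) in COMMON_PASSWORDS


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256. Iteration count kept modest for the example."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


class LoginThrottle:
    """Per-account progressive delay: 2s, 4s, 8s ... capped, then a long lock-out."""

    def __init__(self, base_delay=2.0, max_delay=60.0, lockout_after=10, lockout_seconds=900):
        self.base_delay = base_delay
        self.max_delay = max_delay
        self.lockout_after = lockout_after
        self.lockout_seconds = lockout_seconds
        self._state = {}  # username -> (consecutive failures, blocked_until)

    def check(self, username, now):
        """Return (allowed, seconds until the account may be tried again)."""
        _failures, blocked_until = self._state.get(username, (0, 0.0))
        if now < blocked_until:
            return False, blocked_until - now
        return True, 0.0

    def record(self, username, success, now):
        if success:
            self._state.pop(username, None)
            return
        failures, _ = self._state.get(username, (0, 0.0))
        failures += 1
        if failures >= self.lockout_after:
            wait = self.lockout_seconds
        else:
            wait = min(self.base_delay * 2 ** (failures - 1), self.max_delay)
        self._state[username] = (failures, now + wait)


# Dummy record so unknown usernames cost the same hashing work as real ones
# (avoids a timing side channel that would reveal which accounts exist).
_DUMMY_RECORD = hash_password("not-a-real-password")


class AccountService:
    def __init__(self):
        self.users = {}  # username -> (salt, digest)
        self.throttle = LoginThrottle()

    def register(self, username, password):
        if is_weak_password(password):
            raise ValueError("password is too short or on the common-password list")
        self.users[username] = hash_password(password)

    def login(self, username, password, now):
        """Return "throttled", "failed" or "ok"."""
        allowed, _retry_after = self.throttle.check(username, now)
        if not allowed:
            return "throttled"
        salt, digest = self.users.get(username, _DUMMY_RECORD)
        ok = hmac.compare_digest(hash_password(password, salt)[1], digest) and username in self.users
        self.throttle.record(username, ok, now)
        return "ok" if ok else "failed"


if __name__ == "__main__":
    svc = AccountService()
    svc.register("carol", "correct horse battery staple")
    print(svc.login("carol", "wrong", now=0))          # failed, 2s delay starts
    print(svc.login("carol", "correct horse battery staple", now=1))  # throttled
    print(svc.login("carol", "correct horse battery staple", now=3))  # ok
```

Note that the throttle is keyed by account, not by source address, so a distributed credential-stuffing run that touches each account once still hits the delay on the second attempt against that account. Pair it with the global monitoring signal discussed earlier rather than relying on either control alone.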
This article was first published in Asia-Pacific Banking & Finance.