Credential Stuffing Claims More Victims

Insurance is the latest field to fall prey to a uniquely damaging form of account takeover (ATO) that thrives on data stolen in previous breaches.

DataVisor
Aug 13, 2019


In March of 2019, DataVisor’s Director of Research, Ting-Fang Yen, wrote about The Worrisome Rise of Credential Stuffing. In that post, she described the technique as follows:

“What makes credential stuffing unique — and uniquely concerning — is the scale. In a credential stuffing attack, fraudsters leverage massive troves of leaked legitimate user credential data to begin firing pairs of names and passwords at other sites in hopes of getting a “hit” — an instance in which a combination works, and a hacker gets into an account. Once in, the fraudster is free to eke as much value from the account as possible.”

On August 8, 2019, an article in Threatpost reported on a credential stuffing attack that targeted insurance giant State Farm. The article describes the form of attack, and notes that, while State Farm has not offered specifics about the depth of the attack’s impact, the company “services 83 million policies and accounts in the U.S.” In a follow-up post in the Credit Union Times, several fraud and security experts weighed in on how attacks of this kind can be prevented. Best practices discussed and proposed in that post include multi-factor authentication, and AI and machine learning-powered solutions.

Regarding authentication practices, we’ve seen that organizations often use two-factor authentication (2FA) to try to prevent credential stuffing attacks such as the one that impacted State Farm, as well as a broader array of account takeover (ATO) attack types. However, we’ve also seen that fraudsters are finding ways to bypass 2FA, and that many organizations choose not to enable it because of its negative impact on user experience (UX). According to State Farm’s website, the company offers 2FA as an option for its users.
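What the pattern Yen describes looks like in an authentication log, and the simple detection that follows from it, as an added example that is not DataVisor’s or State Farm’s code. The log format, the IP addresses and account names, and the thresholds are all constructed assumptions; the point is that credential stuffing shows up as breadth (many distinct accounts, one or two tries each, mostly failing) rather than depth (one account hammered), and that the successful “hits” from a flagged source are the accounts to reset or step up.

```python
"""Credential-stuffing detector run over sample authentication log lines.

Added illustration, not DataVisor's or State Farm's code. The log format,
the IP addresses and account names, and the thresholds are all assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample log (assumed format: "<ts> ip=<src> user=<acct> result=ok|fail").
# 203.0.113.7 sprays one guess at each of eight accounts and lands one hit;
# 198.51.100.20 is one user mistyping a password; 192.0.2.5 hammers one account.
SAMPLE_LOG = """\
2019-08-08T10:00:01Z ip=203.0.113.7 user=alice result=fail
2019-08-08T10:00:02Z ip=203.0.113.7 user=bob result=fail
2019-08-08T10:00:02Z ip=203.0.113.7 user=carol result=fail
2019-08-08T10:00:03Z ip=203.0.113.7 user=dana result=ok
2019-08-08T10:00:03Z ip=203.0.113.7 user=erin result=fail
2019-08-08T10:00:04Z ip=203.0.113.7 user=frank result=fail
2019-08-08T10:00:04Z ip=203.0.113.7 user=grace result=fail
2019-08-08T10:00:05Z ip=203.0.113.7 user=heidi result=fail
2019-08-08T10:01:10Z ip=198.51.100.20 user=ivan result=fail
2019-08-08T10:01:25Z ip=198.51.100.20 user=ivan result=fail
2019-08-08T10:01:40Z ip=198.51.100.20 user=ivan result=ok
2019-08-08T10:02:00Z ip=192.0.2.5 user=judy result=fail
2019-08-08T10:02:01Z ip=192.0.2.5 user=judy result=fail
2019-08-08T10:02:02Z ip=192.0.2.5 user=judy result=fail
2019-08-08T10:02:03Z ip=192.0.2.5 user=judy result=fail
2019-08-08T10:02:04Z ip=192.0.2.5 user=judy result=fail
2019-08-08T10:02:05Z ip=192.0.2.5 user=judy result=fail
"""


@dataclass
class SourceStats:
    """Per-source counters: how many tries, how many failed, which accounts."""
    attempts: int = 0
    failures: int = 0
    users: set = field(default_factory=set)
    hits: set = field(default_factory=set)   # accounts that logged in successfully


def parse_line(line):
    """Split one log line into (ip, user, result); the leading timestamp is skipped."""
    fields = dict(tok.split("=", 1) for tok in line.split()[1:])
    return fields["ip"], fields["user"], fields["result"]


def aggregate(log_text):
    """Fold every line of the log into per-source statistics."""
    stats = defaultdict(SourceStats)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ip, user, result = parse_line(line)
        s = stats[ip]
        s.attempts += 1
        s.users.add(user)
        if result == "ok":
            s.hits.add(user)
        else:
            s.failures += 1
    return stats


def flag_stuffing(stats, min_attempts=5, min_distinct_users=4, min_fail_rate=0.7):
    """Flag sources that look like credential stuffing.

    The tell is breadth, not depth: many *different* accounts tried once or
    twice each, with a high failure rate because most leaked pairs no longer
    work on this site. A single account being hammered (192.0.2.5 above) is
    a different pattern and is left to a per-account lockout rule.
    """
    flagged = {}
    for ip, s in stats.items():
        if s.attempts < min_attempts:
            continue
        fail_rate = s.failures / s.attempts
        if len(s.users) >= min_distinct_users and fail_rate >= min_fail_rate:
            flagged[ip] = {
                "attempts": s.attempts,
                "distinct_users": len(s.users),
                "fail_rate": fail_rate,
                "hits": sorted(s.hits),
            }
    return flagged


def accounts_to_reset(flagged):
    """Accounts that succeeded from a flagged source: the likely takeovers."""
    return sorted({u for info in flagged.values() for u in info["hits"]})


if __name__ == "__main__":
    flagged = flag_stuffing(aggregate(SAMPLE_LOG))
    for ip, info in flagged.items():
        print(f"{ip}: {info}")
    print("force password reset / step-up for:", accounts_to_reset(flagged))
```

Keying on the source address is the weak point of this rule, and it is exactly why the Credit Union Times piece points toward machine learning: once the attempts are spread thinly enough across sources, no single source crosses a threshold, and the pattern only reappears when whole populations of accounts and sessions are compared at once.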

In a recent article published by The Paypers titled The Journey Towards Zero Factor Authentication, DataVisor Co-Founder and CEO Yinglian Xie discussed a potential next generation of authentication practices:

“The next generation platform needs to rethink digital identity and authentication in a transformative way. Advances in technology must be able to combine machine and human intelligence to deliver zero factor authentication and not n-factor authentication. Current authentication methods expose too many loopholes — third-party apps, tokens, and APIs that can be leveraged by attackers.”

As Yinglian develops her argument, she addresses the critical role AI can and will play in the future of fraud prevention: “Adding more layers of authentication simply means that as an industry we have failed to build a path to building a better digital identity. As AI becomes the driver for intellectual horsepower within the organization, authentication means better security, greater trust, and personalized user journeys.”

In the letter State Farm sent its customers in the aftermath of the attack, the company noted that its review process had “confirmed that no fraudulent activity occurred.” This is, of course, good news for State Farm’s community of users, but the downstream impact of a data breach can take months to emerge, something Yinglian wrote about in a post titled A Data Breach is Just the Beginning:

“It’s important to remember who the real victims are — all good customers. For those customers whose data was exposed in the breach, their information is at risk of being exploited to conduct various downstream attacks, causing potentially serious damage. Other service providers could be severely impacted as well, as they face increased fraudulent account opening requests from attackers with stolen credentials or synthetic IDs.”

As we think about attacks such as the one State Farm suffered, it’s important to remember that fraud attacks have both linear and circular timelines. From a linear standpoint, fraud attacks go from idea, to planning, to execution, to aftermath. In State Farm’s case, a fraudster (or fraudsters) had the idea for the attack. Then, they gathered the passwords and wrote the scripts to make the attack possible. Then, they attacked. In the aftermath, State Farm reset passwords and issued apologies and explanations. That’s the linear timeline. Seen from the circular perspective, however, there’s more to the story. The password information the State Farm attackers used probably came from a previous breach, and the information leaked in the attack will likely fuel future malicious actions. And so it goes, on and on …

On and on, until something breaks the cycle.

That’s where AI and unsupervised machine learning (UML) come in. As soon as a fraudster moves from ideation to preparation, we have the opportunity to expose their activities, and in so doing, we can prevent the next attack from launching.
