Experts On Credit Information Exposed In TransUnion Credit Stuffing Attack

An unauthorized person was able to gain access to a TransUnion Canada web portal and use it to pull consumer credit files using a credential stuffing attack.

Once the unauthorized user gained access to the TransUnion portal, they could perform credit searches using a consumer’s name, address, date of birth (DOB), or Social Insurance Number (“SIN”).

If the correct information was entered, a credit file would be shown that contains the consumer’s name, date of birth, current and past addresses, and information related to the credit, such as loan obligations, amounts owed, and payment history. Actual account numbers, though, would not be included in the report.


EXPERT COMMENTS
Aaron Zander, Head of IT, HackerOne
October 10, 2019
Preventing one person or one IP from submitting more than just a handful of logins or even the same one is important.
If a website is receiving an excessive amount of authentication (in the order of an exponential increase in magnitude) the site creator needs to work on how internal and external users are authenticating and how many times an identifiable browser or IP can be sent. Users can protect themselves with password managers, but it’s up to the operators of websites and apps to prevent themselves from ....
[Read More >>]
Raphael Reich, Vice President, CyCognito
October 10, 2019
Even if you're using pen testers, they would only see/test a fraction of the apps.
Poorly- or mis-configured authentication is what allows attacks like this to be successful. Unfortunately, because most major organizations often have hundreds or even thousands of applications, it's nearly impossible to test them all regularly and effectively for those kinds of authentication issues. Even if you're using pen testers, they would only see/test a fraction of the apps. A WAF ....
[Read More >>]
Hicham Bouali, EMEA Manager, One Identity
October 10, 2019
These breaches sometimes release usernames and passwords, either plaintext or hashes, into the wild world of the dark web.
Credential Stuffing can be mitigated by adopting good password hygiene. Breaches of databases are inevitable, especially when it comes to such sensitive information as consumer credit files, which can be exploited for future criminal activity. These breaches sometimes release usernames and passwords, either plaintext or hashes, into the wild world of the dark web. The hackers then target well k ....
[Read More >>]
Rod Simmons, Vice President of Product Strategy, STEALTHbits Technologies
October 09, 2019
We all would like to see better practices when it comes to creating secure passwords.
Even bad passwords can be improved by simply implementing two-factor authentication. We all would like to see better practices when it comes to creating secure passwords. The reality is we need a technology transformation. Any clever tricks we have to create memorable passwords are not clever and are compromised as part of the billions of previously compromised passwords. Start with a password mana ....
[Read More >>]
Adam Laub, CMO, STEALTHbits Technologies
October 09, 2019
Businesses should consider validating passwords against breach dictionaries to prevent users from putting their accounts at risk.
Credential stuffing and other password guessing attacks have been so popular because they’re easy to execute and likely to work. Until users choose to or are forced to leverage unique username and password combinations across the different sites and services they leverage – or passwords are eradicated completely – these attacks will continue to be a headache. Users should consider leveraging ....
[Read More >>]
Satya Gupta, CTO, Virsec
October 09, 2019
Compromising a credit reporting account can open up even more sensitive personal data that is quickly sold to other attackers.
Given the high likelihood that many users will reuse passwords across multiple services, techniques like credential stuffing can easily provide access to thousands of user accounts. Compromising a credit reporting account can open up even more sensitive personal data that is quickly sold to other attackers. At a minimum, end-users should immediately implement strong passwords and multi-factor authe ....
[Read More >>]
Laurence Pitt, Global Security Strategy Director, Juniper Networks
October 09, 2019
It should only have been possible to access this sensitive data remotely using a corporate device.
Whatever the cause of the attack, however, organizations need to be more careful of protecting data in all states – whether at rest or on the move. It should only have been possible to access this sensitive data remotely using a corporate device, and through a VPN client, to ensure that authentication and the records accessed could be logged. In addition, the use of a CASB (Cloud Access Security ....
[Read More >>]
Javvad Malik, Security Awareness Advocate, KnowBe4
October 09, 2019
From an enterprise perspective, it can be hard, but not impossible to detect credential stuffing attacks.
Credential stuffing attacks are popular and often successful because of how many people reuse the same password across multiple websites. Once a site is breached and the passwords obtained, attackers will try the userID and password combination against a whole host of services to try and gain access to other, often lucrative sites such as online banking. From a user perspective, they should try ....
[Read More >>]
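Aaron Zander's point about limiting how many logins one IP can submit, and Javvad Malik's point that credential stuffing is detectable from the enterprise side, both come down to the same signal in the authentication log: one source trying many different usernames with mostly failures. The following is an added example (not code from the article or from any of the vendors quoted) that scores a batch of constructed login-log lines per source IP; the log format, thresholds and sample addresses are assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed sample log lines (not from the article): one line per login attempt,
# assumed to cover a single short time window (e.g. one minute of portal traffic).
SAMPLE_LOG = """\
2019-10-08T09:00:01Z ip=203.0.113.7 user=alice result=FAIL
2019-10-08T09:00:02Z ip=203.0.113.7 user=bob result=FAIL
2019-10-08T09:00:02Z ip=203.0.113.7 user=carol result=FAIL
2019-10-08T09:00:03Z ip=203.0.113.7 user=dave result=FAIL
2019-10-08T09:00:03Z ip=203.0.113.7 user=erin result=OK
2019-10-08T09:00:04Z ip=203.0.113.7 user=frank result=FAIL
2019-10-08T09:00:10Z ip=198.51.100.2 user=alice result=FAIL
2019-10-08T09:00:15Z ip=198.51.100.2 user=alice result=OK
"""

# Assumed key=value log format; adapt the pattern to the real portal's access log.
LINE_RE = re.compile(r"ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>\S+)")


def summarize_by_ip(log_text):
    """Count attempts, failures and distinct usernames per source IP."""
    stats = defaultdict(lambda: {"attempts": 0, "failures": 0, "users": set()})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # skip lines that are not login attempts
        s = stats[m["ip"]]
        s["attempts"] += 1
        s["users"].add(m["user"])
        if m["result"] != "OK":
            s["failures"] += 1
    return stats


def flag_stuffing_sources(log_text, min_attempts=5, min_distinct_users=4,
                          min_fail_ratio=0.6):
    """Return source IPs whose behaviour in the window looks like credential
    stuffing: many attempts, spread over many usernames, mostly failing.
    A single user retrying their own password (198.51.100.2) is not flagged."""
    flagged = []
    for ip, s in summarize_by_ip(log_text).items():
        fail_ratio = s["failures"] / s["attempts"]
        if (s["attempts"] >= min_attempts
                and len(s["users"]) >= min_distinct_users
                and fail_ratio >= min_fail_ratio):
            flagged.append(ip)
    return sorted(flagged)
```

Note that the one successful login from the flagged source (user=erin) is exactly the event worth investigating, since a stuffing run that hits a reused password produces a success that looks normal on its own.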
