Experts On Credit Information Exposed In TransUnion Credit Stuffing Attack

An unauthorized person was able to gain access to a TransUnion Canada web portal and use it to pull consumer credit files using a credential stuffing attack.

Once the unauthorized user gained access to the TransUnion portal, they could perform credit searches using a consumer’s name, address, date of birth (DOB), or Social Insurance Number (“SIN”).

If the correct information was entered, a credit file would be shown containing the consumer’s name, date of birth, current and past addresses, and credit-related information such as loan obligations, amounts owed, and payment history. Actual account numbers, though, would not be included in the report.


EXPERTS COMMENTS
Aaron Zander, Head of IT,  HackerOne
October 10, 2019
Preventing one person or one IP from submitting more than just a handful of logins or even the same one is important.
If a website is receiving an excessive amount of authentication (in the order of an exponential increase in magnitude) the site creator needs to work on how internal and external users are authenticating and how many times an identifiable browser or IP can be sent. Users can protect themselves with password managers, but it’s up to the operators of websites and apps to prevent themselves from becoming test-beds for valid credentials. Preventing one person or one IP from submitting more than just a handful of logins or even the same one is important, both in the total amount they are trying and how fast they can submit. Using tools like CAPTCHA, email magic links, rate limiting, browser detection, and in general, thinking about how a login page can be abused can all contribute to removing a website from the field of play for credential testing/stuffing.
Raphael Reich, Vice President,  CyCognito
October 10, 2019
Even if you're using pen testers, they would only see/test a fraction of the apps.
Poorly- or mis-configured authentication is what allows attacks like this to be successful. Unfortunately, because most major organizations often have hundreds or even thousands of applications, it's nearly impossible to test them all regularly and effectively for those kinds of authentication issues. Even if you're using pen testers, they would only see/test a fraction of the apps. A WAF or IPS might successfully identify attackers who were attempting credential stuffing using a single IP address to launch attacks, and then throttle back or block the credential stuffing attempts, but unfortunately, sophisticated attackers would use a botnet or botnet-like capability to avoid detection.
Hicham Bouali, EMEA Manager ,  One Identity
October 10, 2019
These breaches sometimes release usernames and passwords, either plaintext or hashes, into the wild world of the dark web.
Credential stuffing can be mitigated by adopting good password hygiene. Breaches of databases are inevitable, especially when it comes to such sensitive information as consumer credit files, which can be exploited for future criminal activity. These breaches sometimes release usernames and passwords, either plaintext or hashes, into the wild world of the dark web. The hackers then target well-known consumer websites with those credentials, hoping to find an account with a stored credit card, for example, or an account with one-touch buying enabled. Not using the same password across multiple websites is one way to mitigate this; so is using two-factor and additional authentication methods. Organisations should make sure that access to portals that allow users to view sensitive information is secured using 2-step authentication and well monitored and recorded, so that any suspicious activity can be detected in a timely manner. Additionally, analysing behavioural biometrics data of users can help to identify suspicious behaviour of a particular user or entity, thus raising the alarm and – if a high risk is determined – terminating the session.
Rod Simmons, Vice President of Product Strategy,  STEALTHbits Technologies
October 09, 2019
We all would like to see better practices when it comes to creating secure passwords.
Even bad passwords can be improved by simply implementing two-factor authentication. We all would like to see better practices when it comes to creating secure passwords. The reality is we need a technology transformation. Any clever tricks we have to create memorable passwords are not clever and are comprised as part of the billions of previously compromised passwords. Start with a password manager and two-factor authentication whenever available.
Adam Laub, CMO,  STEALTHbits Technologies
October 09, 2019
Businesses should consider validating passwords against breach dictionaries to prevent users from putting their accounts at risk.
Credential stuffing and other password guessing attacks have been so popular because they’re easy to execute and likely to work. Until users choose to or are forced to leverage unique username and password combinations across the different sites and services they leverage – or passwords are eradicated completely – these attacks will continue to be a headache. Users should consider leveraging password managers on their computers and mobile devices to eliminate the need to remember their passwords in the first place. Businesses should consider validating passwords against breach dictionaries to prevent users from putting their accounts at risk.
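Breach-dictionary validation as Adam Laub describes it, as an added example (not from the article or any vendor quoted in it). The breach list is a constructed stand-in for a real corpus, and the 5-character prefix range lookup mirrors the k-anonymity shape used by range-query breach services, so a full hash never needs to leave the client.

```python
import hashlib

# Constructed stand-in for a breach corpus (these strings are chosen for the
# demo, not taken from any real dump). Stored as upper-case SHA-1 hex digests,
# the form breach-list services and offline dumps commonly use.
BREACHED_PLAINTEXTS = {"password", "123456", "letmein", "correcthorsebatterystaple"}
BREACH_HASHES = {hashlib.sha1(p.encode()).hexdigest().upper()
                 for p in BREACHED_PLAINTEXTS}


def breached_suffixes(prefix5):
    """Range lookup: all stored digest suffixes sharing a 5-hex-char prefix.
    Only the prefix is needed to query, so the caller's full hash stays local."""
    return {h[5:] for h in BREACH_HASHES if h.startswith(prefix5)}


def password_is_breached(candidate):
    """True when the candidate's SHA-1 appears in the breach dictionary."""
    digest = hashlib.sha1(candidate.encode()).hexdigest().upper()
    return digest[5:] in breached_suffixes(digest[:5])


def validate_new_password(candidate, min_len=12):
    """Policy check a registration or reset handler would run before accepting
    a password: a length floor, then rejection of anything already breached.
    Returns (accepted, reason) so the caller can report why it was refused."""
    if len(candidate) < min_len:
        return (False, "too short")
    if password_is_breached(candidate):
        return (False, "appears in a breach dictionary")
    return (True, "ok")
```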
Satya Gupta, CTO,  Virsec
October 09, 2019
Compromising a credit reporting account can open up even more sensitive personal data that is quickly sold to other attackers.
Given the high likelihood that many users will reuse passwords across multiple services, techniques like credential stuffing can easily provide access to thousands of user accounts. Compromising a credit reporting account can open up even more sensitive personal data that is quickly sold to other attackers. At a minimum, end-users should immediately implement strong passwords and multi-factor authentication. But restoring the privacy of data that has already leaked is almost impossible.
Laurence Pitt, Global Security Strategy Director,  Juniper Networks
October 09, 2019
It should only have been possible to access this sensitive data remotely using a corporate device.
Whatever the cause of the attack, however, organizations need to be more careful of protecting data in all states – whether at rest or on the move. It should only have been possible to access this sensitive data remotely using a corporate device, and through a VPN client, to ensure that authentication and the records accessed could be logged. In addition, the use of a CASB (Cloud Access Security Broker) could have ensured not only a secure connection, but also detected any anomalous data access by the user as they downloaded the records – then shut down the connection and raised a security alert.
Javvad Malik, Security Awareness Advocate,  KnowBe4
October 09, 2019
From an enterprise perspective, it can be hard, but not impossible, to detect credential stuffing attacks.
Credential stuffing attacks are popular and often successful because of how many people reuse the same password across multiple websites. Once a site is breached and the passwords obtained, attackers will try the user ID and password combination against a whole host of services to try and gain access to other, often lucrative sites such as online banking. From a user perspective, they should try to not reuse passwords. A password manager can help in choosing strong passwords which users don't have to remember. Users can also use a number of free services such as haveibeenpwned.com which lets a user know if their account has been compromised in any breaches. From an enterprise perspective, it can be hard, but not impossible, to detect credential stuffing attacks. One of the best defences against credential stuffing is the use of two-factor or multi-factor authentication (2FA, MFA). When deployed it can prevent access to websites even if the attacker knows the correct ID and password.
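The detection Javvad Malik calls hard but not impossible, and the per-IP limit Aaron Zander and Raphael Reich discuss, as an added example (not from the article or any vendor quoted in it). It runs over constructed login-log lines in an assumed format and flags both signatures: one IP spraying many accounts, and one account hit from many IPs, the botnet-style pattern a per-IP limit alone misses.

```python
import re
from collections import defaultdict

# Constructed sample authentication log (not TransUnion data); the line format
# "<timestamp> ip=<addr> user=<id> result=<ok|fail>" is an assumption.
SAMPLE_LOG = """\
2019-10-08T10:00:00 ip=203.0.113.5 user=alice result=fail
2019-10-08T10:00:01 ip=203.0.113.5 user=bob result=fail
2019-10-08T10:00:02 ip=203.0.113.5 user=carol result=fail
2019-10-08T10:00:03 ip=203.0.113.5 user=dave result=fail
2019-10-08T10:00:04 ip=203.0.113.5 user=erin result=fail
2019-10-08T10:00:05 ip=203.0.113.5 user=frank result=ok
2019-10-08T10:01:00 ip=198.51.100.7 user=grace result=fail
2019-10-08T10:01:09 ip=198.51.100.7 user=grace result=ok
2019-10-08T10:02:00 ip=192.0.2.1 user=henry result=fail
2019-10-08T10:02:01 ip=192.0.2.2 user=henry result=fail
2019-10-08T10:02:02 ip=192.0.2.3 user=henry result=fail
"""

LINE_RE = re.compile(r"^(\S+) ip=(\S+) user=(\S+) result=(ok|fail)$")


def parse(log):
    """Yield (timestamp, ip, user, success) for each well-formed line."""
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2), m.group(3), m.group(4) == "ok"


def detect(log, max_users_per_ip=5, max_ips_per_user=3, min_fail_ratio=0.8):
    """Flag two stuffing signatures over one batch of lines (the caller picks
    the time window): an IP trying many distinct accounts with mostly failures,
    and an account probed from many IPs (distributed, per-IP limits miss it).
    A success from a flagged IP is the hit the attacker wanted, not innocence."""
    users_per_ip = defaultdict(set)
    ips_per_user = defaultdict(set)
    attempts = defaultdict(lambda: [0, 0])  # ip -> [total, failed]
    for _ts, ip, user, ok in parse(log):
        users_per_ip[ip].add(user)
        ips_per_user[user].add(ip)
        attempts[ip][0] += 1
        attempts[ip][1] += 0 if ok else 1
    stuffing_ips = sorted(ip for ip, users in users_per_ip.items()
                          if len(users) >= max_users_per_ip
                          and attempts[ip][1] / attempts[ip][0] >= min_fail_ratio)
    targeted_users = sorted(u for u, ips in ips_per_user.items()
                            if len(ips) >= max_ips_per_user)
    return {"stuffing_ips": stuffing_ips, "targeted_users": targeted_users}
```

The flagged IP list feeds a rate limit or CAPTCHA challenge; the targeted-user list is the one to alert on, since no single source in it exceeds a per-IP threshold.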
