FBI Says Credential Stuffing Attacks Are Behind Some Recent Bank Hacks (zdnet.com) 30

The FBI sent a private security alert to the US financial sector last week warning organizations about the increasing number of credential stuffing attacks that have targeted their networks and have led to breaches and considerable financial losses. From a report: Credential stuffing is a relatively new term in the cyber-security industry. [...] According to an FBI security advisory obtained by ZDNet today, credential stuffing attacks have increased in recent years and have now become a major problem for financial organizations. "Since 2017, the FBI has received numerous reports on credential stuffing attacks against US financial institutions, collectively detailing nearly 50,000 account compromises," the FBI said. "The victims included banks, financial services providers, insurance companies, and investment firms."
  • by Anonymous Coward

    > Credential stuffing is a relatively new term in the cyber-security industry. [...]

    Presumably the [...] is the explanation of this new term, but to see it, I have to click through to the article. I won't fall for your bullshit. I will just refresh comments until an explanation eventually shows up.

    • by rpresser ( 610529 ) on Tuesday September 15, 2020 @12:48PM (#60508110)

      https://en.wikipedia.org/wiki/... [wikipedia.org]

      Credential stuffing is a type of cyberattack where stolen account credentials typically consisting of lists of usernames and/or email addresses and the corresponding passwords (often from a data breach) are used to gain unauthorized access to user accounts through large-scale automated login requests directed against a web application.[1] Unlike credential cracking, credential stuffing attacks do not attempt to brute force or guess any passwords - the attacker simply automates the logins for a large number (thousands to millions) of previously discovered credential pairs ...

      TL;DR: take user/password pairs from one hacked site and try to use them on other sites, in bulk attacks.
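The definition quoted above describes the attacker's side. What a defender sees is a flood of login attempts in which each username is tried only once or twice and almost all of them fail, because most leaked pairs were never reused on the target site. The following is an added example (not code from the FBI advisory, ZDNet, or Slashdot) that runs that heuristic over a small constructed authentication log. The `src=... user=... result=...` line layout, the IP addresses (documentation ranges), the usernames and the threshold values are all assumptions chosen for the illustration; a real deployment would also bucket by time window, since a stuffing run is measured in attempts per minute, not per log file.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample authentication log (not from any real bank or from the
# FBI advisory). One line per login attempt: timestamp, source IP, username,
# and whether the password was accepted. The field layout is an assumption.
SAMPLE_LOG = """\
2020-09-15T12:00:01Z src=203.0.113.7 user=alice result=FAIL
2020-09-15T12:00:02Z src=203.0.113.7 user=bob result=FAIL
2020-09-15T12:00:02Z src=203.0.113.7 user=carol result=FAIL
2020-09-15T12:00:03Z src=203.0.113.7 user=dave result=FAIL
2020-09-15T12:00:03Z src=203.0.113.7 user=erin result=OK
2020-09-15T12:00:04Z src=203.0.113.7 user=frank result=FAIL
2020-09-15T12:00:04Z src=203.0.113.7 user=grace result=FAIL
2020-09-15T12:00:05Z src=203.0.113.7 user=heidi result=FAIL
2020-09-15T12:01:10Z src=198.51.100.9 user=carol result=FAIL
2020-09-15T12:01:11Z src=198.51.100.9 user=carol result=FAIL
2020-09-15T12:01:12Z src=198.51.100.9 user=carol result=FAIL
2020-09-15T12:01:13Z src=198.51.100.9 user=carol result=FAIL
2020-09-15T12:01:14Z src=198.51.100.9 user=carol result=FAIL
2020-09-15T12:01:15Z src=198.51.100.9 user=carol result=FAIL
2020-09-15T12:02:00Z src=192.0.2.44 user=alice result=OK
2020-09-15T12:02:30Z src=192.0.2.45 user=dave result=FAIL
2020-09-15T12:02:35Z src=192.0.2.45 user=dave result=OK
"""

# Parses the assumed "key=value" layout above; lines that do not match are skipped.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


@dataclass
class SourceStats:
    """Per-source-IP counters used to tell stuffing apart from brute force."""
    attempts: int = 0
    failures: int = 0
    successes: set = field(default_factory=set)  # usernames that logged in OK
    per_user: dict = field(default_factory=lambda: defaultdict(int))  # attempts per username


def parse_log(text):
    """Aggregate the log into {source_ip: SourceStats}."""
    stats = defaultdict(SourceStats)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line; a real pipeline would count these
        s = stats[m["src"]]
        s.attempts += 1
        s.per_user[m["user"]] += 1
        if m["result"] == "FAIL":
            s.failures += 1
        else:
            s.successes.add(m["user"])
    return stats


def classify(s, min_attempts=6, min_users=5, min_fail_ratio=0.8, max_tries_per_user=2):
    """Label one source. Thresholds are illustrative and must be tuned per site.

    Credential stuffing: many distinct usernames, each tried once or twice (the
    attacker already holds the password) and mostly failing, because most leaked
    pairs were never reused here. Brute force: one username, many guesses.
    """
    if s.attempts < min_attempts:
        return "normal"
    if s.failures / s.attempts < min_fail_ratio:
        return "normal"
    distinct_users = len(s.per_user)
    if distinct_users >= min_users and max(s.per_user.values()) <= max_tries_per_user:
        return "credential_stuffing"
    if distinct_users == 1:
        return "brute_force"
    return "suspicious"


def analyze(text):
    """Return {source_ip: verdict} for every source seen in the log."""
    return {src: classify(s) for src, s in parse_log(text).items()}


def compromised_accounts(text):
    """Usernames that logged in successfully from a source judged to be stuffing.

    These are the accounts whose password was reused elsewhere; they should be
    forced through a reset or step-up authentication, not just the source blocked.
    """
    return {
        user
        for s in parse_log(text).values()
        if classify(s) == "credential_stuffing"
        for user in s.successes
    }


if __name__ == "__main__":
    for src, verdict in analyze(SAMPLE_LOG).items():
        print(f"{src:15} {verdict}")
    print("accounts to reset:", sorted(compromised_accounts(SAMPLE_LOG)))
```

On the sample, `203.0.113.7` is flagged as stuffing (eight usernames, one success), `198.51.100.9` as brute force (one username, six failures), and the two residential-looking sources as normal, with `erin` the account to reset. Per-IP grouping is the weak point: attackers rotate through proxy pools so that each source stays under the threshold, so production detectors add site-wide signals such as the ratio of "unknown username" failures or the overall failure rate per minute, which spike during a run regardless of how the traffic is spread.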

      • So, back to the tried-and-true advice... if you don't reuse passwords - and you shouldn't - this would not let them compromise your individual account.

        • Yeah, that's the key point about credential stuffing - password re-use. Somebody gets the Slashdot user/pass database and tries those same user/pass pairs at various banks.

          Suppose that for whatever reason a person still refuses to use a different password for each site, with a password manager. They can mitigate this in two ways:

          One *could* decide to use the same password on several "low security" accounts such as Slashdot, Reddit, etc - sites where you don't have any real damage if someone gets your passwo

      • by gweihir ( 88907 )

        > TL;DR: take user/password pairs from one hacked site and try to use them on other sites, in bulk attacks.

        Indeed. The only thing new here is the "bulk" angle. The attack itself is as old as computers with accounts.

  • Bank stuffs you!
  • If you didn't get the memo 10 years ago - do NOT re-use passwords. Every password that goes into a system that is not fully trusted must be unique. Use a password safe and generate new random passwords every single time.

    Fully trusted in this case means that you know, or at least are willing to gamble, that your password is not going to be intercepted and is never going to be stored in a reversible manner on that system. This category never ever ever ever includes any system that is not under your complet

    • And what do we do when your password safe is cracked? More importantly, the device you own that contains your password safe is compromised, such as your laptop getting hacked and encrypted for ransom? To be completely honest, you are either extremely inconvenienced or extremely vulnerable. We're putting security on the back of the user by building systems that are barely secure enough and routinely get hacked and infiltrated. And we are building security on top of cryptographic tools that were vulnerable 20
      • It's quite simple. At some point you have to have a level of trust as your solution of no online presence and cash in a mattress is just not possible. While not perfect use a commercial password vault like LastPass, use a long and complicated master password. Whenever possible enable multi-factor authentication.
      • > And what do we do when your password safe is cracked?

        Unless someone specifically targets you, I'd argue this is not a significant concern. Use a good long passphrase. If you're worried about forgetting it, it's arguably okay for most people to write it down on a piece of paper and stick that in a drawer or a safe. ... But don't write "pass phrase for my password wallet" on the paper.

        > More importantly, the device you own that contains your password safe is compromised, such as your laptop getting hacked and encrypted for ransom?

        Probably not a concern for anyone other than a Slashdotter. Most people will be using a commercial service - Bitwarden, Lastpass, 1Password - which is not going to be affected if

      • by lcall ( 143264 )

        I have thought similarly, so many things become a cost/benefit tradeoff based on life view and perceived risks, and as part of that I decided to very thoughtfully learn about and use OpenBSD (with default umask set to 0077, some X usage cautions) etc.

        But ultimately, I agree with someone else here that there are limits and we have to decide at what point to trust: but trust who/what? (fwiw, I write more about peace amid the commotion at http://lukecall.net/e-92233720... [lukecall.net] in a way I hope skimmable, non-JS, and

    • by gweihir ( 88907 )

      While I agree on the defense, you cannot expect average people to know anything about OpSec.

      • For this audience, unique passwords should be seen as the bare minimum. I expect at least 90% of slashdot readers to be able to implement a password safe and wildcard email aliases.

        I expect about 75% of my users to be capable of implementing unique passwords through a password safe, and about 10% of them to actually take steps in that direction. For the rest of them, I expire old passwords.

        • by gweihir ( 88907 )

          > For this audience, unique passwords should be seen as the bare minimum. I expect at least 90% of slashdot readers to be able to implement a password safe and wildcard email aliases.
          >
          > I expect about 75% of my users to be capable of implementing unique passwords through a password safe, and about 10% of them to actually take steps in that direction. For the rest of them, I expire old passwords.

          Well, I think you vastly overestimate the quality of the crowd here. At least in its present state. But you have been around even longer than I have and you have seen the times when your statement was completely accurate.

    • by rtb61 ( 674572 )

      The only workable solution is facial recognition, kinda sucks huh. Please hold your camera phone up to your face, point the screen at your face, so you can make sure you are aiming it properly, now move the screen around a little to make 3D scanning easier and say your name and address to the camera so we can see you talking and record the video to validate the transaction. They provide the app that uses a built in encryption to send the data and receive back the response and confirm the transaction, locally

  • User IDs and passwords leaked from website A are used to access website B. This is news?

  • Google has zero problems with this: https://krebsonsecurity.com/20... [krebsonsecurity.com]

    Google and Facebook are more secure than my financial institutions. Go figure.

    • by raind ( 174356 )
      Google converted to the Zero Trust model. Where no user or device is trusted until verified and even then least permissions are given.
    • by bws111 ( 1216812 )

      What are you babbling about? This has nothing to do with employees being phished. This is about using a database of hacked ids/passwords and trying those ids/passwords on different sites.

    • > Google and Facebook are more secure than my financial institutions. Go figure.

      My financial institution allows for two-factor authentication, with two-step authentication via SMS as the default. Yes, that's not perfect if you're individually targeted - but even two-step authentication makes targeting individuals expensive.

    • The federal government should pass a regulation mandating all federally-regulated banking institutions to implement FIDO2/U2F and OTP on all consumer-facing websites. Banks don't want to do it because lost tokens will increase service calls but the problem is getting ridiculous. Our credit cards should all be chip + PIN and not signature.
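The two comments above argue for OTP or FIDO2 as the layer that stops a stuffed password from being enough on its own. To make the OTP half concrete, here is an added example (not code from any bank, Slashdot, or the FBI advisory) of the server-side TOTP check as standardised in RFC 4226 and RFC 6238: HMAC-SHA1 over a time-step counter, dynamic truncation to six digits, a tolerance of one step either side for clock drift, and rejection of a code whose step has already been consumed, which is the check that stops a code captured in transit from being replayed. The secret is the RFC test vector; the `last_counter` replay guard and the base32 helper are this example's own conventions, and the `time.time()` default is used only when no timestamp is passed.

```python
import base64
import hashlib
import hmac
import time

# RFC 4226 / RFC 6238 reference secret (ASCII "12345678901234567890"), shown
# raw and in the base32 form that authenticator apps are provisioned with.
TEST_SECRET = b"12345678901234567890"
TEST_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def secret_from_base32(s):
    """Decode a base32 shared secret, tolerating lowercase, spaces and missing '=' padding."""
    s = s.strip().replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def hotp(secret, counter, digits=6):
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, unix_time, step=30, digits=6):
    """TOTP (RFC 6238): HOTP with the counter derived from the 30-second time step."""
    return hotp(secret, int(unix_time) // step, digits)


def verify_totp(secret, submitted, unix_time=None, step=30, digits=6,
                window=1, last_counter=None):
    """Check a submitted code against the current step and +/- `window` neighbours.

    Returns (accepted, counter). `last_counter` is the step of the last code this
    account used successfully (an assumed per-account field the caller persists);
    any match at or before it is refused so one code cannot be replayed within
    its validity window. Comparison is constant-time.
    """
    if unix_time is None:
        unix_time = time.time()
    now = int(unix_time) // step
    candidate = submitted.strip().encode()
    for counter in range(now - window, now + window + 1):
        if last_counter is not None and counter <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, counter, digits).encode(), candidate):
            return True, counter
    return False, last_counter


if __name__ == "__main__":
    secret = secret_from_base32(TEST_SECRET_B32)
    code = totp(secret, time.time())
    print("current code:", code, "->", verify_totp(secret, code))
```

Two things this does not do on its own: it does not rate-limit guesses (a six-digit code with a three-step window gives roughly a 3 in 10^6 chance per guess, which is fine only if the login endpoint throttles), and it does not protect against a phishing page that relays the code in real time, which is why the FIDO2/U2F half of the comment above matters: the signed challenge is bound to the origin, so a relayed response is useless elsewhere.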

  • My credit card website account has been locked 3 times in the past 3 weeks because somebody keeps trying to hack in. It's not even my email address, just a combination of my name (not used elsewhere by me, personally) which must be just common enough that someone is trying to force their way in.

    They did this enough with my actual bank 2 years ago (with a nearly 10 year old account) that I ended up changing my username to some purely random string like a password just to get it to stop.

    And yet another reason

  • The FBI is so informative, telling banks that people will take passwords they buy on the net and attempt to use them. Holy Batman, Robin! Who thought that hackers who purchase databases will try and use the data... let alone on financial sites or bitcoin locker. THANK YOU THANK YOU THANK YOU FBI for alerting us all to something that is ... just now... um... beginning? OH, going on for decades? Gotcha.

    Article that is a bit loose on facts but does have good links on how to check if YOUR data are out on t

    • All that happened is the FBI was cut out of the deal so now they're throwing their accomplices under the bus.
