Incident Of The Week: State Farm Insurance Discloses Recent Credential Stuffing Attack
Warning To Enterprise Security Teams: Brute Force Attacks Increasing
Insurance provider State Farm has notified policyholders that it recently observed login attempts against user accounts that were consistent with a credential stuffing attack. The company reset the passwords of the affected accounts and notified the customers concerned.
According to reports, the attack was discovered by State Farm in July 2019 and no personally identifiable information (PII) was exposed. The insurance company serves more than 83 million U.S. customers, though the number of policyholders impacted by the attack has not been disclosed.
Credential stuffing is usually grouped with brute force attacks, although it replays known username and password pairs rather than guessing passwords. Attacks of this kind are growing in frequency, and so is the demand for industry transparency, reporting, and disclosure of cyber crime and mismanaged data, now that news can be disseminated globally in near real time.
What Is A Credential Stuffing Attack?
MIT’s CTSS is credited as the first system to use a password, in the 1960s. People tend to reuse the same password across multiple, unrelated online accounts. Whether because they want a memorable password, do not understand the risk, or simply hold accounts with tens to hundreds of entities, few people keep the passwords they have used over the past decade unique and up to date.
Credential stuffing takes login credentials stolen from one online account and “stuffs” them, automatically and at scale, into the login forms of other sites in the hope that the password was reused. An attacker who gets in this way then seeks further value: purchasing authorization, personal identification numbers, and corporate data that can be exploited or sold.
Attackers also understand that everyone leaves a digital history. Employees who change insurance providers or switch retailer loyalty accounts often forget that the former accounts remain active. Attackers use rather unsophisticated, automated tooling to exploit these old logins. A successful credential stuffing run results in an account takeover (ATO).
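The pattern described above has a recognisable signature in authentication logs: one source trying many distinct usernames with a low hit rate, as opposed to brute force, where one source hammers a single account. The following script, added here as an illustration and not code from State Farm or from the original article, aggregates per-source statistics over constructed sample log lines in an assumed `key=value` format, labels each source, and lists the accounts a stuffing source got into (the ones whose passwords should be reset). The log format, the thresholds and all addresses and usernames are assumptions for the example.

```python
"""Separate credential stuffing from brute force in authentication logs.

Credential stuffing replays known username:password pairs, so one source
touches many distinct accounts with a low hit rate; brute force hammers one
account with many passwords. Log format and thresholds are assumptions for
this example, not any vendor's schema.
"""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class SourceStats:
    attempts: int = 0
    successes: int = 0
    users: set = field(default_factory=set)
    succeeded_users: set = field(default_factory=set)


def _build_sample_log() -> str:
    """Constructed sample lines (not real data) in an assumed key=value format."""
    lines = []
    # One source tries 40 distinct accounts and gets into two: stuffing pattern.
    for i in range(40):
        result = "SUCCESS" if i in (7, 23) else "FAIL"
        lines.append(f"2019-07-01T02:00:{i:02d}Z src=203.0.113.7 user=user{i:03d} result={result}")
    # One source makes 25 failed attempts against a single account: brute force.
    for i in range(25):
        lines.append(f"2019-07-01T02:05:{i:02d}Z src=198.51.100.9 user=erin result=FAIL")
    # 30 staff behind one corporate NAT address all log in successfully: benign.
    for i in range(30):
        lines.append(f"2019-07-01T09:00:{i:02d}Z src=192.0.2.44 user=staff{i:02d} result=SUCCESS")
    # One user mistypes once, then succeeds: benign and below the volume floor.
    lines.append("2019-07-01T10:00:00Z src=192.0.2.80 user=frank result=FAIL")
    lines.append("2019-07-01T10:00:30Z src=192.0.2.80 user=frank result=SUCCESS")
    return "\n".join(lines)


SAMPLE_LOG = _build_sample_log()


def parse_line(line: str):
    """Return (source, user, succeeded) from one 'ts k=v k=v ...' line."""
    fields = dict(tok.split("=", 1) for tok in line.split()[1:])
    return fields["src"], fields["user"], fields["result"] == "SUCCESS"


def aggregate(log_text: str) -> dict:
    """Per-source attempt counts, success counts and distinct usernames."""
    stats = defaultdict(SourceStats)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        src, user, ok = parse_line(line)
        s = stats[src]
        s.attempts += 1
        s.users.add(user)
        if ok:
            s.successes += 1
            s.succeeded_users.add(user)
    return stats


def classify(stats: dict, min_attempts: int = 20, min_users: int = 10,
             max_success_rate: float = 0.2) -> dict:
    """Label each source: credential_stuffing, brute_force or normal.

    Thresholds are illustrative; tune them against your own baseline. A
    high-volume source with a high success rate (a NAT gateway) stays normal.
    """
    verdicts = {}
    for src, s in stats.items():
        rate = s.successes / s.attempts
        if s.attempts < min_attempts or rate > max_success_rate:
            verdicts[src] = "normal"
        elif len(s.users) >= min_users:
            verdicts[src] = "credential_stuffing"
        elif len(s.users) == 1:
            verdicts[src] = "brute_force"
        else:
            verdicts[src] = "normal"
    return verdicts


def accounts_to_reset(log_text: str) -> set:
    """Accounts that a stuffing source logged into: reset these passwords."""
    stats = aggregate(log_text)
    verdicts = classify(stats)
    hit = set()
    for src, label in verdicts.items():
        if label == "credential_stuffing":
            hit |= stats[src].succeeded_users
    return hit


if __name__ == "__main__":
    for src, label in classify(aggregate(SAMPLE_LOG)).items():
        print(f"{src:<14} {label}")
    print("reset:", sorted(accounts_to_reset(SAMPLE_LOG)))
```

The success-rate gate is what keeps a busy but legitimate source (a corporate NAT address, a mobile carrier gateway) out of the alert queue; the distinct-user count is what separates stuffing from a password-guessing attack on one account. Both need tuning against a baseline of your own traffic before they feed a blocking control.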
The Potential Enterprise Security Impact
Attackers amass databases of compromised user logins, which are aggregated with other databases and shared or sold amongst bad actors. Despite education and security awareness training, many employees will use the same passwords in both personal and professional situations.
An employee who also holds an online account with State Farm, Dunkin’ Donuts, or another entity that has fallen prey to credential stuffing is at increased risk of exposing the credentials used for enterprise authentication.
Over the past decade, hundreds of millions of online accounts have been compromised. Earlier this year, combolists of usernames and passwords covering hundreds of millions of email addresses were posted online. Analysis of a single combolist collection found roughly one distinct password for every 30 distinct email addresses, suggesting that password recycling is common.
Enterprise Countermeasures For Credential Stuffing Attacks
The enterprise security team can no longer treat insider threats and phishing as the only attack vectors for credential compromise. Increasingly, attackers target sites that deliver services to individuals in the hope that the same credentials are in use elsewhere. How does an organization protect itself when the breach happened somewhere else?
Our experts highlight multiple areas where security teams can hone their approach in anticipation of more credential stuffing attacks.
- Augment security awareness training to explain why unique credentials matter. Use credential stuffing attacks as proof points for cyber hygiene objectives.
- Require multiple forms of authentication, and take the location, the physical device or system asset, and the user identity into account when deciding whether a login is trusted. Re-authenticate users when enough time has elapsed and whenever any of these parameters changes.
- Review whether every employee needs email and external site access.
- Restrict or eliminate access to applications, services, and sensitive data for sessions that do not pass these checks.
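The second countermeasure above is a policy decision that can be written down and tested. The following example, added here and not code from the original article or from any product, ties a session to the user, device and location it was established from and forces a second factor when any of those changes or when too much time has passed; a session presented for a different user is refused outright. Applied at login against the user's last trusted context, the same check means a stuffed username and password pair arriving from an unrecognised device in a new country is stopped at the second factor. Field names, the device identifier, the country field and the time limits are assumptions for the example.

```python
"""Risk-based re-authentication over user, device, location and elapsed time.

A session carries the context it was created from. Any change in device or
location, or too much elapsed time, forces a second factor before the request
is honoured; a user mismatch is refused. Field names, time limits and the
device-id notion are assumptions for this example, not a product's API.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class AuthContext:
    user: str
    device_id: str      # e.g. fingerprint of a registered device certificate
    country: str        # e.g. from IP geolocation of the request


@dataclass(frozen=True)
class Session:
    ctx: AuthContext
    authenticated_at: datetime   # when the user last proved identity


@dataclass(frozen=True)
class Decision:
    action: str      # "allow", "step_up" (require a second factor) or "deny"
    reasons: tuple


MAX_SESSION_AGE = timedelta(hours=8)        # hard ceiling for any session
SENSITIVE_MAX_AGE = timedelta(minutes=15)   # fresher proof for risky actions


def evaluate(session: Session, request: AuthContext, now: datetime,
             sensitive: bool = False) -> Decision:
    """Decide whether a request may ride on the session as it stands."""
    if request.user != session.ctx.user:
        # A session presented for a different user is misuse, not a risk signal.
        return Decision("deny", ("user mismatch",))
    reasons = []
    if request.device_id != session.ctx.device_id:
        reasons.append("device changed")
    if request.country != session.ctx.country:
        reasons.append("location changed")
    age = now - session.authenticated_at
    if age > MAX_SESSION_AGE:
        reasons.append("session expired")
    elif sensitive and age > SENSITIVE_MAX_AGE:
        reasons.append("stale authentication for sensitive action")
    if reasons:
        return Decision("step_up", tuple(reasons))
    return Decision("allow", ())


def demo() -> dict:
    """Constructed scenarios (not real traffic); returns the Decision for each."""
    t0 = datetime(2019, 7, 1, 9, 0, tzinfo=timezone.utc)
    alice = AuthContext("alice", "dev-a1", "US")
    session = Session(alice, t0)
    cases = {
        "same device, one hour later": (alice, t0 + timedelta(hours=1), False),
        "sensitive action, one hour later": (alice, t0 + timedelta(hours=1), True),
        "unrecognised device, new country":
            (AuthContext("alice", "dev-zz", "RO"), t0 + timedelta(minutes=5), False),
        "after the eight-hour ceiling": (alice, t0 + timedelta(hours=9), False),
        "session presented for another user":
            (AuthContext("bob", "dev-a1", "US"), t0 + timedelta(minutes=1), False),
    }
    return {name: evaluate(session, ctx, now, sens)
            for name, (ctx, now, sens) in cases.items()}


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{decision.action:<8} {name}  {', '.join(decision.reasons)}")
```

The decision returns its reasons as well as the action so that the step-up prompt, the audit log and any later tuning of the time limits can all use the same signal; silent re-authentication prompts are hard to debug and harder to explain to users.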
While the direct financial impact on State Farm is expected to be minimal, since no records were lost, the long-tail effects may not be seen for months or years as the brand works to keep the trust of its customers.
See Related: Top 5 Cyber Security Breaches of 2019 So Far