May 26, 2022

Volume XII, Number 146

NYAG Issues Credential Stuffing Guidance

The New York AG recently issued information about steps companies can take to protect against credential stuffing attacks, and how to handle them if they occur. The guidance makes up a majority of a larger AG report on credential stuffing.

In a “credential stuffing” attack, attackers flood a website with automated login attempts using previously stolen credentials. These attacks are on the rise, and the amount of activity involved in them can be staggering. One restaurant chain contacted by the AG was the victim of at least 271 million login attempts over a 17-month period. Another suffered at least 40 million in just two months.

Expressing concern over the increase in these attacks, the NYAG lays out four categories of suggestions. They are “lessons learned” from a broader investigation by the Office to identify safeguards that might be effective in protecting against credential stuffing. These steps are useful for companies to review and serve as a signal of what the NYAG might expect of companies who have suffered an incident. While the NYAG recognizes that not all of these steps would be appropriate in all circumstances, evaluating which would work best can be helpful. They are:

  • Defense: The NYAG recommends appropriate detection software, as well as CAPTCHA systems to validate logins (recognizing that these are not perfect). Other steps include multifactor authentication, firewalls, and password-less authentication (using an authenticator app or a one-time code in lieu of a password).

  • Detection: Monitoring for potential attacks should, it indicated, include automated measures with human oversight. Other detection safeguards are analyzing customer fraud reports and notifying customers of unusual or significant account activity. It also recommends that companies use third-party tools to monitor possible compromises.

  • Preventing Fraud and Customer Data Misuse: In situations where online payment is involved, the NYAG recommends using re-authentication at the time of purchase. Special care should also be taken when gift cards are accepted, such as limiting access to the cards’ serial numbers. In payment situations, third-party monitoring tools can be an added defense. Another suggested strategy is anticipating and mitigating attempts at social engineering, and testing the effectiveness of these strategies through simulations or tabletop exercises.

  • Incident Response: In the hopefully unlikely event that a credential stuffing attack is successful, and threat actors gain access to accounts, the NYAG indicates that it expects companies will have incident response plans that address “processes for responding to credential stuffing attacks.” In its guidance, the NYAG indicates some steps it thinks companies should be taking during the process that are unique to credential stuffing. These include determining whether customer accounts were accessed or are reasonably likely to have been accessed, swiftly blocking such access (if it has occurred), and giving customers clear notice that, inter alia, tells them which accounts were accessed and when. The report also suggests that, when appropriate, notification may be made before an investigation is over.
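As an added illustration of the “automated measures with human oversight” the Detection bullet calls for (example code written for this page, not from the NYAG report or the article), the following Python heuristic flags a login source that, within a short window, fails against many distinct accounts, which is the pattern that separates credential stuffing from a single user mistyping a password. The log format, thresholds and IP addresses are assumptions; the output is meant for an analyst to review, not to act on automatically.

```python
# Added example: a credential-stuffing heuristic over constructed login events.
# Stuffing tries many *different* accounts (one stolen password each) from a
# small set of automated sources, so we flag a source that, inside a sliding
# window, fails against many distinct usernames with a high failure ratio.
# Thresholds and the event format are assumptions, not from the NYAG report.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (ISO timestamp, source_ip, username, success)
SAMPLE_EVENTS = [
    ("2022-05-01T10:00:00", "203.0.113.7", f"user{i}", False) for i in range(40)
] + [
    ("2022-05-01T10:00:30", "203.0.113.7", "user41", True),   # one hit among many
    ("2022-05-01T10:01:00", "198.51.100.9", "alice", False),  # ordinary typo
    ("2022-05-01T10:01:05", "198.51.100.9", "alice", True),
]

def detect_stuffing(events, window=timedelta(minutes=5), min_failures=25,
                    min_distinct_users=20, min_fail_ratio=0.8):
    """Return {source_ip: report} for sources whose activity in some window
    looks like credential stuffing. The report lists distinct users tried and
    accounts that actually succeeded, i.e. the accounts an analyst would
    check, block and notify under the guidance's incident-response steps."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        by_ip[ip].append((datetime.fromisoformat(ts), user, ok))
    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # advance the window start so the window spans at most `window`
            while evs[end][0] - evs[start][0] > window:
                start += 1
            win = evs[start:end + 1]
            failures = sum(1 for e in win if not e[2])
            users = {e[1] for e in win}
            if (failures >= min_failures and len(users) >= min_distinct_users
                    and failures / len(win) >= min_fail_ratio):
                # keep the latest qualifying window for this source
                flagged[ip] = {
                    "attempts": len(win),
                    "distinct_users": len(users),
                    "compromised": sorted({e[1] for e in win if e[2]}),
                }
    return flagged
```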

Putting it Into Practice: The NYAG’s advice signals its expectations of companies in terms of steps they should take to protect against a credential stuffing attack. We expect more targeted guidance like this as threat actors continue to refine their techniques around specific types of attacks.

Copyright © 2022, Sheppard Mullin Richter & Hampton LLP. National Law Review, Volume XII, Number 26

About this Author

Liisa Thomas, Partner

Liisa Thomas, a partner based in the firm’s Chicago and London offices, is Co-Chair of the Privacy and Cybersecurity Practice. Her clients rely on her ability to create clarity in a sea of confusing legal requirements and describe her as “extremely responsive, while providing thoughtful legal analysis combined with real world practical advice.” Liisa is the author of the definitive treatise on data breach, Thomas on Data Breach: A Practical Guide to Handling Worldwide Data Breach Notification, which has been described as “a no-nonsense roadmap for in-house and...

312-499-6335
Kari M. Rollins, Partner

Kari M. Rollins is a partner in the Intellectual Property Practice Group in the firm's New York office.

Areas of Practice

Ms. Rollins focuses her practice on privacy and complex commercial litigation matters. She has successfully represented clients in the financial services, audit and accounting, food services, retail, and fashion industries before state and federal courts, as well as in front of state attorneys general, federal regulators, and U.S. and international commercial arbitration forums....

212.634.3077
Charles Glover, Associate

Charles Glover is an associate in the Intellectual Property Practice Group in the firm's New York office.

Areas of Practice

Charles' practice focuses on breach response, data privacy law, and intellectual property disputes. His representations cover a variety of clients, including national banks, domestic airlines, and entertainment companies.

Charles’ solutions-oriented focus and diverse experience allow him to develop and implement dynamic strategies tailored to meet his clients’ needs. He has helped clients of all sizes and stages...

212.896.0679