The New York AG recently issued information about steps companies can take to protect against credential stuffing attacks, and how to handle them if they occur. The guidance makes up a majority of a larger AG report on credential stuffing.

“Credential stuffing” attackers flood a website with automated login attempts using previously-stolen credentials. These attacks are on the rise, and the amount of activity involved in them can be staggering. One restaurant chain contacted by the AG was the victim of at least 271 million login attempts over a 17-month period. Another suffered at least 40 million in just two months.

Expressing concern over the increase in these attacks, the NYAG lays out four categories of suggestions. They are “lessons learned” from a broader investigation by the Office to identify safeguards that might be effective in protecting against credential stuffing. These steps are useful for companies to review and serve as a signal of what the NYAG might expect of companies who have suffered an incident. While not all of these steps, the NYAG recognizes, would be appropriate in all circumstances evaluating which would work best can be helpful. They are:

• Defense: The NYAG recommends appropriate detection software, as well as CAPTCHA systems to validate logins (recognizing that these are not perfect). Other steps include multifactor authentication, firewalls, and password-less authentication (using an authenticator app or one time code in lieu of a password).

• Detection: Monitoring for potential attacks should, it indicated, include automated measures with human oversight. Other detection safeguards are analyzing customer fraud reports and notifying customers of unusual or significant account activity. It also recommends that companies use third-party tools to monitor possible compromises.

• Preventing Fraud and Customer Data Misuse: In situations where online payment is involved, the NYAG recommends using re-authentication at the time of purchase. Special care should also be taken when gift cards are accepted, like limiting access to the cards’ serial numbers. In payment situations, third-party monitoring tools can be an added defense. Another suggested strategy is anticipating and mitigating attempts at social engineering. And, testing the effectiveness of these strategies through simulations or tabletop exercises.

• Incident Response: In the hopefully unlikely event that a credential stuffing attack is successful, and threat actors gain access to accounts, the NYAG indicates that it expects companies will have incident response plans that address “processes for responding to credential stuffing attacks.” In its guidance, the NYAG indicates some steps it thinks companies should be taking during the process that are unique to credential stuffing. This includes figuring out if customer accounts were accessed or reasonably likely to have been accessed, swiftly blocking such access (if it has occurred), and giving customers clear notice that inter alia tells them which accounts were accessed and when. When appropriate, the report suggests notification may be appropriate before an investigation is over.

Putting it Into Practice: The NYAG’s advice signals its expectations of companies in terms of steps they should take to protect against a credential stuffing attack. We expect more targeted guidance like this as threat actors continue to refine their techniques around specific types of attacks.