“Credential Stuffing” the CRA - What is that?

Introduction

By now, a considerable number of Canadians are aware of the recent breach that occurred at the CRA. The cybercriminals acquired user credentials, used them to gain access to taxpayers’ accounts, and then applied for benefits such as the Canada Emergency Response Benefit (CERB) for COVID-19.

What Happened

The CRA determined that “credential stuffing” was the technique behind this attack. The criminals had already compromised at least one account, and possibly more.

“One victim told the Canadian Press that someone who had hacked into her account applied for CERB in her name and received funds by using her information.” This by itself is a self-inflicted issue caused by people not using unique passwords for all of their online applications. But the CRA also shares some accountability in that it is not using Multi-Factor Authentication (MFA) on these logins. The CRA has stated that getting adoption by the general public is difficult because not everyone can transition to this way of accessing their account, yet the banks, as one example, don’t seem to have an issue with it.

What’s Happening Now

What is “credential stuffing”? One explanation of “credential stuffing” is this: cybercriminals purchase, on the dark web, credentials that have been stolen in previous breaches. Using bots, they then try those credentials across thousands of online platforms, including all of the popular social media sites, banks and other financial institutions (to name a few). The reason this works is that people have too many accounts (sometimes hundreds) to be able to remember a unique password for each, so they often reuse the same credentials across all of their online accounts.

We see this time and again with our Managed Security Service (MSS). We introduced “Dark Web” monitoring to track when stolen credentials become available that match the domains of the organizations we secure. We then alert them that there could be an attempt to compromise their organization. The leaked accounts are typically not used for business purposes; rather, the corporate address was used as a personal email, often with the same credentials as the corporate login. This is where “credential stuffing” now plays a part in a possible compromise.
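A defender-side illustration of the bot behaviour described above, added here as an example and not code from the original post or from the CRA or any MSS product: a small Python detector run over constructed login-log lines that flags a source trying many distinct accounts in a short window, which is the signature that separates credential stuffing from a brute-force attack on a single account. The log format, thresholds and sample addresses are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of login-log lines (not real data): one source walks a
# list of leaked e-mail/password pairs, a different account per attempt, and
# one of them happens to work; a second source is just a user mistyping once.
SAMPLE_LOG = """\
2020-08-15T10:00:01 src=203.0.113.7 user=alice@example.ca result=FAIL
2020-08-15T10:00:02 src=203.0.113.7 user=bob@example.ca result=FAIL
2020-08-15T10:00:02 src=203.0.113.7 user=carol@example.ca result=FAIL
2020-08-15T10:00:03 src=203.0.113.7 user=dave@example.ca result=SUCCESS
2020-08-15T10:00:04 src=203.0.113.7 user=erin@example.ca result=FAIL
2020-08-15T10:00:05 src=203.0.113.7 user=frank@example.ca result=FAIL
2020-08-15T10:03:00 src=198.51.100.9 user=alice@example.ca result=FAIL
2020-08-15T10:03:30 src=198.51.100.9 user=alice@example.ca result=SUCCESS
"""

LINE_RE = re.compile(r"(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\w+)")

def parse(log_text):
    """Turn log lines into (timestamp, source, user, result) tuples; skip junk lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["src"], m["user"], m["result"]))
    return events

def detect_stuffing(events, window=timedelta(minutes=5), min_users=5, max_success_ratio=0.5):
    """Flag sources that hit at least `min_users` distinct accounts inside `window`
    with a low success rate. Brute force hammers one account; stuffing tries a
    different leaked pair each time, so distinct users per source is the tell."""
    by_src = defaultdict(list)
    for ts, src, user, result in sorted(events):
        by_src[src].append((ts, user, result))
    alerts = {}
    for src, attempts in by_src.items():
        start = 0
        for end in range(len(attempts)):            # sliding window over this source
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            span = attempts[start:end + 1]
            users = {u for _, u, _ in span}
            successes = [u for _, u, r in span if r == "SUCCESS"]
            if len(users) >= min_users and len(successes) / len(span) <= max_success_ratio:
                # Accounts that succeeded during the run are the ones to reset first.
                alerts[src] = {"distinct_users": len(users), "attempts": len(span),
                               "successes": sorted(successes)}
    return alerts
```

Accounts listed under `successes` for a flagged source are the ones whose reused password is now confirmed to work, so they are the first candidates for a forced reset and an MFA enrolment.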

What This Means for You

Continuing to reuse the same credentials across all of the platforms that you use day-to-day puts you at risk of “impersonation attacks” that, at the very least, could be used to destroy reputations through social media, or to steal banking information, with sometimes catastrophic loss of personal finances.

What You Should Do Now

For personal use, we recommend using a secure “password manager”. These solutions allow individuals to store credentials in a single repository and also let you create very strong, unique passwords for each of your platforms. They also use MFA to make sure that only you have access to that repository. Even though one can argue that a compromise of a solution like this is possible, make sure you choose a solution from a reputable organization. These solutions are already in use at many organizations today.

Closing

Organizations need to address this issue with updated policies stating that users should not under any circumstances reuse corporate credentials for personal use. This should then be enforced with proper user awareness training.

For individuals, the use of a password manager will greatly increase your online security and make accessing these accounts much easier, as there are also cell phone apps that make this a convenient and secure way to access your accounts.
