
Credential Stuffing - A Case For Disclosure?

Credential Stuffing Attacks

A Case for Risk-Based Disclosure Under CPS 234

Recent credential stuffing attacks on prominent Australian retailers like The Iconic and Dan Murphy's have brought this cybersecurity threat into sharp focus. For APRA-regulated entities, these incidents underscore the critical importance of understanding and fulfilling disclosure obligations under Prudential Standard CPS 234 Information Security.

The Rising Tide of Credential Stuffing

Credential stuffing has become increasingly prevalent in Australia and globally. These attacks exploit the common user practice of password reuse across multiple sites. Cybercriminals use automated tools to test vast numbers of stolen username and password combinations against various websites, hoping to gain unauthorised access to user accounts.

The scale of this threat is staggering. According to recent studies, there are over 15 billion stolen credentials circulating on the internet. In 2020 alone, one large content delivery network reported more than 193 billion credential stuffing attacks globally. For Australian businesses, the risk is significant and growing.

The Compounding Threat of Residential Proxies

The use of residential proxies has dramatically increased the sophistication and effectiveness of credential stuffing attacks. Residential proxies allow attackers to route their traffic through legitimate residential IP addresses, making their activities appear as normal user behaviour.

This technique poses several challenges:

  1. Bypassing Traditional Defences: Standard IP-based rate limiting and geo-blocking become ineffective when attacks come from diverse, legitimate-looking IP addresses.

  2. Evading Detection: Traffic from residential proxies is harder to distinguish from genuine user activity, complicating detection efforts.

  3. Scalability: Attackers can distribute their attempts across a vast network of proxies, allowing for larger-scale attacks without triggering typical alarm thresholds.

  4. Improved Success Rates: By appearing to come from the same geographic area as legitimate users, these attacks are more likely to bypass location-based security measures.

The Crabby Phenomenon

The emergence of sites like Crabby Cash represents a disturbing trend in the cybercrime ecosystem. These platforms serve as marketplaces for compromised accounts, making it easier for criminals to monetise the results of successful credential stuffing attacks.

Key points about Crabby Cash and similar sites:

  1. Ease of Access: These sites lower the barrier to entry for cybercriminals, providing ready access to compromised accounts.

  2. Rapid Exploitation: Once credentials are verified and listed on these sites, the window for detection and mitigation narrows significantly.

  3. Diverse Targets: The range of compromised accounts often spans multiple industries, including retail, financial services, and entertainment.

  4. Ongoing Threat: The existence of these marketplaces incentivises continuous credential stuffing attempts, creating a persistent threat landscape.

The CPS 234 Disclosure Imperative

The prevalence of credential stuffing attacks, exacerbated by residential proxies and platforms like Crabby Cash, underscores the critical importance of the disclosure requirements in CPS 234.

Paragraph 35 of CPS 234 states:

An APRA-regulated entity must notify APRA as soon as possible and, in any case, no later than 72 hours, after becoming aware of an information security incident that:

(a) materially affected, or had the potential to materially affect, financially or non-financially, the entity or the interests of depositors, policyholders, beneficiaries or other customers; or

(b) has been notified to other regulators, either in Australia or other jurisdictions.

The existence of sites like Crabby Cash amplifies the potential impact of credential stuffing attacks, making them more likely to meet the materiality threshold for disclosure.

A Risk-Based Approach to Disclosure

To effectively manage the threat of credential stuffing and meet CPS 234 obligations, organisations should adopt a risk-based approach to detection, mitigation, and disclosure. This involves:

  1. Working with Specialised Providers: Engage with cybersecurity providers who can offer insights into your organisation's exposure and risk levels based on:

    • Network fingerprinting
    • Levels of breached credential login attempts
    • Prevalence of residential proxy traffic as a high-correlating signal of attack

  2. Continuous Risk Assessment: Regularly evaluate the risk posed by credential stuffing attacks, considering factors such as:

    • The volume and sophistication of attempts
    • The success rate of attacks
    • The potential impact on customers and the organisation

  3. Inadequate Defences as a Risk Signal: Recognise that the absence of robust defences against credential stuffing is itself a risk signal. Organisations without advanced bot detection, multi-factor authentication, and behavioural analysis capabilities may be at higher risk and should consider this in their disclosure decisions.

  4. Adaptive Disclosure Thresholds: Develop flexible, risk-based thresholds for APRA notification that take into account:

    • The current threat landscape
    • The organisation's defensive capabilities
    • The potential impact of a successful attack

Assessing Materiality in Light of These Threats

When assessing whether a credential stuffing incident meets the materiality threshold for APRA notification, entities should consider:

  1. Scale of the Attack: The number of accounts targeted or compromised.

  2. Success Rate: Whether any accounts were actually breached.

  3. Exposure on Dark Web Markets: If compromised credentials appear on sites like Crabby Cash.

  4. Potential Financial Impact: Both immediate losses and potential future exploitation.

  5. Non-Financial Impacts: Including reputational damage and loss of customer trust.

  6. Broader Systemic Risk: Whether the attack could impact the wider financial system.

  7. Defensive Posture: The adequacy of existing controls and the organisation's ability to detect and mitigate attacks.

Proactive Measures and Controls

To mitigate the risks of credential stuffing attacks, particularly those leveraging residential proxies, APRA-regulated entities should implement robust controls as outlined in CPS 234 and CPG 234:

  1. Contextual Security Approach: Implement a contextual security strategy that considers multiple factors to assess the risk of each login attempt, including device characteristics, user behaviour patterns, and network attributes.

  2. Advanced Bot Detection: Deploy sophisticated bot management systems capable of identifying automated attempts, even when they come from diverse IP addresses.

  3. Residential Proxy Detection: Utilise specialised residential proxy detection tools to identify and mitigate threats from this increasingly common attack vector.

  4. Multi-Factor Authentication: As suggested in CPG 234, implement MFA for high-risk activities to provide an additional layer of security beyond passwords.

  5. Behavioural Analysis: Use advanced analytics to detect anomalous login patterns that may indicate credential stuffing attempts.

  6. Continuous Monitoring: Implement real-time monitoring systems to quickly identify and respond to potential attacks.

  7. Password Policies: Encourage or enforce the use of unique, strong passwords to mitigate the impact of credential stuffing.

  8. Customer Education: Proactively inform customers about the risks of password reuse and the importance of strong, unique passwords.

  9. Collaboration and Information Sharing: Engage with industry peers and law enforcement to share threat intelligence and best practices.

  10. Adaptive Authentication: Implement risk-based authentication that adjusts security requirements based on the perceived threat level of each login attempt.

By adopting these measures, particularly a contextual security approach incorporating residential proxy detection, organisations can significantly enhance their resilience against credential stuffing attacks and better protect their customers' accounts.
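The two points above that most need a concrete illustration are the claim in "The Compounding Threat of Residential Proxies" that per-IP rate limiting fails once attempts are spread across many addresses, and the contextual, adaptive-authentication controls in the list just given. The following Python is an added example written for this article; it is not Peakhour's code or product logic. Everything in it is constructed: the log format, the addresses (RFC 5737 documentation ranges), the `RESIDENTIAL_PROXY_IPS` set standing in for a proxy-intelligence feed, the `KNOWN_GOOD_IPS` history, and the scoring weights and thresholds. It runs a naive per-IP failure limit and a set of window-wide campaign signals over the same constructed log, then scores each successful login for step-up MFA.

```python
"""Detecting distributed credential stuffing and applying adaptive authentication.

Added example, not code from the original post. All data, weights and
thresholds below are constructed for illustration.
"""
import re
from collections import Counter

LOG_RE = re.compile(r"ts=(\S+) ip=(\S+) user=(\S+) outcome=(success|failure)")

# Constructed sample: a few genuine logins from repeat addresses...
LEGIT_LOG = [
    "ts=2024-01-15T10:00:01Z ip=203.0.113.10 user=alice outcome=success",
    "ts=2024-01-15T10:00:09Z ip=203.0.113.11 user=bob outcome=failure",
    "ts=2024-01-15T10:00:20Z ip=203.0.113.11 user=bob outcome=success",
    "ts=2024-01-15T10:01:05Z ip=203.0.113.12 user=carol outcome=success",
]
# ...followed by a stuffing burst: 40 attempts, each from a different
# address, each against a different account, two of which succeed.
ATTACK_LOG = [
    f"ts=2024-01-15T10:02:{i:02d}Z ip=198.51.100.{i} user=user{i:03d} "
    f"outcome={'success' if i in (7, 23) else 'failure'}"
    for i in range(1, 41)
]
SAMPLE_LOG = LEGIT_LOG + ATTACK_LOG

# Stand-in for a residential-proxy intelligence feed (constructed); it
# deliberately covers only 30 of the 40 attacking addresses, since real
# feeds are never complete.
RESIDENTIAL_PROXY_IPS = {f"198.51.100.{i}" for i in range(1, 31)}

# Addresses from which each user has previously authenticated successfully.
KNOWN_GOOD_IPS = {"alice": {"203.0.113.10"}, "bob": {"203.0.113.11"}}


def parse(lines):
    """Turn log lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in lines:
        m = LOG_RE.search(line)
        if m:
            ts, ip, user, outcome = m.groups()
            events.append({"ts": ts, "ip": ip, "user": user, "ok": outcome == "success"})
    return events


def per_ip_rate_limit(events, max_failures=5):
    """Traditional control: list addresses that exceed a per-IP failure budget."""
    failures = Counter(e["ip"] for e in events if not e["ok"])
    return sorted(ip for ip, n in failures.items() if n > max_failures)


def campaign_signals(events, proxy_ips):
    """Window-wide signals that survive IP spreading, because they ignore per-IP counts."""
    attempts = len(events)
    failures = [e for e in events if not e["ok"]]
    failing_ips = {e["ip"] for e in failures}
    proxy_hits = sum(1 for e in events if e["ip"] in proxy_ips)
    return {
        "attempts": attempts,
        "failure_ratio": len(failures) / max(attempts, 1),
        "distinct_failing_ips": len(failing_ips),
        "attempts_per_failing_ip": len(failures) / max(len(failing_ips), 1),
        "proxy_fraction": proxy_hits / max(attempts, 1),
        "distinct_targeted_users": len({e["user"] for e in failures}),
    }


def is_campaign(sig, min_failure_ratio=0.5, min_ips=20, max_per_ip=2.0, min_proxy=0.3):
    """Constructed thresholds: many failures, many sources, about one try each, proxy-heavy."""
    return (sig["failure_ratio"] >= min_failure_ratio
            and sig["distinct_failing_ips"] >= min_ips
            and sig["attempts_per_failing_ip"] <= max_per_ip
            and sig["proxy_fraction"] >= min_proxy)


def login_risk(event, known_good, proxy_ips, campaign_active):
    """Contextual score for one attempt; the weights are constructed, not a standard."""
    score, reasons = 0, []
    if event["ip"] in proxy_ips:
        score += 40
        reasons.append("residential-proxy egress")
    if event["ip"] not in known_good.get(event["user"], set()):
        score += 20
        reasons.append("address never seen succeeding for this user")
    if campaign_active:
        score += 30
        reasons.append("stuffing campaign active in this window")
    return score, reasons


def decide(score, step_up_at=50):
    """Adaptive authentication: require MFA at or above the threshold, else allow."""
    return "step-up-mfa" if score >= step_up_at else "allow"


if __name__ == "__main__":
    events = parse(SAMPLE_LOG)
    print("per-IP rate limit flags:", per_ip_rate_limit(events))  # -> [] : one try per address
    sig = campaign_signals(events, RESIDENTIAL_PROXY_IPS)
    active = is_campaign(sig)
    print("campaign signals:", sig, "-> campaign:", active)
    for e in events:
        if e["ok"]:
            score, why = login_risk(e, KNOWN_GOOD_IPS, RESIDENTIAL_PROXY_IPS, active)
            print(f"{e['user']:8} {e['ip']:15} score={score:3} {decide(score)} {why}")
```

Run as a script, the per-IP limit flags nothing even at a budget of five failures, because every attacking address made exactly one attempt; the aggregate signals (failure ratio near 0.9, 39 distinct failing addresses, one attempt per address, two thirds of traffic from the proxy set) declare a campaign. The two successful stuffing logins then score 90 and are sent to MFA, alice from her known address scores 30 and passes, and carol, genuine but on an unseen address during the campaign, scores exactly 50 and also gets a step-up: that friction on a small fraction of legitimate users during an active attack is the trade-off a contextual approach makes deliberately.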

Conclusion

The evolving threat landscape, characterised by sophisticated credential stuffing attacks, the use of residential proxies, and the emergence of platforms like Crabby Cash, necessitates a proactive and risk-based approach to information security and regulatory compliance.

APRA-regulated entities must view credential stuffing attacks not just as technical challenges, but as significant risks that demand Board-level attention and potentially require regulatory disclosure under CPS 234. By implementing robust preventative measures, maintaining effective incident response capabilities, and ensuring clear processes for assessing and reporting incidents, organisations can better protect themselves and their customers from this growing threat.

In this complex and rapidly changing environment, compliance with CPS 234 is not just about meeting regulatory requirements – it's about fostering a culture of robust information security that safeguards the interests of the organisation, its customers, and the broader financial system. The stakes are too high, and the threats too sophisticated, for anything less than full commitment to this critical imperative.

© PEAKHOUR.IO PTY LTD 2024   ABN 76 619 930 826    All rights reserved.