Credential Stuffing – HSBC Case Study

SDO Marketing Staff | November 26, 2018

Earlier this month, HSBC Bank, one of the seven largest financial organizations in the world, issued a warning to its customers that their personal information may have been compromised in a recent data breach.

HSBC officials say the breach appeared to run from the 4th through the 14th of October.

After spotting the breach, the bank announced that it had “suspended online access to prevent further unauthorized entry” to affected accounts.

According to the bank’s official breach notification, information accessed by hackers may include personal details such as names, mailing addresses, phone numbers, email addresses, as well as account data like account numbers, balances, and transaction histories.

How They Pulled It Off

Not surprisingly, initial post-mortems seemed to have identified the point of failure in HSBC’s data security as the ‘usual suspect’ – credentials.

Expert analysis of the incident concluded that the breach has all of the hallmarks of a “credential stuffing” attack. Such attacks involve criminals taking usernames, passwords, or other personal data that has been stolen or leaked and using bot armies to conduct mass login attempts on various sites. According to industry research, 80 percent of all login attempts in online retail over 2017 were conducted during credential stuffing campaigns.

How a Credential Stuffing Attack Works

To execute a stuffing attack, a cybercriminal requires a large quantity of spilled usernames and passwords from a website breach or password dumpsite.

“Passwords are like toothbrushes. They are best when new and should never be shared.” @nullcon

The attacker uses a program called an account checker to test the stolen credentials against many websites, usually high-value sites such as social media platforms or online marketplaces.

Statistically, 0.1 to 0.2 percent of total logins in a well-run stuffing campaign are successful. That may sound like a minuscule amount, but when running hundreds of thousands of credential sets against dozens or even hundreds of sites, those successes add up. After getting a hit, the attacker drains the breached account of stored value, credit card numbers, or other high-value information.

Being such an eminent financial institution, it would not be surprising if HSBC was included in a credential stuffing campaign.

The Latest Victim of Outdated Authentication

The recent HSBC breach may be one of the biggest financial hacks in recent memory.

According to reports, as many as 14,000 customers may have been affected.

The incident should be a wake-up call to IT managers in any organization that their company’s authentication solutions are both outdated and vulnerable.

On the Octopus Blog, we’ve written quite a bit about the danger of reusing credentials. The sad fact is, this remains a widespread phenomenon among users. Even many IT managers ignore their own advice and practice credential reuse. A recent Australian governmental audit of cyber practices demonstrated that the negligent habit of reusing passwords can extend even to governmental agencies.

“The whole notion of passwords is based on an oxymoron. The idea is to have a random string that is easy to remember. Unfortunately, if it’s easy to remember, it’s something nonrandom like ‘Susan.’ And if it’s random, like ‘r7U2*Qnp,’ then it’s not easy to remember.” — Bruce Schneier

The interesting aspect of the HSBC breach is the light it shines on just how vulnerable passwords are. Even when an organization implements a strong password policy – regularly replacing passwords, strengthening them with unique characters, etc. – the human factor will always remain a vulnerability.

There is a myriad of ways cybercriminals could have obtained the HSBC account credentials to use in a stuffing campaign. Most likely, hackers obtained password and username combinations from Dark Web sources. These illicit sites collect databases of stolen or leaked credentials and then sell them to whoever can pay for them.

Needless to say, password strength will not protect against an attack like credential stuffing as the attack uses the actual legitimate password to an account.

“Credential stuffing has long been a way in which criminals access user accounts. Enterprises don’t need more complex passwords. Instead they need to drop the use of passwords entirely. Enterprises should shift to using cryptographic keys stored on user devices for authentication.” Randy Battat
Founder, President And CEO at Preveil

The industry has come up with several tactics to protect against the credential stuffing threat.

One common solution often discussed is limiting access to accounts to specific devices and digital addresses through IP Blacklisting and Device Fingerprinting. In theory, this would prevent attackers from using even a correct password from an unauthorized location. But as experts have repeatedly pointed out, the technologies being used today in stuffing campaigns are able to circumvent these measures by hiding their IP addresses or even mimicking characteristics of trusted devices.
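A defender's view of two points made above (the very low per-login success rate of a stuffing run, and per-IP controls being sidestepped by rotating sources), as an added example that is not part of the original article. The log tuple format, the thresholds and the sample events are all constructed assumptions; the sketch compares a per-IP failure counter with a check on the aggregate shape of each 10-minute window.

```python
from collections import defaultdict

BASE = 1_539_000_000   # constructed epoch time, aligned to a 10-minute boundary
WINDOW = 600           # window length in seconds (assumed)

def sample_events():
    """Constructed login log: (epoch_seconds, source_ip, username, success)."""
    events = []
    for w in (0, 1):                       # ordinary traffic in both windows
        for i in range(40):
            t = BASE + w * WINDOW + i * 10
            if i % 10 == 0:                # occasional typo, then a retry
                events.append((t, f"198.51.100.{i}", f"user{i}", False))
            events.append((t + 5, f"198.51.100.{i}", f"user{i}", True))
    for i in range(1000):                  # second window: 1000 leaked names,
        t = BASE + WINDOW + (i * WINDOW) // 1000   # 250 rotating sources, 2 hits
        events.append((t, f"203.0.113.{i % 250}", f"leaked{i}", i in (137, 802)))
    return events

def per_ip_alerts(events, max_failures=5):
    """Per-source control: IPs with more than max_failures failed logins."""
    fails = defaultdict(int)
    for _, ip, _, ok in events:
        fails[ip] += not ok
    return {ip for ip, n in fails.items() if n > max_failures}

def stuffing_windows(events, min_users=100, max_tries=1.5, max_success=0.10):
    """Windows with many distinct usernames, about one try each, few successes."""
    buckets = defaultdict(list)
    for t, _, user, ok in events:
        buckets[t // WINDOW * WINDOW].append((user, ok))
    flagged = []
    for start, rows in sorted(buckets.items()):
        users = len({u for u, _ in rows})
        rate = sum(ok for _, ok in rows) / len(rows)
        if users >= min_users and len(rows) / users <= max_tries and rate <= max_success:
            flagged.append((start, users, rate))
    return flagged

if __name__ == "__main__":
    ev = sample_events()
    print("per-IP alerts:", per_ip_alerts(ev))
    for start, users, rate in stuffing_windows(ev):
        print(f"window {start}: {users} usernames, {rate:.2%} success")
```

On the constructed data the per-IP counter stays silent because each source makes only four attempts, while the window-level check flags the second window.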

Some have put forward temporary, or one-time, passwords (OTPs) as the ideal solution. This will make the reuse of a password by an attacker impossible. The problem with OTPs is that they create a considerable burden in terms of usability, for instance by requiring users to carry around password tokens. Even solutions that don’t require an additional device, such as ‘soft’ token apps or SMS verification, are susceptible to Man in the Middle (MITM) and other non-conventional attacks.

Ditching Passwords, Shoring Up the Threat

Secret Double Octopus technology circumvents all the authentication challenges facing enterprises today by shifting away from the password paradigm.

The Octopus Authenticator, using its mathematically unbreakable Secret Sharing scheme, sends user-friendly push notifications to execute authentication. All users are required to do is respond to these messages, delivered directly to their mobile devices.

The Secret Double Octopus platform removes passwords completely from the authentication process, and with them the burden they place on users. No more storing and remembering credentials, no more carrying around additional devices for verification. Similarly, IT managers are relieved from the responsibility of managing passwords, including the expense in money and manpower that comes with helpdesk calls and password resets.

Octopus Authenticator offers the very highest in authentication assurance while delivering the most seamless and user-friendly authentication platform on the market.