Isn’t it great to be able to have all the information you could possibly need for any car journey at your fingertips? And even better to get rewards for using the car? But sadly, nothing ever comes for free as customers of General Motors discovered recently.
Once again mainstream media headlines have been consumed with news of an attack on General Motors. Except that it wasn’t really on General Motors, but it kind of was.
During April, GM noticed fraudulent logins and reward point redemptions on customer accounts. On further investigation the company also discovered that certain sensitive information was exposed to the attackers, including usernames and contact information, location data, wi-fi hotspots (and passwords) and connected friends and family.
The attack technique was an oldie but a goodie – Credential stuffing. Attackers were able to try credentials obtained from an unrelated data breach to see which usernames and passwords matched legitimate GM customers and log into their accounts. Credential stuffing is effective as many ‘users’ recycle usernames and passwords across multiple accounts.
While GM have contained the attack, notified all customers, and said that the cause of the attack was ‘customers’ own poor cybersecurity practices’, this does not let vendors off the hook. Once attackers have access to accounts, they can combine that foothold with more sophisticated attack techniques to launch larger scale attack campaigns.
Vendors should always take steps to protect customer accounts, that go far beyond the protections GM appears to have in place (their advice to customers was to change their account passwords, which will only offer partial protection).
Instead, help customers protect their own accounts with the following best practices:
Encourage unique passwords – remind customers of the impact of recycling credentials.
Reduce reliance on passwords – implement MFA on accounts, especially for logins on a new device. MFA reduces vulnerability to credential stuffing as it adds a final first step.
Prevent users logging into accounts on more than one device or browser at a time. Initiating automatic logout on the open account, or a warning that this will log them out of an already open account will alert customers to a problem on their account.
Fight back against credential stuffing brute force attacks by placing limits on log-in attempts.
After all, isn’t it better to keep attackers from ever getting any kind of foothold into systems?