UK: Loyalty Cards Targeted in Tesco Clubcard Attack

Gandalf_The_Grey
Apr 24, 2016
U.K. supermarket giant Tesco is warning on a credential-stuffing attack that potentially affects 600,000 members of its Clubcard loyalty program.
It said that it detected cybercriminals trying out different name and password combos, gleaned from a database of stolen usernames and passwords for other services, on Clubcard accounts. The efforts were partially successful, it said, so out of an abundance of caution, it is replacing cards and requiring shoppers to set up new credentials.
“We are aware of some fraudulent activity around the redemption of a small proportion of our customers’ Clubcard vouchers,” a Tesco spokesperson told the BBC. “Our internal systems picked this up quickly and we immediately took steps to protect our customers and restrict access to their accounts.”
No financial data was exposed, Tesco added, and people’s loyalty points will remain unaffected. It notified those it thought could be affected:

There’s a growing underground market for loyalty program data. Hackers can sell the account’s credentials, or offer direct access to the accounts to people that go on to use the stored value, coupons, points and so on contained in them for themselves. Other rewards-point abuse often revolves around the ability to set up scams offering “discounted goods” that were actually purchased using stolen points.
Credential stuffing meanwhile is a go-to account takeover technique. It’s an automated, bot-driven process that takes advantage of the fact that users often reuse the same passwords across multiple online accounts. Credential-stuffing has been on the rise thanks to several large-scale credential dumps online, and several high-profile companies have fallen victim to it, including Dunkin Donuts, FC Barcelona and State Farm.
“Using leaked or stolen access credentials from data breaches, the bots will then hammer the sites with multiple login attempts until one of the combinations pans out,” security firm ESET noted in a recent posting.
Conclusion:
One common recommendation is to implement multi- or two-factor authentication (MFA/2FA). “Facebook, Instagram and Twitter all offer several 2FA methods,” ESET noted. “The second authentication factor offers a valuable additional layer of protection in exchange for very little effort.”
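A defender-side way to spot the bot-driven pattern the ESET quote describes (one source hammering many different accounts with leaked pairs), added here as an example that is not part of the original post or of any Tesco system. The log format, IPs, usernames, timestamps and thresholds are all constructed assumptions; lines are assumed to arrive in chronological order.

```python
"""Credential-stuffing detector over constructed authentication log lines.

Flags a source IP when, inside a sliding time window, it attempts logins
against many *distinct* usernames with a high failure ratio. A real user
who mistypes a password hits one account; a stuffing bot walks a list.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Illustrative thresholds (assumptions, tune per site and traffic profile).
WINDOW = timedelta(minutes=5)
MIN_DISTINCT_USERS = 5
MIN_FAILURE_RATIO = 0.8

# Constructed sample log: "ISO-timestamp source-ip username FAIL|SUCCESS".
# 203.0.113.7 behaves like a stuffing bot; 198.51.100.4 is a user who
# fumbles their own password a few times and then gets in.
SAMPLE_LOG = [
    "2020-03-02T10:00:01 203.0.113.7 alice FAIL",
    "2020-03-02T10:00:02 198.51.100.4 bob FAIL",
    "2020-03-02T10:00:03 203.0.113.7 carol FAIL",
    "2020-03-02T10:00:04 203.0.113.7 dave FAIL",
    "2020-03-02T10:00:05 198.51.100.4 bob FAIL",
    "2020-03-02T10:00:06 203.0.113.7 erin FAIL",
    "2020-03-02T10:00:07 203.0.113.7 frank SUCCESS",
    "2020-03-02T10:00:08 198.51.100.4 bob SUCCESS",
    "2020-03-02T10:00:09 203.0.113.7 grace FAIL",
]


def parse_line(line):
    """Parse one log line into (timestamp, ip, username, succeeded)."""
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user, result == "SUCCESS"


def detect_stuffing(lines, window=WINDOW, min_users=MIN_DISTINCT_USERS,
                    min_fail=MIN_FAILURE_RATIO):
    """Return {ip: stats} for every IP that crossed the thresholds.

    stats holds the distinct usernames, total attempts and failures seen
    in the most recent window at the moment the IP was last flagged.
    """
    events = defaultdict(deque)   # ip -> (ts, user, ok) events in window
    flagged = {}
    for line in lines:
        ts, ip, user, ok = parse_line(line)
        q = events[ip]
        q.append((ts, user, ok))
        while q and ts - q[0][0] > window:   # drop events older than window
            q.popleft()
        users = {u for _, u, _ in q}
        failures = sum(1 for _, _, k in q if not k)
        if len(users) >= min_users and failures / len(q) >= min_fail:
            flagged[ip] = {"distinct_users": len(users),
                           "attempts": len(q), "failures": failures}
    return flagged
```

The same counters, keyed on the username instead of the IP, give the complementary view: one account hit from many sources, which is how a distributed botnet looks.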