Recent credential stuffing attacks on prominent Australian retailers like The Iconic and Dan Murphy's have brought this threat into sharper focus. For APRA-regulated entities, these incidents are a reminder that credential stuffing is not only an account takeover issue. It can also trigger assessment and disclosure obligations under Prudential Standard CPS 234 Information Security.
The Rising Tide of Credential Stuffing
Credential stuffing is now one of the most common account takeover techniques in Australia and globally. It exploits password reuse: attackers take username and password pairs leaked from one breach and use automated tools to replay them at high volume against other sites, looking for accounts where the same password still works. No vulnerability in the target site is needed; the credentials are simply valid.
The scale is large. Recent studies put the number of stolen credentials circulating on the internet at more than 15 billion, and in 2020 alone one large content delivery network observed more than 193 billion credential stuffing attempts globally. For Australian businesses, the risk is significant and growing.
The Compounding Threat of Residential Proxies
The use of residential proxies has increased the sophistication and effectiveness of credential stuffing attacks. Residential proxies route the attacker's traffic through IP addresses assigned to consumer ISPs, so each attempt appears to come from an ordinary home connection in the target's own market rather than from a data centre or a single abusive source.
This technique poses several challenges:
- Bypassing Traditional Defences: Per-IP rate limiting, IP reputation lists and geo-blocking become ineffective when each attempt arrives from a different, legitimate-looking residential address and no single IP ever exceeds a threshold.
- Evading Detection: Traffic from residential proxies is harder to distinguish from genuine user activity, complicating detection efforts.
- Scalability: Attackers can distribute their attempts across a large network of proxies, allowing for larger-scale attacks without triggering typical alarm thresholds.
- Improved Success Rates: By appearing to come from the same geographic area as legitimate users, these attacks are more likely to bypass location-based security measures.
The Crabby Phenomenon
The emergence of sites like Crabby Cash shows how credential stuffing fits into a broader cybercrime market. These platforms serve as marketplaces for compromised accounts, making it easier for criminals to monetise successful credential stuffing attacks.
Key points about Crabby Cash and similar sites:
- Ease of Access: These sites lower the barrier to entry for cybercriminals, providing ready access to compromised accounts.
- Rapid Exploitation: Once credentials are verified and listed on these sites, the window for detection and mitigation narrows significantly.
- Diverse Targets: The range of compromised accounts often spans multiple industries, including retail, financial services, and entertainment.
- Ongoing Threat: The existence of these marketplaces incentivises continuous credential stuffing attempts, creating a persistent threat landscape.
The CPS 234 Disclosure Imperative
The prevalence of credential stuffing attacks, compounded by residential proxies and platforms like Crabby Cash, makes the disclosure requirements in CPS 234 directly relevant.
Paragraph 35 of CPS 234 states:
An APRA-regulated entity must notify APRA as soon as possible and, in any case, no later than 72 hours, after becoming aware of an information security incident that:
(a) materially affected, or had the potential to materially affect, financially or non-financially, the entity or the interests of depositors, policyholders, beneficiaries or other customers; or
(b) has been notified to other regulators, either in Australia or other jurisdictions.
The existence of sites like Crabby Cash can increase the potential impact of credential stuffing attacks, making them more likely to meet the materiality threshold for disclosure.
A Risk-Based Approach to Disclosure
To manage credential stuffing risk and meet CPS 234 obligations, organisations should take a risk-based approach to detection, mitigation, and disclosure. This involves:
- Working with Specialised Providers: Engage with cybersecurity providers who can offer insights into your organisation's exposure and risk levels based on:
  - Network fingerprinting
  - Levels of breached credential login attempts
  - Prevalence of residential proxy traffic as a high-correlating signal of attack
- Continuous Risk Assessment: Regularly evaluate the risk posed by credential stuffing attacks, considering factors such as:
  - The volume and sophistication of attempts
  - The success rate of attacks
  - The potential impact on customers and the organisation
- Inadequate Defences as a Risk Signal: Recognise that the absence of robust defences against credential stuffing is itself a risk signal. Organisations without advanced bot detection, multi-factor authentication, and behavioural analysis capabilities may face higher risk and should consider this in their disclosure decisions.
- Risk-Based Materiality Criteria: Define in advance how the entity will decide whether a credential stuffing incident meets the materiality test in paragraph 35, taking into account:
  - The current threat landscape
  - The organisation's defensive capabilities
  - The potential impact of a successful attack
  The 72-hour deadline itself is fixed by paragraph 35 and runs from the point the entity becomes aware of the incident. What a risk-based approach can shape is the materiality judgement and how quickly the facts needed to make it (accounts attempted, accounts accessed, data or funds reachable) are assembled.
Assessing Materiality in Light of These Threats
When assessing whether a credential stuffing incident meets the materiality threshold for APRA notification, entities should consider:
- Scale of the Attack: The number of accounts targeted or compromised, and what was reachable from those accounts (stored payment details, personal information, the ability to transact).
- Success Rate: Whether any accounts were actually accessed, and how many.
- Exposure on Dark Web Markets: Whether compromised credentials or accounts appear on sites like Crabby Cash.
- Potential Financial Impact: Both immediate losses and potential future exploitation.
- Non-Financial Impacts: Including reputational damage and loss of customer trust.
- Broader Systemic Risk: Whether the attack could impact the wider financial system.
- Defensive Posture: The adequacy of existing controls and the organisation's ability to detect and mitigate attacks.
Proactive Measures and Controls
To mitigate the risks of credential stuffing attacks, particularly those leveraging residential proxies, APRA-regulated entities should implement robust controls as outlined in CPS 234 and CPG 234:
- Contextual Security Approach: Assess each login attempt on several signals together rather than on IP address alone: device characteristics, the user's normal behaviour patterns, and network attributes such as ASN, proxy or hosting indicators and TLS fingerprint.
- Advanced Bot Detection: Deploy bot management capable of identifying automated attempts by how the client behaves, even when each request comes from a different IP address.
- Residential Proxy Detection: Use specialised residential proxy detection to identify and mitigate traffic routed through this increasingly common attack path. Treat it as one risk signal rather than a hard block, because some legitimate customers sit behind the same consumer address ranges.
- Multi-Factor Authentication: As suggested in CPG 234, require MFA for high-risk activities so that a reused password alone is not enough. Prefer phishing-resistant factors where practical; SMS codes and push prompts raise the bar but can still be defeated by a determined attacker.
- Behavioural Analysis: Use analytics to detect login patterns that are anomalous at the population level, not just per user: a sudden rise in the login failure ratio, many distinct accounts failing once each from many distinct IPs, or a single client fingerprint spanning hundreds of accounts.
- Continuous Monitoring: Implement real-time monitoring so an attack is identified while it is running rather than discovered from customer complaints days later. This matters for paragraph 35, whose 72-hour period runs from when the entity becomes aware of the incident.
- Password Policies: Encourage or enforce unique, strong passwords, and screen new passwords against lists of known-breached passwords, since the pairs used in credential stuffing come from earlier breaches. Force a reset on any account confirmed as accessed.
- Customer Education: Proactively inform customers about the risks of password reuse and the importance of strong, unique passwords.
- Collaboration and Information Sharing: Engage with industry peers and law enforcement to share threat intelligence and effective practices.
- Adaptive Authentication: Implement risk-based authentication that steps up requirements (an MFA challenge, device verification) when the signals above indicate elevated risk, while staying frictionless for ordinary logins.
By adopting these measures, particularly a contextual security approach incorporating residential proxy detection, organisations can improve their resilience against credential stuffing attacks and better protect their customers' accounts.
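As an added example (not code from the original page or from any provider it mentions), the following Python shows, over constructed sample authentication events, why a per-IP failure counter misses a proxy-distributed stuffing run while population-level signals of the kind listed above (login failure ratio, distinct accounts per client fingerprint, failing accounts spread across roughly as many IPs) still expose it. The event fields, thresholds, User-Agent strings and IP ranges are assumptions for illustration; in a real deployment the client fingerprint would combine more than the User-Agent header.

```python
"""Credential stuffing detection over constructed sample auth events.

Compares a per-IP failure counter (blind to a residential-proxy run where
each IP makes one attempt) with population-level signals that still expose
the run: login failure ratio, distinct accounts per client fingerprint, and
failing accounts spread across as many distinct IPs.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data, not real logs. Each event is a tuple:
# (timestamp, source_ip, username, user_agent, login_succeeded)
BASE = datetime(2024, 1, 15, 9, 0, 0)
LEGIT_UA = "Mozilla/5.0 (iPhone; CPU iPhone OS 17_2 like Mac OS X) Safari/605.1"
TOOL_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0.0.0 Safari/537.36"


def constructed_events():
    """Five ordinary logins (one mistyped password) mixed with a 40-attempt
    stuffing run: 40 distinct accounts, 40 distinct proxy IPs, one tool
    fingerprint, and two accounts where the reused password still works."""
    events = []
    legit = [("alice", "192.0.2.10", True), ("bob", "192.0.2.11", False),
             ("bob", "192.0.2.11", True), ("carol", "192.0.2.12", True),
             ("dave", "192.0.2.13", True)]
    for i, (user, ip, ok) in enumerate(legit):
        events.append((BASE + timedelta(seconds=30 * i), ip, user, LEGIT_UA, ok))
    for i in range(40):
        events.append((BASE + timedelta(seconds=2 * i), f"203.0.113.{i + 1}",
                       f"cust{i:03d}", TOOL_UA, i in (7, 23)))
    return sorted(events, key=lambda e: e[0])


def per_ip_rate_limit(events, window=timedelta(minutes=5), max_failures=5):
    """Traditional control: block an IP with more than max_failures failed
    logins inside a sliding window. Returns the set of blocked IPs."""
    recent_failures = defaultdict(list)
    blocked = set()
    for ts, ip, _user, _ua, ok in events:
        if ok:
            continue
        kept = [t for t in recent_failures[ip] if ts - t <= window] + [ts]
        recent_failures[ip] = kept
        if len(kept) > max_failures:
            blocked.add(ip)
    return blocked


def stuffing_signals(events, window=timedelta(minutes=5)):
    """Population-level signals over the window ending at the latest event."""
    end = max(e[0] for e in events)
    recent = [e for e in events if end - e[0] <= window]
    failures = [e for e in recent if not e[4]]
    users_per_fp = defaultdict(set)
    ips_per_fp = defaultdict(set)
    for _ts, ip, user, ua, _ok in recent:
        users_per_fp[ua].add(user)   # fingerprint = User-Agent here (assumption)
        ips_per_fp[ua].add(ip)
    suspect = max(users_per_fp, key=lambda fp: len(users_per_fp[fp]))
    # Successful logins under the suspect fingerprint: the accounts an
    # analyst must count for the CPS 234 materiality assessment.
    hits = sorted({e[2] for e in recent if e[4] and e[3] == suspect})
    return {
        "attempts": len(recent),
        "failure_ratio": len(failures) / len(recent),
        "distinct_failing_ips": len({e[1] for e in failures}),
        "distinct_failing_users": len({e[2] for e in failures}),
        "users_per_fingerprint": len(users_per_fp[suspect]),
        "ips_per_fingerprint": len(ips_per_fp[suspect]),
        "suspect_fingerprint": suspect,
        "accounts_hit": hits,
    }


def is_credential_stuffing(sig, baseline_failure_ratio=0.05, min_attempts=20,
                           min_users_per_fingerprint=15):
    """Flag a window when the failure ratio is well above baseline, failures
    are spread across roughly as many IPs as accounts (so no single IP trips
    a counter), and one client fingerprint spans many accounts.
    Thresholds are illustrative; tune them against the entity's own baseline."""
    if sig["attempts"] < min_attempts:
        return False
    spread_across_ips = (sig["distinct_failing_ips"]
                         >= 0.8 * sig["distinct_failing_users"])
    return (sig["failure_ratio"] > 4 * baseline_failure_ratio
            and spread_across_ips
            and sig["users_per_fingerprint"] >= min_users_per_fingerprint)


if __name__ == "__main__":
    events = constructed_events()
    print("per-IP rate limit blocked:", per_ip_rate_limit(events) or "nothing")
    sig = stuffing_signals(events)
    print("credential stuffing detected:", is_credential_stuffing(sig))
    print("accounts to assess for takeover:", sig["accounts_hit"])
```

Run stand-alone, the per-IP limiter blocks nothing because every proxy address fails only once, while the population signals flag the window and list the two accounts where the reused password worked. Those two accounts are the starting point for the materiality assessment: what was reachable from them, whether anything was changed or withdrawn, and whether they have since appeared for sale.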
Conclusion
Credential stuffing, residential proxies, and platforms like Crabby Cash make account takeover risk harder to assess and harder to contain. APRA-regulated entities need a proactive, risk-based approach to information security and regulatory compliance.
APRA-regulated entities should treat credential stuffing attacks as more than a technical control problem. They are business risks that may require Board-level attention and, depending on materiality, regulatory disclosure under CPS 234. By implementing preventative measures, maintaining effective incident response capabilities, and keeping clear processes for assessing and reporting incidents, organisations can better protect themselves and their customers from this growing threat.
In this environment, CPS 234 compliance is not only a reporting exercise. It depends on information security controls that protect the organisation, its customers, and the broader financial system before credential stuffing becomes a material incident.