The latest news that First Horizon Bank was the victim of a credential stuffing attack proves just how valuable credential harvesting can be. Over $1 million was stolen from just under 200 accounts at the Memphis, TN based financial services company.
Credential harvesting starts with a compromised source of JavaScript to skim forms, fields, inputs, or text areas for vital information. These types of attacks are carried out by different groups under the Magecart banner. The goal of these attacks is to build a database of usernames, passwords, security question answers, and other pieces of information related to account credentials. The primary source of this eSkimming behavior is JavaScript; due to it’s unmonitored and unsecured access to a website. JavaScript skimmers date back to at least 2014 and are an ever present threat to websites which contain PII, PHI, financial, or payment information.
State of Denial
Numerous states are enacting data privacy acts to provide guidance on how these data breaches are reported to consumers and law enforcement. Many, like the California CPA, Virginia CDPA, and Washington Privacy Act, go beyond breach notifications and step into requiring data controllers and processors to protect data at means of collection. Ultimately these pieces of legislation are in place to report on and deny access to data which may be used maliciously.
The most recent CCPA settlement against Hanna Andersson valued $400,000 in cash and required the hiring of a Director of Cybersecurity. As more states like Connecticut, Nevada, Maine, New York, Massachusetts, New Jersey, Maryland, Oregon, and Texas enact, legislate, or debate these types of data protections it becomes clear that consumer data needs to be protected.
Preventative Defense
by common marketing tools such as Facebook Connect
The Source Defense Security Platform prevents these credential harvesting attacks in real time. The included image illustrates our real-time prevention of skimming events on fields which may be used for harvesting attacks or which may cause data privacy violations. As a financial institution or any website which is collecting this type of data it makes sense to protect your visitors from this attack type in real-time. Source Defense offers that protection.
PCI DSS 4.0 makes client-side security a priority.
Source Defense delivers a solution for 6.4.3 and 11.6.1 without adding a burden to your security teams.
