The staple of fast food restaurants in the U.K., Nando's, has seen its customers robbed of hundreds of pounds from their bank accounts after an apparent breach of payment information.
But this does not appear to be a simple data breach, as payment-card information is not stored in Nando's accounts, leaving some questions as to how the hacks occurred.
It would seem like this was a massive credential-stuffing attack (as the company confirmed last week).
Credential stuffing is a pretty common attack these days, with hackers taking full advantage of automated tools to try combinations of emails and passwords already exposed in previous massive leaks.
This is done through pure brute forcing of the leaked credential pairs against the target site until a match has been found. Then they just proceed with a standard account takeover.
According to the Mirror, usernames and passwords were stolen and the accounts used to place high-volume orders.
As per standard account takeover practice, mobile numbers were also changed on the impacted accounts.
“We can confirm that while our systems have not been hacked, unfortunately some individual Nando customer accounts have been accessed by a party or parties using a technique called credential-stuffing, whereby the customer’s email address and password have been stolen from somewhere else and, if they use the same details with us, used to access their Nando’s accounts,” Nando’s said in a press statement.
“We take immediate action to refund anyone who has been impacted and secure those affected Nando’s accounts.”
“We have made and are continuing to make investments to improve our detection and prevention of suspicious and malicious activity. We apologize to our customers who have been impacted by this,” they added.
Because of COVID-19, Nando’s customers must place an order online or by using a QR code. A practice all too common these days.
They’re then prompted for their payment details, but customers said that those details aren’t stored in the account.
Nando’s is not the first, credential stuffing is on the rise
This attack shouldn’t come as a surprise: at the beginning of last year, a report came out that “Hackers Are Passing Around a Megaleak of 2.2 Billion Records”, and this could be only the tip of the iceberg.
Because a single attempt of this type has a low probability of success, hackers now leverage botnets to pump up the number of attempts, and we are talking millions and millions of attempts per day.
The problem has become so serious that even the FBI spoke about it, with some recommendations from its cyber division for mitigating these attacks:
- Alert customers and employees these attacks are being made and actively monitor accounts for unauthorized access, modification, and anomalous activities.
- Advise customers and employees to use unique passwords that are not being used for any other accounts and to change their passwords regularly.
- Direct customers to change their usernames and passwords upon identification of account compromise or fraud.
- Validate customer credential pairs against databases of known leaked usernames/passwords.
- Modify Internet banking login page responses to remove indicators that reveal the validity of credential pairs by issuing the same error message and response time when both username and password are incorrect or only the password is incorrect.
- Establish company policies to contact the owner of an account to verify any changes to existing account information.
- Establish multifactor authentication (MFA) for creating and updating account information, especially for bank, insurance, and trading accounts, as well as for providing initial account access to financial aggregator services.
- Use anomaly detection tools that identify an unusual increase in traffic and failed authentication attempts.
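As an added illustration of the last two recommendations (validating against known-leaked pairs aside), here is a small detector run over constructed login log lines. This is example code written for this post, not Nando's or the FBI's; the log format, the thresholds and the IP addresses are assumptions.

```python
"""Spot credential-stuffing patterns in authentication logs (constructed sample)."""
from collections import defaultdict

# Constructed sample log lines: timestamp, source IP, username, outcome.
SAMPLE_LOG = """\
2020-11-02T10:00:01 203.0.113.5 alice@example.com FAIL
2020-11-02T10:00:02 203.0.113.5 bob@example.com FAIL
2020-11-02T10:00:02 203.0.113.5 carol@example.com FAIL
2020-11-02T10:00:03 203.0.113.5 dave@example.com OK
2020-11-02T10:00:04 203.0.113.5 erin@example.com FAIL
2020-11-02T10:00:05 203.0.113.5 frank@example.com FAIL
2020-11-02T10:05:00 198.51.100.7 alice@example.com FAIL
2020-11-02T10:05:04 198.51.100.7 alice@example.com OK
"""

def parse_log(text):
    events = []
    for line in text.splitlines():
        ts, ip, user, outcome = line.split()
        events.append({"ts": ts, "ip": ip, "user": user, "ok": outcome == "OK"})
    return events

def flag_stuffing_sources(events, min_users=5, max_success_ratio=0.3):
    """Return IPs that tried many distinct usernames with mostly failures.

    A legitimate user who mistypes a password retries the *same* account, so a
    low success ratio spread across many different accounts from one source is
    the characteristic credential-stuffing signature (most replayed pairs don't
    match). The thresholds are assumptions to tune per site."""
    per_ip = defaultdict(lambda: {"users": set(), "ok": 0, "total": 0})
    for e in events:
        s = per_ip[e["ip"]]
        s["users"].add(e["user"])
        s["total"] += 1
        s["ok"] += e["ok"]
    return sorted(ip for ip, s in per_ip.items()
                  if len(s["users"]) >= min_users
                  and s["ok"] / s["total"] <= max_success_ratio)

def compromised_accounts(events, bad_ips):
    """Accounts that logged in successfully from a flagged source: the ones to
    force a password reset on and check for changed contact details."""
    return sorted({e["user"] for e in events if e["ok"] and e["ip"] in bad_ips})
```

With the sample above, 203.0.113.5 is flagged (six accounts, one success) while the single-account retry from 198.51.100.7 is not.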