Hackers have an unending appetite to steal and then slice and dice personally identifiable information (PII). This week, the industry has learned about a ransomware attack on Subway and more recently, a credential-stuffing attack on another popular eatery: Jason’s Deli.
In a filing with the state of Maine, officials at Jason’s Deli reported that more than 344,000 people may have been exposed, while Subway launched an investigation after the LockBit ransomware group claimed on Jan. 21 that it had hacked into the company’s computer systems and stolen a large amount of personal data.
Jason’s Deli reported in a letter to its customers that it learned on Dec. 21 that an “unauthorized party” obtained an unknown number of “Deli Dollar” and online account log-in credentials, most likely from other data breaches or other sources not involving the restaurant chain.
“These unauthorized parties apparently used these login credentials to determine if they matched those of our reward and online accounts,” said the company. “For example, if you utilized the same user name and password combination to open your Jason’s Deli account that was used on another website or account with a company that may have been compromised in the past, this would theoretically allow them access to your Jason’s Deli account.”
The company added that it believed the incident was not the result of the unauthorized party hacking into Jason’s Deli systems to obtain the information, because the company does not store or retain customer log-in credentials.
How MFA can help protect against credential stuffing
While Jason’s Deli recommended that customers change their usernames and use stronger passwords, it did not say anything about multi-factor authentication (MFA), which security pros say is very much needed in this situation. An effort to reach Jason’s Deli to comment on the MFA issue was unsuccessful as of this writing.
“While ‘just implementing MFA’ does seem like too easy of a fix, it actually is,” said Ira Winkler, chief information security officer at CYE. “Credential stuffing relies upon users reusing passwords across multiple accounts, and at least one of those accounts being compromised and the credentials being sold or available on the dark web or other sources. Criminals just take lists of compromised credentials and automate entering those credentials into other websites, frequently retail or banking, to compromise the users on those systems.”
Winkler said implementing MFA makes the attacks exponentially more difficult because if a user does reuse the password on the website being "stuffed," the attack stops in its tracks unless the criminal has implemented an elaborate system to compromise the MFA. Ideally, such MFA tools do not rely upon a simple push confirmation, where a user gets a request on their mobile device for them to simply approve. With push notifications, MFA-fatigue attacks cause users to just accept a log-in request. The potential victim websites should ideally have a system that requires more active actions on the users’ part than a simple confirmation, or put holds on an account if the user rejects an MFA push, said Winkler.
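The two site-side controls Winkler describes above, spotting a credential-stuffing run in the login logs and placing a hold on an account whose owner rejects an MFA push (with a number-matching step so a blind "Approve" tap does not complete the login), as an added Python example. It is not code from the article or from any of the companies named; the auth log lines, IP addresses and usernames are constructed, and the thresholds (five distinct usernames, 60% failure rate, one rejected push) are assumptions a deployment would tune.

```python
"""Credential-stuffing detection over auth logs, plus an MFA push-hold policy."""
import secrets
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample auth log (not from any real system):
# timestamp, source IP, username, outcome of the password check
SAMPLE_LOG = """\
2024-01-21T10:00:01Z 203.0.113.7 alice@example.com FAIL
2024-01-21T10:00:02Z 203.0.113.7 bob@example.com FAIL
2024-01-21T10:00:02Z 203.0.113.7 carol@example.com FAIL
2024-01-21T10:00:03Z 203.0.113.7 dave@example.com OK
2024-01-21T10:00:03Z 203.0.113.7 erin@example.com FAIL
2024-01-21T10:00:04Z 203.0.113.7 frank@example.com FAIL
2024-01-21T10:00:04Z 203.0.113.7 grace@example.com FAIL
2024-01-21T10:00:05Z 203.0.113.7 heidi@example.com FAIL
2024-01-21T10:00:05Z 203.0.113.7 ivan@example.com OK
2024-01-21T10:00:06Z 203.0.113.7 judy@example.com FAIL
2024-01-21T10:01:00Z 198.51.100.4 alice@example.com FAIL
2024-01-21T10:01:05Z 198.51.100.4 alice@example.com FAIL
2024-01-21T10:01:09Z 198.51.100.4 alice@example.com OK
"""


def parse_log(text):
    """Return a list of (timestamp, ip, username, password_ok) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, outcome = line.split()
        events.append((ts, ip, user, outcome == "OK"))
    return events


def find_stuffing_sources(events, min_users=5, min_fail_ratio=0.6):
    """Return {ip: (distinct_users, fail_ratio)} for sources that look like stuffing.

    A legitimate user retrying a forgotten password touches one or two
    usernames; a stuffing tool walks a leaked list of username/password pairs,
    so it touches many distinct usernames and most attempts fail.
    """
    per_ip = defaultdict(lambda: {"users": set(), "attempts": 0, "fails": 0})
    for _, ip, user, ok in events:
        rec = per_ip[ip]
        rec["users"].add(user)
        rec["attempts"] += 1
        if not ok:
            rec["fails"] += 1
    flagged = {}
    for ip, rec in per_ip.items():
        ratio = rec["fails"] / rec["attempts"]
        if len(rec["users"]) >= min_users and ratio >= min_fail_ratio:
            flagged[ip] = (len(rec["users"]), ratio)
    return flagged


def accounts_to_notify(events, flagged):
    """Usernames where a flagged source got a password match: these are the
    reused-password accounts the run actually hit and should be reset."""
    return sorted({user for _, ip, user, ok in events if ip in flagged and ok})


@dataclass
class MfaPolicy:
    """Number-matching push with an account hold after a rejected push."""
    held: set = field(default_factory=set)
    pending: dict = field(default_factory=dict)
    rejected_pushes: dict = field(default_factory=lambda: defaultdict(int))
    max_rejections: int = 1  # assumption: one rejection is enough to hold

    def issue_push(self, user):
        """Show a two-digit code on the login page; the user must type it into
        the authenticator, so a fatigued 'Approve' tap alone does not pass."""
        code = f"{secrets.randbelow(100):02d}"
        self.pending[user] = code
        return code

    def complete_push(self, user, entered_code):
        """entered_code is None when the user rejected the push."""
        expected = self.pending.pop(user, None)
        if user in self.held:
            return "held"          # hold stays until a defender reviews it
        if entered_code is None:
            self.rejected_pushes[user] += 1
            if self.rejected_pushes[user] >= self.max_rejections:
                self.held.add(user)
                return "held"
            return "denied"
        if expected is not None and secrets.compare_digest(expected, entered_code):
            return "allowed"
        return "denied"            # wrong code: approval without the match


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    hits = find_stuffing_sources(evs)
    print("stuffing sources:", hits)
    print("accounts to reset:", accounts_to_notify(evs, hits))
```

The detector keys on the shape Winkler describes, many distinct usernames with a high failure rate from one source, rather than on failed logins alone, so a single user fumbling their own password (the second IP in the sample) is not flagged. The successes inside a flagged burst are exactly the reused-password accounts, which is the list a site would reset and notify.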
Cybercriminals who use credential-stuffing techniques are not particularly targeting sub shops, said Joseph Carson, chief security scientist and Advisory CISO at Delinea, when asked why there was suddenly a rash of attacks on sandwich shops and delis.
“But those online services do not have protection against credential-stuffing attacks in place, and they rely on their users to choose unique, strong passwords,” said Carson. “Unfortunately, most of these attacks are opportunistic, hunting for sensitive data that can be sold or abused later. This includes credit card information or sensitive personal information that can be used for identity theft.”
Omri Weinberg, co-founder and CRO at DoControl, made two points about these attacks on sub shops and delis.
First, Weinberg said consumers are likely to reuse a password for something they deem less important, such as a restaurant loyalty club or sign in to a forum, as opposed to their bank or investment website. Second, attackers may assume that retail and restaurant security teams are less sophisticated since those types of businesses tend to run on tight margins.
“The root of this problem is reuse of passwords by users, in this case, Jason's Deli's customers and loyalty members,” said Weinberg. “If these users maintained a different password for every online account they create, then the compromise of another set of credentials could not affect Jason's Deli — or anyone else. Unfortunately, there’s no way for Jason's Deli or any organization to enforce the use of a unique password. The solution for this problem ultimately doesn't lie with Jason's Deli or any organization per se, but really with better education and consumer behavior online.”