The news out of Chipotle feels a bit like déjà vu, as it’s a story we’ve all heard before. Reports have appeared all over social media, particularly via Reddit and Twitter, about Chipotle user accounts being pirated, with hundreds of dollars’ worth of food ordered to customer cards that those customers never saw. In many cases, according to reports, the delivery addresses on the fraudulent orders were to states different from the home addresses on the accounts.
There is a bit of a twist in this often-told tale of breached consumer data: Chipotle maintains that the company itself has not been breached. Consumers often repeat passwords across sites, the firm noted, and fraudsters use a technique known as credential stuffing — wherein they’ve taken email addresses and passwords gleaned in other attacks, and used them to brute force their way into customers’ Chipotle accounts.
Chipotle customers, incidentally, beg to differ, with many swearing that their Chipotle passwords were used solely on that site, and that there was no way they were snatched in an unrelated hack. When asked directly, Chipotle Chief Communications Officer Laurie Schalow said the firm is “monitoring any possible account security issues, of which we’re made aware, and continue to have no indication of a breach of private data of our customers.” She further noted that the firm is pretty sure credential stuffing is the root cause in this case.
So, what’s going on? Are the customers wrong? Is Chipotle? It’s probably not that simple, Rich Stuppy, chief customer experience officer at Kount, told PYMNTS in a recent discussion about the breach. It’s actually quite possible that both sides of this debate are completely right.
Multiple Weak Points
The wrong assumption to make here is that there is an either/or situation going on, when the breach being seen could mean more of a both/and situation.
“There is no reason to believe that multiple things aren’t going on here. It could easily be credential stuffing. It could be a unique password that is being taken over with credential stuffing in email [application programming interfaces (APIs)] or other activities. That’s why this is such a difficult problem. These attacks are not one-time events, one particular way. These are multiple events coming at these business[es] and putting them in a really tough spot,” Stuppy said.
A tough spot that is not going to take care of itself, he noted. These attacks keep coming, keep evolving and keep getting more sophisticated.
That means the challenge for merchants is about data and vision. To see something wrong in progress, Stuppy said, businesses need to get a clear image of what a correct customer journey looks like, and where all the touchpoints are along the way. Knowing that means the prevention of attacks. Yet, perhaps more importantly, it also allows businesses to “clear the fog of war” and dig down on individual types of attacks coming at them, and how to repel them.
It’s a tough job, he noted, one that businesses are mostly taking on solo. Consumers are going to reuse passwords; it is not realistic to believe they are going to do anything else.
“It would be great if we lived in a world where consumers followed sound practices, but we don’t,” he said, which is why firms need to be vigilant in the face of fraud that is ever-evolving.
It’s evolving quickly, he noted. The Chipotle attack that is getting so much media coverage today, for example, is already out of fashion.
The Evolving Application Of Credential Stuffing
The brute force of credential stuffing attacks that seem to have happened to Chipotle recently — and DoorDash about a year ago — is already waning in popularity, according to Stuppy. For cybercriminals, that move is already “so six months ago.”
“This is not something that is widely talked about, but credential stuffing is moving toward attacking email APIs because it is much more efficient. And once that email account is compromised, you can target many different businesses, because it allows you to reset a password or sign up for a new service, etc.,” he said.
The increase of those credential stuffing attacks against email APIs, he noted, should be worrisome to everyone, Stuppy noted. First, successful control of someone’s email account can give a cybercriminal a lot of dangerous access. Second, and more importantly, since the systems these apps were built upon have protocols designed in the 90s, there won’t necessarily be an easy or fast fix for the problems.
Today, there are only a handful of tools on the dark web for attacking email APIs, but those tools have rapidly grown quite sophisticated, and they are going to proliferate.
“For example, one of the tools is called Mail Ranger 2. It is a credential stuffing attack on email APIs that comes pre-loaded with 2 million IMAP servers from all over the globe. The only way to disable that tool is to turn off the IMAP protocol. But if you turn off the IMAP protocol, a whole bunch of mail clients instantly stop working,” he explained.
Once cybercriminals own email accounts, particularly in a scaled fashion, that means they can greatly level up the sophistication of attacks they bring down on merchants. Merchants, though, will not be the hacked party, he noted — these hacks will come from outdated email protocols. However, merchants will ultimately need to prepare for them because, as we learned this week, the attacks are coming, even if the attacked party wasn’t hacked at all.
“Merchants are going to have to up their game on their account protection[s], on their login pages, on their password resets — all of that,” Stuppy said. “They are getting criminally attacked with someone else’s data flaw; they’re getting the blame, and it is making their customers really angry and confused — and they’re the victims of the crime. It is another thing in the world that is just not fair to merchants.”