Neiman Marcus Reports New BreachWeak Authentication Cited in Latest Attack on Customer Accounts
A recent breach of customer accounts at luxury retailer Neiman Marcus is, once again, putting the spotlight on the vulnerabilities created by relying only on usernames and passwords for online authentication. Until businesses and banking institutions start forcing consumers to use other types of authentication methods, such as biometrics, mobile verification codes and geo-location, merchants and banks can expect more hackers to breach customer accounts.
"This type of fraud will only grow more pervasive as criminals recognize and take advantage of the opportunity presented by on-file accounts protected by weak authentication," says Al Pascual, head of fraud and security at Javelin Strategy & Research.
On Jan. 29, Neiman Marcus notified potentially affected online customers and the California attorney general of a breach that it says compromised an estimated 5,200 accounts.
On or about Dec. 26, 2015, hackers attempted to access online accounts by trying various login and password combinations using "automated attacks," Neiman Marcus reports. Online accounts impacted by the breach are connected to several Neiman Marcus Group brands, including its Bergdorf Goodman, Last Call, CUSP, Horchow and Neiman Marcus stores, the company says.
"We suspect this activity was due to large breaches at other companies (not the Neiman Marcus Group), where user login names and passwords were stolen and used for unauthorized access to other accounts, such as the NMG online accounts, where a user may use the same login name and/or password," the luxury retailer points out in its breach notice. "At present, all indications are that the Neiman Marcus Group database of customer email addresses or passwords remains safe, and that our cyber-defenses repelled more than 99 percent of the attacks."
Although Neiman Marcus says its fraud team detected unauthorized purchases made from approximately 70 accounts and credited the affected customers for those purchases, the attackers were able to access some customer information.
"The online account [details] the intruders were able to view include basic contact information, purchase history and only the last four digits of credit card numbers," Neiman Marcus says. "No sensitive information, such as Social Security numbers, dates of birth, full financial account numbers, or PIN numbers, is visible through online accounts."
Neiman Marcus is advising affected customers to change their online passwords and warning them to be on the lookout for phishing attacks.
How Hackers Get In
Breaches along the lines of this most recent Neiman Marcus incident are becoming more common because criminals can gather information about consumers on social media and then pair it with PII - as well as usernames and passwords - they have compromised in data breaches or purchased in underground forums.
"These bad guys are assembling portfolios of individuals," says financial fraud expert Avivah Litan, an analyst at consultancy Gartner. "They've got a big database of American citizens and all the data associated with their identity, and lots of different people are buying up this data on the Dark Web. Some of them are cybercriminals trying to break into banks; some of them are terrorists trying to launder money; and others are typically nation states, trying to get something out of U.S. companies. And they're using this data to get to their targets."
Because many online users use the same username and password for multiple accounts, once those credentials are compromised, hackers can use them to access accounts on various websites (see Breached PII: Growing Fraud Worry).
"This is a problem that is solved by user education and the ease and simplicity of password vaults and safes that are easy and efficient to use," says Chris Pierson, chief security officer at invoicing and payments provider Viewpost. "Hackers are definitely using the same username/password credentials from other hacks to see if they can get access to other sites."
A Mitigation Step
To help mitigate this threat, organizations need to carefully consider whether they need to store any PII, and if so, make sure it's encrypted, says William Murray, an independent payments security consultant.
"Many, not to say most, retailers need not store PII," Murray says. "They can use third parties to grant credit and proxies to collect the money."
Even customer contact information stored for marketing purposes should be encrypted, Murray stresses. The 2013 data breach at Target, for example, exposed customer contact information for up to 70 million customers.
Another powerful tool in the effort to thwart breaches, of course, is stronger authentication that goes far beyond username and password, Murray stresses.
"Google, Dropbox, Apple, Amazon, PayPal, and a dozen other consumer applications, even my little three-branch community bank, already offer their customers strong authentication," he says. "It is the consumer and the next rank of enterprises that we must convince."
Pascual says merchants and banking institutions have a vested interest in shoring up this potential security gap by strengthening online authentication. When online accounts are compromised, banks and businesses run the risk of brand damage if their customers' accounts are exposed, he adds.
"Mitigating these types of account takeovers is critical to maintaining customer loyalty, as nearly one in four fraud victims in 2015 avoided merchants post-fraud," Pascual says. "Not actively managing for that type of revenue risk would be inexcusable and wholly endemic of the kind of disconnect we see between security and the profitable parts of merchant organizations."
Pierson questions, however, whether the latest Neiman Marcus incident was, indeed, tied to hackers trying various combinations of usernames and passwords.
"It is possible that Neiman Marcus customer usernames and emails, which are normally not encrypted, were compromised at some point in the past," Pierson says. "It is also possible that the hashed passwords, depending on the type of hash used and whether these were salted, could reveal whether many of these values could be indexed or known. Since this appears to be a dedicated attack, it is less likely that this was random username/password guessing, and instead, based on a more probable certainty that users had a Neiman Marcus account."