Transport for London (TfL) was forced to temporarily suspend the website for its Oyster system this week after an apparent credential stuffing attack on customers.
The top-up card allows users to travel around the capital on Tube, bus and Overground services, adding to and checking their balance online or at ticket machines.
However, the website is currently ‘down for maintenance’ and a statement from the transport service suggests a credential stuffing attack.
“We believe that a small number of customers have had their Oyster online account accessed after their login credentials were compromised when using non-TfL websites,” a spokesperson claimed.
“No customer payment details have been accessed, but as a precautionary measure and to protect our customers’ data, we have temporarily suspended online contactless and Oyster accounts while we put additional security measures in place. We will contact those customers who we have identified as being affected and we encourage all customers not to use the same password for multiple sites.”
Credential stuffing is an increasingly popular tactic, exploiting the huge volumes of stolen passwords on the dark web and the fact that users tend to reuse these log-ins across multiple sites. A hacker only has to get lucky 1% of the time to reap a decent ROI from these automated attacks. Attacks are estimated to cost EMEA firms as much as $4m each year.
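The telltale pattern of a credential stuffing run described above is one source hammering many different accounts with a low hit rate. The following detection sketch over constructed login events is an added example, not TfL code or data; the IP addresses, usernames, log format and thresholds are all illustrative assumptions.

```python
"""Flag credential-stuffing patterns in login logs: one source IP trying many
distinct usernames with a low success rate inside a short time window."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not TfL data), format: "ISO-timestamp ip username outcome".
STUFFING_IP = "203.0.113.10"   # constructed: cycles through 12 accounts in 12 seconds
NORMAL_IP = "198.51.100.7"     # constructed: one real user mistyping their password
SAMPLE_LOG = [
    f"2019-08-21T09:00:{i:02d}Z {STUFFING_IP} user{i}@example.test {'OK' if i == 7 else 'FAIL'}"
    for i in range(12)
] + [
    f"2019-08-21T09:05:00Z {NORMAL_IP} alice@example.test FAIL",
    f"2019-08-21T09:05:20Z {NORMAL_IP} alice@example.test FAIL",
    f"2019-08-21T09:05:45Z {NORMAL_IP} alice@example.test OK",
]


def parse_event(line):
    """Split one log line into (timestamp, ip, username, succeeded)."""
    ts, ip, user, outcome = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, outcome == "OK"


def find_stuffing_sources(lines, window=timedelta(minutes=5),
                          min_users=10, max_success_rate=0.2):
    """Return {ip: (distinct_users, success_rate)} for every IP that, within some
    sliding window, hit at least `min_users` different accounts while succeeding
    at most `max_success_rate` of the time. Thresholds are illustrative assumptions."""
    by_ip = defaultdict(list)
    for line in lines:
        ts, ip, user, ok = parse_event(line)
        by_ip[ip].append((ts, user, ok))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:  # slide window start
                start += 1
            span = events[start:end + 1]
            users = {u for _, u, _ in span}
            rate = sum(ok for _, _, ok in span) / len(span)
            if len(users) >= min_users and rate <= max_success_rate:
                all_users = {u for _, u, _ in events}
                all_rate = sum(ok for _, _, ok in events) / len(events)
                flagged[ip] = (len(all_users), round(all_rate, 3))
                break
    return flagged


if __name__ == "__main__":
    for ip, (users, rate) in find_stuffing_sources(SAMPLE_LOG).items():
        print(f"{ip}: {users} distinct accounts tried, success rate {rate:.1%}")
```

A single successful login from a flagged source is exactly the account takeover the statement describes, so the success events from such an IP are the ones to review first.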
Dashlane CEO, Emmanuel Schalit, argued that password management has become too difficult for the average internet user.
“Dashlane has found that the average internet user has over 200 digital accounts that require passwords, and the company projects this figure to double to 400 in the next five years. Managing passwords for them all has become incredibly hard,” he explained.
“We then bury our heads in the sand and ignore this problem, use the same password everywhere thinking everything is fine, and then we get hacked. Everyone should have a unique password for every one of their digital accounts. This ensures that even if one account is breached your other accounts will be secure. This is the digital version of the ‘containment’ doctrine; if one account is compromised the damage will not spread.”
The answer is to use a password manager, he added, although best practice should extend to switching on two-factor authentication for all websites and apps.