In 2015, many Dunkin Donuts customers paid a lot more than expected for a coffee and donut when $650,000 was paid out in response to a brute force attack used to steal customer’s money through the chain’s website and mobile application. This breach affected 19,715 customer accounts over 5 days, and to make matters worse, the company was hesitant to take ownership of the security flaws and implement a resolution to the vulnerabilities (Coble, 2020). The opportunity for attack due to the weak permission requirements and the lack of response to the breach made Dunkin Donuts an easy target for the attackers.

One of the first lines of defense for an application or information system is the permissions given to authorized users via their username and password. Password complexity plays a big part in providing adequate user permission security strategies, along with the interval for which the password expires and requires updating and re-validation. Industry acceptable best-practices for password complexity varies according to many factors, including the level of access of the user (administrator versus read-only user), controlled standards based on specific regulations involving a customer’s personally identifiable information (such as the Health Insurance Portability and Accountability Act and the Payment Card Industry standard), and individually mandated permission requirements granted and controlled by the IS/application administrator. Malicious agents use weak password complexity and security controls to access information systems by creating scripts to “guess” the user’s password by cycling through various character combinations. This attack method is surprisingly useful for attackers and research has proven that an eight-character password can be compromised in as little as six hours (O’Driscoll, 2020).

For the Dunkin Donuts example, there should have been safeguards in place to recognize the methods used to breach the accounts through the brute force attack and elicit a response to address the issue as soon as it was discovered. One method to address this situation is to lock all user accounts and require reauthorization with different and more secure passwords and offer a two-factor method of authentication. On the front end of the attack, control measures involving user account lockouts after X number of failed attempts and email verification could also circumvent many of the standard brute force attacks.

Question for security practitioners….

Due to the virus, many workers are home-based and exercising remote working scenarios. Cybercriminals are targeting the less secure home-based information systems with brute force attacks with reported attacks on Remote Desktop Protocols (RDPs) increasing nearly 400 percent in March and April alone (O’Driscoll, 2020). What can home-based and remote workers do to help safeguard their personal and corporate information from attackers utilizing brute force or other malicious account breach strategies?

References

Coble, S. (2020, September 21). Dunkin’ Donuts Parent Settles Cyber-attack Lawsuit. Retrieved November 17, 2020, from https://www.infosecurity-magazine.com/news/dunkin-donuts-parent-settles/

O’Driscoll, A. (2020, October 06). What is a Brute Force Attack? Examples & How to Avoid Attacks. Retrieved November 17, 2020, from https://www.comparitech.com/blog/information-security/brute-force-attack/