Reply to post: Re: We encourage all customers not to use the same password for multiple sites

Transport for London Oyster system pulled offline after credential-stuffing crooks board customers' accounts

PrivateCitizen
Black Helicopters

Re: We encourage all customers not to use the same password for multiple sites

With the caveat that I've no idea what happened in this instance, that isn't always a good protection against credential stuffing.

Most attacks will be of the form of the attackers getting a list of usernames (either confirmed if they can enumerate them or a download of what is basically guesses) and will try all of them with 1 - 3 of the most common passwords. The idea is to avoid detection from locking out the accounts or hitting "excessive failed login" thresholds.

If TfL are saying that this is an attack where a list of pwnd email/pw combos from another site has been used in the attack, then that's a different story (and unique UIDs would have helped). But that isn't really credential stuffing (IMHO of course).
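The point in the post above is that a per-account lockout threshold never fires when each account only sees one or two attempts, so a defender has to look at the source rather than the account. The following is an added illustration of that detection logic, not code from the commenter or from TfL: it parses a constructed, hypothetical auth log (the `src=... user=... result=...` line format and the IP addresses and usernames are all made up) and compares the classic per-account lockout rule with a per-source rule that flags "many distinct users, few failures each" inside a time window. The thresholds are assumptions chosen for the sample data.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (hypothetical format, not from the article).
# One source (203.0.113.7) tries eight accounts once or twice each, so no single
# account reaches the lockout threshold; one real user (carol) mistypes her own
# password six times from 198.51.100.9, which is what lockout rules do catch.
SAMPLE_LOG = """\
2019-08-21T08:00:01Z src=203.0.113.7 user=alice result=fail
2019-08-21T08:00:02Z src=203.0.113.7 user=bob result=fail
2019-08-21T08:00:03Z src=203.0.113.7 user=carol result=fail
2019-08-21T08:00:04Z src=203.0.113.7 user=dave result=fail
2019-08-21T08:00:05Z src=203.0.113.7 user=erin result=fail
2019-08-21T08:00:06Z src=203.0.113.7 user=frank result=fail
2019-08-21T08:00:07Z src=203.0.113.7 user=grace result=fail
2019-08-21T08:00:08Z src=203.0.113.7 user=heidi result=fail
2019-08-21T08:00:09Z src=203.0.113.7 user=alice result=fail
2019-08-21T08:00:10Z src=203.0.113.7 user=bob result=fail
2019-08-21T08:00:11Z src=203.0.113.7 user=dave result=success
2019-08-21T08:01:00Z src=198.51.100.9 user=carol result=fail
2019-08-21T08:01:05Z src=198.51.100.9 user=carol result=fail
2019-08-21T08:01:10Z src=198.51.100.9 user=carol result=fail
2019-08-21T08:01:15Z src=198.51.100.9 user=carol result=fail
2019-08-21T08:01:20Z src=198.51.100.9 user=carol result=fail
2019-08-21T08:01:25Z src=198.51.100.9 user=carol result=fail
2019-08-21T08:02:00Z src=198.51.100.20 user=erin result=success
"""

LINE_RE = re.compile(r"^(\S+) src=(\S+) user=(\S+) result=(\S+)$")


def parse_auth_log(text):
    """Parse log lines into (timestamp, src, user, ok) tuples, sorted by time; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m.group(2), m.group(3), m.group(4) == "success"))
    return sorted(events)


def per_account_lockouts(events, max_failures=5):
    """The classic control: accounts whose total failure count reaches the lockout threshold."""
    fails = defaultdict(int)
    for _, _, user, ok in events:
        if not ok:
            fails[user] += 1
    return {user for user, n in fails.items() if n >= max_failures}


def detect_spray(events, window=timedelta(minutes=10), min_distinct_users=5, max_per_user=3):
    """Flag sources that fail against many distinct accounts within `window`
    while keeping every account at or below `max_per_user` failures,
    i.e. deliberately staying under the per-account lockout threshold."""
    by_src = defaultdict(list)
    for ts, src, user, ok in events:
        if not ok:
            by_src[src].append((ts, user))  # events are already time-ordered
    flagged = {}
    for src, fails in by_src.items():
        best = None
        for i, (start, _) in enumerate(fails):
            per_user = defaultdict(int)
            for ts, user in fails[i:]:
                if ts - start >= window:
                    break
                per_user[user] += 1
            distinct, worst = len(per_user), max(per_user.values())
            if distinct >= min_distinct_users and worst <= max_per_user:
                if best is None or distinct > best[0]:
                    best = (distinct, worst)
        if best:
            flagged[src] = {"distinct_users": best[0], "max_failures_per_user": best[1]}
    return flagged


def successes_from(events, src):
    """Accounts that logged in successfully from a flagged source: candidates for forced reset."""
    return sorted({user for _, s, user, ok in events if ok and s == src})


if __name__ == "__main__":
    evs = parse_auth_log(SAMPLE_LOG)
    print("locked out by per-account threshold:", per_account_lockouts(evs))
    for src, info in detect_spray(evs).items():
        print(f"spray from {src}: {info}; successful logins: {successes_from(evs, src)}")
```

On the sample data the per-account rule locks out only carol (the legitimate user who failed repeatedly), while the per-source rule flags 203.0.113.7 with eight distinct accounts at no more than two failures each, and reports dave as the account that was actually entered from that source. In a real deployment the grouping key would usually be a source IP range, ASN or device fingerprint rather than a single address, since stuffing traffic is typically spread across proxies.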
