The Securities and Exchange Commission (SEC) cautions that it has observed an increase in cyber-attacks against registered investment advisers (RIAs) and broker dealers (BDs), which, in some cases, has resulted in the loss of customer assets and unauthorized access to customer information.
The Risk Alert by the SEC’s Office of Compliance Inspections and Examinations (OCIE) describes how the uptick in attacks is attributable to what’s called “credential stuffing”—a method of cyber-attack to client accounts that uses compromised client login credentials.
According to the OCIE, the method is an automated attack on web-based user accounts, as well as direct network login account credentials, where cyber attackers obtain lists of usernames, email addresses and corresponding passwords from the “dark web.” The attackers then use automated scripts to try the compromised usernames and passwords on other websites, such as a registrant’s website.
This method apparently is emerging as a “more effective way” for attackers to gain unauthorized access to customer accounts and firm systems than traditional “brute force” password attacks, the Alert advises. When a credential stuffing attack is successful, bad actors can use the access to:
steal assets from customer accounts;
access confidential customer information;
obtain login credential/website information that they can sell to other bad actors on the dark web;
gain access to network and system resources; or
monitor and/or take over a customer’s or staff member’s account for other purposes.
Firms’ information systems—particularly internet-facing websites—face an increased risk of a credential stuffing attack, including systems hosted by third-party vendors. This is because they can be used by attackers to initiate transactions or transfer funds from a compromised customer’s account, the Alert further warns.
Moreover, Personally Identifiable Information (PII) is often available via firms’ internet-facing websites, and once obtained from one firm’s website, can facilitate an attacker’s ability to take over a customer account or seize accounts held by the account owner at other institutions.
According to the OCIE, successful attacks occur more often when:
individuals use the same password or minor variations of the same password for various online accounts, and/or
individuals use login usernames that are easily guessed, such as email addresses or full names.
As such, the OCIE encourages registrants to consider reviewing and updating their Regulation S-P and Regulation S-ID policies and programs to address the emergent risk of credential stuffing.
What’s more, the OCIE urges financial institutions to remain vigilant and proactively address emergent cyber risks. This includes reviewing customer account protection safeguards and identity theft prevention programs, and considering whether updates to such programs or policies are warranted.
In addition, firms are encouraged to consider outreach to their customers to inform them of actions they may take to protect their financial accounts and PII. The practices that firms have implemented to help protect client accounts include:
Policies and Procedures. Periodic review of policies and programs with specific focus on updating password policies to incorporate a recognized password standard requiring strength, length, type and change of passwords practices that are consistent with industry standards.
Multi-Factor Authentication (MFA). Use of MFA, which employs multiple “verification methods” to authenticate the person seeking to log in to an account. The strength of authentication systems is largely determined by the number of factors incorporated by the system—the more factors employed, the more robust the authentication system. When properly implemented, the OCIE notes that MFA can offer one of the best defenses to password-related attacks and significantly decrease the risk of an account takeover.
Completely Automated Public Turing Test to Tell Computers and Humans Apart (CAPTCHA). Deployment of a CAPTCHA—which requires users to confirm they are not running automated scripts by performing an action to prove they are human—can help combat automated scripts or bots used in such attacks.
Controls to Detect and Prevent. This can include monitoring for a higher-than-usual number of login attempts over a given period, or a higher-than-usual number of failed logins over a given period. Other controls include the use of a Web Application Firewall (WAF) that can detect and inhibit credential stuffing attacks, or limiting online access to fund transfers and accessing PII in the event an account is taken over.
Monitoring the Dark Web. Additional steps include surveillance of the dark web for lists of leaked user IDs and passwords, and performance of tests to evaluate whether current user accounts are susceptible to credential stuffing attacks.