Recently, the Office of Compliance Inspections and Examinations (“OCIE”) released an alert to broker-dealers and registered investment advisers regarding the risks associated with credential stuffing. See https://www.sec.gov/files/Risk%20Alert%20-%20Credential%20Compromise.pdf.
Credential stuffing is an automated attack on web-based user accounts and direct network login account credentials. Cyber attackers obtain lists of usernames, email addresses, and corresponding passwords from the “dark web,” and then use automated scripts to try those credentials against user accounts on other websites. OCIE believes that credential stuffing is emerging as a more effective way for attackers to obtain unauthorized access to customer accounts and/or BD or RIA firm systems than traditional “brute force” password attacks, which attempt to guess a password by trying numerous combinations. A successful attack by either method allows access to customer accounts and, possibly, the firms’ systems, allowing for theft from customer and firm accounts.
The OCIE staff observed an increase in the frequency of credential stuffing attacks, and failures by BDs and RIAs to mitigate the risks of such attacks. The findings included problems with the use of systems hosted by third-party vendors and with personally identifiable information (“PII”) accessed through the website of a BD or RIA. According to the OCIE report, such use would facilitate an attacker’s ability to control a customer account at the firm or the customer’s accounts at other institutions.
OCIE determined that customers reusing the same password or login username were a prime target for these attacks. Further, OCIE suggested that firms update their Regulation S-P and Regulation S-ID policies and programs to address these risks. Similarly, OCIE found that certain practices could protect client accounts, including, but not limited to: (1) policies and procedures relating to updating and improving passwords; (2) employing Multi-Factor Authentication (“MFA”), where multiple “verification methods” authenticate the person logging in to an account; (3) using a Completely Automated Public Turing test to tell Computers and Humans Apart (“CAPTCHA”), requiring users to confirm they are actual humans and not automated scripts; (4) improving controls to detect and prevent multiple login “fingerprints” for sessions, along with the use of a web application firewall (“WAF”) to detect and inhibit credential stuffing attacks; and (5) monitoring the dark web.
Firms should consider their current practices, and any potential limitations of those practices. Further, firms should consider whether the firm’s customers and staff are properly informed on securing their accounts. If not, OCIE strongly recommends that improvements be made quickly.
In sum, BDs and RIAs should remain vigilant and proactively address emergent cyber risks; review their customer account protection safeguards and identity theft prevention programs; and consider updating such programs or policies as necessary. Firms should seek out experienced securities counsel to assist in these tasks and engage their customers in this process because, like the Pandemic, we are all in this together.