The Securities and Exchange Commission (“SEC”) recently issued a Risk Alert addressing client account credential compromises against SEC-registered investment advisers (“advisers”) and brokers and dealers (“broker-dealers,” and together with advisers, “firms”). These compromises were carried out through “credential stuffing,” a method of attacking client accounts using client login credentials that were compromised elsewhere, resulting in the possible loss of customer assets and unauthorized disclosure of sensitive personal information.
Overview
Credential stuffing is an automated attack on web-based user accounts as well as on direct network login credentials. Cyber attackers obtain lists of usernames, email addresses, and corresponding passwords from the dark web, and then use automated scripts to try the compromised usernames and passwords on other websites, such as a registrant’s website, in an attempt to log in and gain unauthorized access to customer accounts.
Credential stuffing is emerging as a more effective way for attackers to gain unauthorized access to customer accounts and/or firm systems than traditional brute force password attacks. When a credential stuffing attack is successful, bad actors can use the access to the customer accounts to gain access to firms’ systems, where they are able to steal assets from customer accounts, access confidential customer information, obtain login credential/website information that they can sell to other bad actors on the dark web, gain access to network and system resources, or monitor and/or take over a customer’s or staff member’s account for other purposes.
Firms’ information systems, particularly internet-facing websites, face an increased risk of a credential stuffing attack. This includes systems hosted by third-party vendors. Firms’ internet-facing websites are vulnerable to attack because they can be used by attackers to initiate transactions or transfer funds from a compromised customer’s account. In addition, Personally Identifiable Information (PII) is often available via firms’ internet-facing websites. Obtaining a customer’s PII from one firm’s website can facilitate an attacker’s ability to potentially take over a customer account or attack accounts held by the account owner at other institutions.
Successful attacks occur more often when (1) individuals use the same password or minor variations of the same password for various online accounts, and/or (2) individuals use login usernames that are easily guessed, such as email addresses or full names.
Suggested Responses
The SEC encourages registrants to consider reviewing and updating their Regulation S-P and Regulation S-ID policies and programs to address the emergent risk of credential stuffing, including by adopting a number of the following practices, which firms have used to help protect client accounts:
- Password Standards. Periodic review of policies and programs, with a specific focus on updating password policies to incorporate a recognized password standard requiring strength, length, type, and change of passwords practices that are consistent with industry standards.
- Multi-Factor Authentication (“MFA”). Use of MFA, which employs multiple “verification methods” to authenticate the person seeking to log in to an account. The strength of an authentication system is largely determined by the number of factors it incorporates: the more factors employed, the more robust the authentication system. In this regard, MFA may provide more robust authentication than two- or one-factor methods of authentication.
- Completely Automated Public Turing test to tell Computers and Humans Apart (“CAPTCHA”). To combat the automated scripts or bots used in such attacks, deployment of a CAPTCHA, which requires users to confirm they are not running automated scripts by performing an action to prove they are human (e.g., identifying pictures of a particular object within a grid of pictures or identifying words spoken against a background of other noise).
- Controls to Detect and Prevent. To address credential stuffing, firms have also taken other steps, including (i) implementing controls to detect and prevent credential stuffing attacks, such as monitoring for a higher-than-usual number of login attempts, or a higher-than-usual number of failed logins, over a given time period; (ii) utilizing tools to collect information about user devices and create a “fingerprint” for each incoming session. The fingerprint is a combination of parameters such as operating system, language, browser, time zone, user agent, etc. For example, if the same combination of parameters attempts to log in several times in rapid sequence, the activity is more likely to be a brute force or credential stuffing attack; (iii) utilizing a Web Application Firewall (“WAF”) that can detect and inhibit credential stuffing attacks; and (iv) offering or enabling additional controls that can limit the damage in the event an account is taken over, such as controls over, or limits on online access to, fund transfers and PII.
- Client Education. Most firms require customers and staff to create and use strong passwords. However, passwords are less effective if customers and/or staff re-use them from other sites. To be more effective, some firms are informing and encouraging clients and staff to create strong, unique passwords and to change passwords if there are indications that a password has been compromised.
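As an added illustration of the monitoring and fingerprint controls described above (example code written for this summary, not part of the SEC alert or any firm’s tooling), the following detector reads constructed login events, groups them by session fingerprint, and flags a fingerprint that produces many mostly-failed logins against many distinct usernames inside a short window. The log format, field names, and thresholds are assumptions for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample login events (not from the SEC alert): timestamp, outcome,
# username, source IP and a session "fingerprint" (OS|browser|language|time zone).
SAMPLE_LOG = """\
2023-01-10T09:00:00 OK   user=carol ip=198.51.100.9 fp=macos|safari|en-US|UTC-8
2023-01-10T09:00:01 FAIL user=alice ip=203.0.113.7 fp=win10|chrome|en-US|UTC-5
2023-01-10T09:00:02 FAIL user=bob ip=203.0.113.7 fp=win10|chrome|en-US|UTC-5
2023-01-10T09:00:03 FAIL user=dave ip=203.0.113.7 fp=win10|chrome|en-US|UTC-5
2023-01-10T09:00:04 OK   user=erin ip=203.0.113.7 fp=win10|chrome|en-US|UTC-5
2023-01-10T09:00:05 FAIL user=frank ip=203.0.113.7 fp=win10|chrome|en-US|UTC-5
2023-01-10T09:00:30 FAIL user=carol ip=198.51.100.9 fp=macos|safari|en-US|UTC-8
2023-01-10T09:00:45 OK   user=carol ip=198.51.100.9 fp=macos|safari|en-US|UTC-8
"""

LINE_RE = re.compile(r"(?P<ts>\S+)\s+(?P<outcome>OK|FAIL)\s+user=(?P<user>\S+)"
                     r"\s+ip=(?P<ip>\S+)\s+fp=(?P<fp>\S+)")

def parse_events(log_text):
    """Parse matching log lines into dicts; lines that do not match are skipped."""
    events = [m.groupdict() for m in map(LINE_RE.match, log_text.splitlines()) if m]
    for e in events:
        e["ts"] = datetime.fromisoformat(e["ts"])
    return events

def find_stuffing_sessions(events, window=timedelta(seconds=60),
                           min_attempts=5, min_users=4, min_fail_ratio=0.6):
    """Flag fingerprints that, inside any sliding `window`, made >= `min_attempts`
    logins against >= `min_users` distinct usernames with a failure ratio >=
    `min_fail_ratio`. Thresholds are illustrative; tune them to the site's baseline."""
    by_fp = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_fp[e["fp"]].append(e)
    flagged = {}
    for fp, evs in by_fp.items():
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:  # drop stale events
                start += 1
            span = evs[start:end + 1]
            fails = sum(1 for e in span if e["outcome"] == "FAIL")
            users = {e["user"] for e in span}
            if (len(span) >= min_attempts and len(users) >= min_users
                    and fails / len(span) >= min_fail_ratio):
                flagged[fp] = {"attempts": len(span), "distinct_users": len(users),
                               "failures": fails}
    return flagged
```

The legitimate user who mistypes a password once and then logs in is not flagged, while the single fingerprint cycling through five different usernames in five seconds is; a WAF rule or step-up authentication can then be keyed on the flagged fingerprint rather than on individual accounts.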
Summary
As firms prepare for credential stuffing attacks, the SEC encourages firms to consider their current practices (e.g., MFA and other practices described above) and any potential limitations of those practices, and to consider whether the firm’s customers and staff are properly informed on how they can better secure their accounts.
With the above in mind, advisers and broker-dealers should remain vigilant and proactively address these emergent cyber risks, or run the risk of being deemed to have a flawed cybersecurity platform. It is important to remember that, with respect to cybersecurity, firms are always judged in hindsight, and not just on the basis of client losses.