On September 15, 2020, the Office of Compliance Inspections and Examinations (“OCIE”) issued a risk alert regarding its recent observation of growing “credential stuffing” attacks against SEC-registered investment advisers and broker-dealers (“firms”). These attacks use compromised usernames and passwords from the dark web to access investors’ accounts. The increase in credential stuffing exploits presents considerable financial, legal, and reputational risks. OCIE’s alert encourages firms to consider various mitigation efforts to reduce the risk of credential stuffing, particularly the use of multi-factor authentication (MFA). Although the alert is phrased as encouragement, OCIE is certainly suggesting that the industry standard should be for firms to protect against these attacks, even though these attacks stem primarily from a client’s behavior in re-using a username/password combination and another website’s loss of that combination.
Credential Stuffing. Credential stuffing is a unique type of cyber-attack in which the attackers first obtain lists of usernames, email addresses, and corresponding passwords from the dark web (after being stolen from another website). This attack only works because many people reuse usernames and passwords. The attackers then use automated scripts to enter those names and passwords on firm sites to attempt to gain access to investors’ accounts and steal assets or information. This can affect both web-based user accounts as well as direct network login account credentials.
Suggested Solutions. In the risk alert, OCIE identified several practices that it observed firms taking, which helped protect against credential stuffing attacks:
- Update Policies and Procedures. Firms should regularly review and update policies and programs, including those mandated by Regulations S-P and S-ID, and should apply strong password policies. Requiring stronger passwords makes it less likely that a client can re-use a password already in use on another site.
- Implement MFA (“Multi-Factor Authentication”). Firms can use MFA to authenticate individuals logging into accounts. Adding additional factors to the login process will help protect against credential stuffing attacks, because attackers will not have access to the additional factors needed for access. The risk alert, however, warned that firms should be aware that MFA methods using mobile phones carry some risk and should communicate that to investors.
- Use CAPTCHA (“Completely Automated Public Turing test to tell Computers and Humans Apart”). Firms can use a CAPTCHA, which requires users to prove they are human before logging in, to prevent the use of bots or automated scripts on login.
- Install Controls. Firms can apply various controls to detect and prevent credential stuffing attacks, including i) monitoring for numerous logins, ii) using firewalls to deflect credential stuffing attacks, and iii) limiting online access to fund transfers and PII.
- Watch the Dark Web. Firms can monitor the dark web for lists of leaked user credentials, or hire one of the firms that will monitor the web for them or alert when a client is using a username/password combination that is known to be compromised.
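As an added example of the “monitoring for numerous logins” control above (this is illustrative code written for this summary, not code from OCIE or from any firm), the script below scans authentication log lines for the signature that distinguishes credential stuffing from an ordinary forgotten password: one source address trying many distinct usernames in a short window with a high failure rate. The log format, the sample lines, and the thresholds (60-second window, five distinct usernames, 60% failure ratio) are assumptions chosen for illustration; a firm would substitute its own log format and tune the thresholds to its traffic. Any successful login inside a flagged window is reported separately, because that account’s reused password is now known to be compromised and should be reset.

```python
"""Flag credential-stuffing patterns in authentication logs.

Added illustrative example, not part of the OCIE alert. The log line
format, sample data and thresholds are assumptions for demonstration.
"""
import re
from collections import defaultdict
from datetime import datetime, timezone

# Assumed log format: "<ISO timestamp> src=<ip> user=<name> result=OK|FAIL"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)

# Constructed sample log (not real data). 203.0.113.7 sprays six different
# usernames in six seconds and gets one hit; 198.51.100.4 is one person
# mistyping a password twice; 192.0.2.9 is a clean single login.
SAMPLE_LOG = """\
2020-09-15T10:00:01Z src=203.0.113.7 user=alice result=FAIL
2020-09-15T10:00:02Z src=203.0.113.7 user=bob result=FAIL
2020-09-15T10:00:03Z src=203.0.113.7 user=carol result=FAIL
2020-09-15T10:00:04Z src=203.0.113.7 user=dave result=OK
2020-09-15T10:00:05Z src=203.0.113.7 user=erin result=FAIL
2020-09-15T10:00:06Z src=203.0.113.7 user=frank result=FAIL
2020-09-15T10:01:10Z src=198.51.100.4 user=carol result=FAIL
2020-09-15T10:01:25Z src=198.51.100.4 user=carol result=FAIL
2020-09-15T10:01:40Z src=198.51.100.4 user=carol result=OK
2020-09-15T10:02:00Z src=192.0.2.9 user=grace result=OK
"""


def parse_log(text):
    """Return a list of (timestamp, src, user, succeeded) tuples.

    Malformed lines are skipped rather than aborting the whole scan.
    """
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((ts, m["src"], m["user"], m["result"] == "OK"))
    return events


def find_stuffing_sources(events, window_seconds=60, min_distinct_users=5, min_fail_ratio=0.6):
    """Map each suspicious source address to the worst window observed.

    A window is suspicious when one source tries at least
    min_distinct_users different usernames within window_seconds and
    at least min_fail_ratio of those attempts fail. Successful logins
    inside such a window are listed as accounts needing a password reset.
    """
    by_src = defaultdict(list)
    for ts, src, user, ok in events:
        by_src[src].append((ts, user, ok))

    flagged = {}
    for src, evs in by_src.items():
        evs.sort()
        j = 0
        for i in range(len(evs)):
            # Advance j so evs[i:j] is every event within the window after evs[i].
            while j < len(evs) and (evs[j][0] - evs[i][0]).total_seconds() <= window_seconds:
                j += 1
            window = evs[i:j]
            users = {u for _, u, _ in window}
            fails = sum(1 for _, _, ok in window if not ok)
            if len(users) >= min_distinct_users and fails / len(window) >= min_fail_ratio:
                prev = flagged.get(src)
                if prev is None or len(users) > prev["distinct_users"]:
                    flagged[src] = {
                        "distinct_users": len(users),
                        "attempts": len(window),
                        "failures": fails,
                        "compromised_logins": sorted(u for _, u, ok in window if ok),
                    }
    return flagged


if __name__ == "__main__":
    for src, info in find_stuffing_sources(parse_log(SAMPLE_LOG)).items():
        print(f"{src}: {info['distinct_users']} usernames, "
              f"{info['failures']}/{info['attempts']} failed, "
              f"reset needed for {info['compromised_logins']}")
```

Run against the constructed log, only 203.0.113.7 is flagged, and the output names dave as the account whose reused password worked. The distinct-username count is what keeps the rule from firing on 198.51.100.4, where a single client simply failed twice before succeeding; a plain failed-login threshold would catch that client and miss the real pattern.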
While not all of these measures may be appropriate for smaller firms, all firms should review their current practices to confirm they are doing what they can to prevent these dangerous attacks. Some of the most basic measures, like strong password requirements and use of MFA, can significantly reduce the risk of these attacks.