The SEC’s Office of Compliance Inspections and Examinations (“OCIE”) has observed an increase in credential stuffing attacks.
What is Credential Stuffing? Bad actors target client accounts via compromised login credentials. This can result in a loss of customer assets and unauthorized disclosure of personal information.
To carry out a credential stuffing attack, attackers obtain lists of usernames, email addresses and passwords from the Dark Web, then use automated scripts to try to gain access to customer accounts with those leaked credentials.
The OCIE released a Risk Alert that stated, “Credential stuffing is emerging as a more effective way for attackers to gain unauthorized access to customer accounts and/or firm systems than traditional brute force password attacks.”
In order to try to minimize hacking attempts, the OCIE urges broker-dealers and advisors to review policies and procedures on a regular basis to ensure strong password policies. The OCIE also recommends the following:
- Require a certain length and strength for passwords;
- Update passwords on a consistent basis;
- Employ multi-factor authentication;
- Monitor the dark web for leaked lists of user IDs and passwords;
- Evaluate whether user accounts are vulnerable to credential stuffing attacks; and
- Deploy a Completely Automated Public Turing test to tell Computers and Humans Apart (CAPTCHA).
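The attack pattern described above (an automated script cycling through many leaked username/password pairs) leaves a recognizable trace in a firm's authentication logs: one source address trying a large number of distinct accounts in a short window, almost all of them failing. The following detection routine is an added example, not code from the article or from the OCIE Risk Alert; the log format, the thresholds (8 distinct users in 5 minutes with at least 80% failures) and the sample log lines are all constructed for illustration, using documentation-range IP addresses.

```python
"""Flag credential-stuffing patterns in authentication logs (added example).

Heuristic: a single source IP that attempts many distinct usernames within a
short window with a high failure rate behaves like an automated
credential-stuffing script, not like a user mistyping one password.
Log format, thresholds and sample data are assumptions for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> <source IP> <username> <outcome>".
# 198.51.100.7 cycles through ten accounts in eight seconds (one succeeds);
# 203.0.113.9 is an ordinary user who mistypes their own password twice.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 198.51.100.7 alice@example.com FAIL
2024-05-01T10:00:02Z 198.51.100.7 bob@example.com FAIL
2024-05-01T10:00:02Z 198.51.100.7 carol@example.com FAIL
2024-05-01T10:00:03Z 198.51.100.7 dave@example.com SUCCESS
2024-05-01T10:00:04Z 198.51.100.7 erin@example.com FAIL
2024-05-01T10:00:05Z 198.51.100.7 frank@example.com FAIL
2024-05-01T10:00:06Z 198.51.100.7 grace@example.com FAIL
2024-05-01T10:00:07Z 198.51.100.7 heidi@example.com FAIL
2024-05-01T10:00:08Z 198.51.100.7 ivan@example.com FAIL
2024-05-01T10:00:09Z 198.51.100.7 judy@example.com FAIL
2024-05-01T10:05:00Z 203.0.113.9 alice@example.com FAIL
2024-05-01T10:05:20Z 203.0.113.9 alice@example.com FAIL
2024-05-01T10:05:45Z 203.0.113.9 alice@example.com SUCCESS
"""

# Assumed thresholds; tune against a firm's own baseline traffic.
WINDOW = timedelta(minutes=5)
MIN_DISTINCT_USERS = 8
MIN_FAIL_RATIO = 0.8


def parse_log(text):
    """Parse log lines into (timestamp, ip, username, succeeded) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, outcome = line.split()
        when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        events.append((when, ip, user, outcome == "SUCCESS"))
    return events


def detect_stuffing(events, window=WINDOW, min_users=MIN_DISTINCT_USERS,
                    min_fail_ratio=MIN_FAIL_RATIO):
    """Return {ip: summary} for source IPs whose activity looks like stuffing.

    For each IP, slide a time window over its attempts (sorted by time) and
    flag the IP when any window contains at least `min_users` distinct
    usernames with a failure ratio of at least `min_fail_ratio`. The summary
    kept is the flagged window with the most distinct usernames, and it lists
    any accounts that were successfully logged into from that IP, which are
    the accounts to treat as potentially compromised.
    """
    by_ip = defaultdict(list)
    for when, ip, user, ok in sorted(events):
        by_ip[ip].append((when, user, ok))

    findings = {}
    for ip, attempts in by_ip.items():
        start = 0
        for end in range(len(attempts)):
            # Advance the window start until the window fits within `window`.
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            chunk = attempts[start:end + 1]
            users = {u for _, u, _ in chunk}
            fails = sum(1 for _, _, ok in chunk if not ok)
            ratio = fails / len(chunk)
            if len(users) < min_users or ratio < min_fail_ratio:
                continue
            previous = findings.get(ip)
            if previous is None or len(users) > previous["distinct_users"]:
                findings[ip] = {
                    "attempts": len(chunk),
                    "distinct_users": len(users),
                    "fail_ratio": round(ratio, 2),
                    "successful_logins": sorted(u for _, u, ok in chunk if ok),
                }
    return findings


if __name__ == "__main__":
    for ip, summary in detect_stuffing(parse_log(SAMPLE_LOG)).items():
        print(ip, summary)
```

Only the automated source is flagged; the legitimate user who retries a single account is not, because the distinct-username count stays at one. The `successful_logins` field is what an incident responder would act on first (forcing a password reset and a multi-factor challenge on those accounts), and the same grouping can be run per user-agent or per /24 instead of per IP when an attacker rotates addresses.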
The Risk Alert also identified several observations including:
- Firms' information systems, particularly Internet-facing websites, face an increased risk of credential stuffing attacks, including systems hosted by third-party vendors;
- Personally Identifiable Information is often available via a firm's Internet-facing website, allowing hackers not only to gain access to one account but also to gain access to accounts held at other institutions;
- Attacks occur more often when individuals make minor variations to an existing password instead of creating an entirely new password, and when individuals use easily guessable logins such as email addresses and full names.