FINRA Regulatory Notice 21-18
FINRA recently released Regulatory Notice 21-18 addressing an increase in customer account takeover (“ATO”) attempts. In an ATO, bad actors use stolen customer information, including usernames and passwords, to gain unauthorized access to online accounts, including online brokerage accounts. The credentials are often obtained through phishing emails and social engineering. A second issue FINRA identified in the May 12 Notice was an increase in reports of bad actors using synthetic identities to fraudulently open new accounts. FINRA cited the ease of opening accounts online and the greater use of mobile devices while physical locations were less accessible because of COVID-19 as reasons for the rise in these attacks.
ATOs have also increased because of the large number of stolen credentials available on the dark web and the development of sophisticated ATO tooling, including tools that automate the attacks.
The Notice describes processes and procedures that Firms are now implementing to combat these attacks:
Password Protection: Many customers reuse the same password across several accounts. When one of those sites is breached, attackers replay the leaked username and password pairs against other sites, including brokerage logins; this automated replay is known as credential stuffing, and it succeeds wherever the password was reused. To reduce the risk, Firms encourage customers to use a password manager, which generates and stores a unique password for each login and fills it in automatically when the customer accesses an account.
Verifying Identity for Online Accounts: Firms use likeness checks to validate the identifying information applicants provide, ask applicants follow-up questions based on data sourced from reporting agencies, and hire third-party vendors to conduct due diligence.
Authenticating Customers’ Identities During Login Attempts:
Multi-Factor Authentication: Many Firms encourage customers to use multi-factor authentication, which requires more than one factor to access an account, for example a password plus a code sent via text message. (SMS codes can be intercepted through SIM-swap fraud, so an authenticator app or hardware token is the stronger second factor where a customer can use one.)
Adaptive Authentication: This technique scores the risk of each login attempt and applies additional verification only when the score warrants it. For example, a customer signing in from a new location or device may be asked for additional information to verify their identity before access is granted.
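As an added example (not from the Notice or any Firm's systems) of the two checks a second-factor login performs, the Python below verifies a password and then a one-time code. The code is a time-based one-time password (TOTP, RFC 6238) of the kind an authenticator app produces rather than the SMS code in the Notice's example; the server-side handling, accepting only a narrow time window and never the same code twice, is the same. The user record, salt, password and TOTP secret (the RFC 6238 test key) are constructed for the example.

```python
"""Added example: two-factor login check, password plus one-time code.
Illustrative code written for this page, not FINRA's or any Firm's.
The second factor is TOTP (RFC 6238) instead of the SMS code the Notice
mentions; the user record, salt, password and secret are constructed."""
import hashlib
import hmac
import struct
import time
from typing import Optional

STEP = 30        # TOTP time step in seconds (RFC 6238 default)
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: float, digits: int = DIGITS) -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from Unix time."""
    return hotp(secret, int(at // STEP), digits)


class SecondFactor:
    """Server-side verifier for one enrolled customer."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.last_counter = -1   # highest counter already accepted

    def verify(self, code: str, at: float, window: int = 1) -> bool:
        counter = int(at // STEP)
        # Accept one step of clock skew either way, but never a counter
        # at or below the last accepted one: a captured code cannot be replayed.
        for c in range(counter - window, counter + window + 1):
            if c <= self.last_counter:
                continue
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.last_counter = c
                return True
        return False


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


# Constructed user record; the TOTP secret is the RFC 6238 test-vector key.
TOTP_SECRET = b"12345678901234567890"
SALT = b"constructed-salt-do-not-reuse"
USERS = {
    "alice": {
        "salt": SALT,
        "pw_hash": hash_password("correct horse battery staple", SALT),
        "mfa": SecondFactor(TOTP_SECRET),
    }
}


def login(username: str, password: str, code: str, at: Optional[float] = None) -> bool:
    """Both factors must pass; the caller learns only pass/fail, not which one failed."""
    at = time.time() if at is None else at
    rec = USERS.get(username)
    if rec is None:
        return False   # production code would hash a dummy password here to hide timing
    if not hmac.compare_digest(hash_password(password, rec["salt"]), rec["pw_hash"]):
        return False   # wrong password: do not consume the one-time code
    return rec["mfa"].verify(code, at)


if __name__ == "__main__":
    now = time.time()
    print("login with valid code:", login("alice", "correct horse battery staple", totp(TOTP_SECRET, now), now))
```

Checking the password before the code means a guessed password cannot burn a valid code, and rejecting counters at or below the last accepted one means a code phished from the customer in the last thirty seconds is useless once the customer has used it.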
Back-End Monitoring Controls: Firms conduct ongoing surveillance of accounts for irregularities and for credential-stuffing patterns, such as many different usernames tried from one source in a short period. Firms also monitor emails from customers for red flags and scan the dark web for leaked information that bad actors could use to gain unauthorized access to an account.
Reporting Customer ATOs: To address customer-reported ATOs promptly, Firms have established dedicated fraud groups to investigate them. Firms also provide channels for customers to reach a Firm representative quickly and continually remind customers of security recommendations.
Automated Threat Detection: Firms deploy automated controls to detect and disrupt attacker activity, including web application firewalls, isolating (blocking or rate-limiting) suspicious IP addresses, and geographic-based controls.
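As an added example covering the adaptive-authentication, back-end monitoring and automated-detection items above (illustrative code written for this page, not FINRA's or any Firm's implementation), the Python below runs two checks over a handful of constructed login-log lines: it flags a source IP as credential stuffing when it cycles through many usernames with mostly failures inside a short window, and it triages each successful password login as allow, step-up or block by comparing it with the customer's known countries and devices, the flagged-IP list and an allowed-country list. The log format, thresholds, customer profiles and allowed countries are all assumptions.

```python
"""Added example: credential-stuffing detection over login logs plus a
risk-based (adaptive) decision for each login.  Illustrative code written for
this page, not FINRA's or any Firm's; the log format, thresholds, profiles
and allowed-country list are constructed assumptions."""
import re
from collections import namedtuple
from datetime import datetime, timedelta

Event = namedtuple("Event", "ts ip user country device result")

# Constructed log format: one line per login attempt.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) country=(?P<country>[A-Z]{2}) "
    r"device=(?P<device>\S+) result=(?P<result>ok|fail)$"
)


def parse_line(line: str) -> Event:
    m = LOG_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return Event(ts, m["ip"], m["user"], m["country"], m["device"], m["result"])


def find_stuffing_sources(events, window=timedelta(minutes=5), min_users=5, min_fail_ratio=0.8):
    """IPs that, inside any `window`, tried at least `min_users` distinct usernames
    with a failure ratio of at least `min_fail_ratio`.  Many usernames from one
    source, mostly failing, is the signature of a replayed credential dump; one
    customer mistyping a password touches a single username and is not flagged."""
    by_ip = {}
    for ev in sorted(events, key=lambda e: e.ts):
        by_ip.setdefault(ev.ip, []).append(ev)
    flagged = set()
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):          # sliding window over this IP's attempts
            while evs[end].ts - evs[start].ts > window:
                start += 1
            span = evs[start:end + 1]
            users = {e.user for e in span}
            fails = sum(e.result == "fail" for e in span)
            if len(users) >= min_users and fails / len(span) >= min_fail_ratio:
                flagged.add(ip)
                break
    return flagged


# Constructed per-customer history used for the adaptive check, and a
# constructed geographic control (countries the Firm serves).
KNOWN_PROFILES = {
    "alice": {"countries": {"US"}, "devices": {"laptop-a1"}},
    "bob": {"countries": {"US"}, "devices": {"phone-b7"}},
}
ALLOWED_COUNTRIES = {"US", "CA"}


def assess_login(ev: Event, blocked_ips, profiles=KNOWN_PROFILES, allowed=ALLOWED_COUNTRIES) -> str:
    """Return 'block', 'step_up' (demand another factor) or 'allow' for one
    login whose password was accepted."""
    if ev.ip in blocked_ips or ev.country not in allowed:
        return "block"
    profile = profiles.get(ev.user)
    if profile is None:
        return "step_up"                     # no history to compare against
    new_country = ev.country not in profile["countries"]
    new_device = ev.device not in profile["devices"]
    return "step_up" if (new_country or new_device) else "allow"


def triage(lines):
    """Flag stuffing sources, then decide each successful password login."""
    events = [parse_line(line) for line in lines if line.strip()]
    blocked = find_stuffing_sources(events)
    decisions = {(ev.user, ev.ip): assess_login(ev, blocked)
                 for ev in events if ev.result == "ok"}
    return blocked, decisions


# Constructed sample log: one IP spraying usernames (with one hit on bob),
# alice from her usual laptop and later from a new tablet abroad, and carol
# from a country the Firm does not serve.
SAMPLE_LOG = """\
2021-05-12T09:00:01Z ip=203.0.113.7 user=u101 country=US device=hdr-x result=fail
2021-05-12T09:00:02Z ip=203.0.113.7 user=u102 country=US device=hdr-x result=fail
2021-05-12T09:00:02Z ip=203.0.113.7 user=u103 country=US device=hdr-x result=fail
2021-05-12T09:00:03Z ip=203.0.113.7 user=u104 country=US device=hdr-x result=fail
2021-05-12T09:00:04Z ip=203.0.113.7 user=bob country=US device=hdr-x result=ok
2021-05-12T09:00:05Z ip=203.0.113.7 user=u106 country=US device=hdr-x result=fail
2021-05-12T09:01:00Z ip=198.51.100.4 user=alice country=US device=laptop-a1 result=ok
2021-05-12T09:02:00Z ip=198.51.100.4 user=alice country=US device=laptop-a1 result=fail
2021-05-12T11:30:00Z ip=192.0.2.9 user=alice country=CA device=tablet-new result=ok
2021-05-12T12:00:00Z ip=192.0.2.50 user=carol country=BR device=phone-c3 result=ok
"""

if __name__ == "__main__":
    blocked, decisions = triage(SAMPLE_LOG.splitlines())
    print("isolate IPs:", blocked)
    for key, decision in decisions.items():
        print(key, "->", decision)
```

The stuffing hit on bob is blocked even though the password was right, because the decision is made on the source, not the credential; alice's normal login passes untouched, and only her unfamiliar device and country trigger the step-up, which is the point of applying extra friction adaptively rather than on every login.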
Investor Education: Educating customers about account security has become a priority for Firms. Firms include cybersecurity informational content in statements for senior investors and in onboarding packets for new customers.