OCIE Warns of Increased ‘Credential Stuffing’ Cyberattacks on Investment Advisers, Broker-Dealers

The  Securities and Exchange Commission’s (SEC) Office of Compliance Inspections and Examinations (OCIE) has published a risk alert, warning SEC-registered investment advisers, brokers and dealers about the increasing use of a form of cyberattack known as “credential stuffing.” The alert is intended to encourage financial institutions to take a proactive approach to protect themselves and their clients from emerging cyberthreats.

What is credential stuffing, and why is it a risk to financial institutions?

Credential stuffing refers to a method in which an attacker uses a client’s login credentials, including usernames, email addresses and passwords that have been previously obtained through other means, combined with automated scripts that attempt to use those credentials to gain access to client accounts. OCIE notes that these automated attacks can be used to access both web-based user accounts as well as those that utilize a direct network connection, and that the approach appears to be more effective than attacks using a traditional “brute force” approach.

The staff at OCIE has observed an uptick in credential stuffing attacks on advisers and broker-dealers, and some of these have resulted in the loss of customer assets or unauthorized access to customer data. Additionally, illicit access to a client account can be used by attackers to gain access to other elements of a firm’s systems. The alert warns that failure to proactively address this type of threat raises the risk level for firms, “including but not limited to financial, regulatory, legal, and reputational risks, as well as, importantly, risks to investors.”

Practices to help protect firms and client accounts

The success of credential stuffing attacks relies on instances in which individuals use the same password (or minor variations) for multiple websites and accounts, and/or cases where passwords can be easily guessed. Therefore, policies and procedures that address these shortcomings can provide a degree of protection.

The risk alert outlines a number of responses firms have utilized to help protect their systems and client accounts as well as links to additional resources for additional technical guidance:

• Conduct a periodic review of policies and procedures, with a specific focus on updating password requirements to a recognized standard.
• Implement multi-factor authentication (MFA), which uses multiple methods to verify the authenticity of the person seeking to access an account.
• Deploy CAPTCHA, or Completely Automated Public Turing test to tell Computers and Humans Apart, to combat the use of automated scripts and bots.
• Implement controls that detect and prevent attacks, which can include monitoring for a higher-than-usual number of login attempts, use of a Web Application Firewall and other controls that can limit damage in the event an account is taken over.
• Monitor the dark web^[1] for lists of leaked usernames and passwords and perform tests to evaluate whether firm accounts are vulnerable.

There are other considerations that OCIE raises to help firms prepare against credential stuffing attacks. These include making sure customers and staff are adequately informed regarding the need for password strength and security, and understanding the limitations of MFA defenses, which can be vulnerable when mobile phone text messaging systems have been compromised.

OCIE recommendation: Review and update policies and practices

As the prevalence of cyberattacks continues to rise, financial institutions should remain vigilant and proactively address emergent cyber risks. OCIE encourages SEC-registered firms to consider reviewing and updating their Regulation S-P and Regulation S-ID policies and programs in light of the emergent risks posed by credential stuffing, and to make use of methods that would most effectively address those risks.

^{[1] A subset of the internet only accessible through specialized software where attackers can obtain lists of client credentials.}