SEC warns of ‘credential stuffing’ cyberattacks

The Securities and Exchange Commission is urging advisers and broker-dealers to ramp up cybersecurity practices after seeing an uptick in cyberattacks, that specifically use a technique called “credential stuffing,” during recent examinations.

The practice, according to the SEC, is a type of attack involving stolen credentials, which are used to log into web-based systems of firms to access client funds.

Criminals seek access to login credentials by utilizing special programs that troll the dark web for usernames, email addresses, and passwords, according to Amy Lynch, president of FrontLine Compliance and former SEC examiner. “Credential stuffing has become the go-to method of obtaining login credentials, as opposed to traditional password attacks,” she said. 

The method has resulted in the loss of customer assets and unauthorized access to customer information. 

“The failure to mitigate the risks of credential stuffing proactively significantly increases various risks for firms, including but not limited to financial, regulatory, legal and reputational risks, as well as, importantly, risks to investors,” according to the OCIE’s alert. 

While the regulator did not quantify the increase, it was significant enough to issue a risk alert outlining the dangers of credential stuffing, according to what the SEC’s Office of Compliance Inspections and Examinations.

Cybersecurity has become an increased concern given the current environment. With remote work, every firm has become dependent on an expanding digital infrastructure, which in turn, has made advisers vulnerable to cybercriminals and foreign adversaries. 

There are plenty of action items advisory firms can take to mitigate the heightened risk, according to Lynch. First, she said, update your firm’s written policies and procedures to cover this new type of attack by updating password protocols to require frequent changing and strong passwords by length and type — not re-using passwords across systems. 

Next, firms should use multi-factor authentication for system logins to verify access of employees while using CAPTCHA technology to prevent program trolls from system access, Lynch said. Moreover, advisers should use a web application firewall to serve as an additional protection for specific firm applications. 

Advisers, too, can monitor systems for failed login attempts to find patterns or high-volume attempts, Lynch said. 

For client facing actions, advisers can limit online account transfers and withdrawals of funds. Advisers can also educate clients to ensure they understand the limits of text message codes as an authentication method since they are phone number specific and attached to the number, not the device itself, according to Lynch. 

Increased protection for investor and consumer data has been an ongoing concern for the industry. 

“Cybersecurity attacks are increasing, especially with many firm employees now working from home,” Lynch said. “This alert serves as a notification to firms that they need to be aware of this new risk type and take action to update policies and to monitor for it.”

Related Topics: Cybersecurity, FrontLine Compliance, Securities and Exchange Commission