OCIE Warns Against Emerging Cyber Threat of “Credential Stuffing”
On September 15, 2020, the Office of Compliance Inspections and Examinations (“OCIE”) issued an alert urging investment advisers and broker-dealers to review their customer account protection safeguards and identity theft prevention programs. The impetus behind the alert is an increase in the number of cyber-attacks using a tactic called “credential stuffing,” observed during recent examinations.
The term applies to a sophisticated method attackers are using for gaining access to web-based and networked customer accounts. OCIE explained that credential stuffing involves attackers who “obtain lists of usernames, email addresses, and corresponding passwords from the dark web and then use automated scripts to try the compromised user names and passwords on other websites, such as a registrant’s website, in an attempt to log in and gain unauthorized access to customer accounts.”
OCIE disclosed a number of practices firms are using to mitigate this emergent risk. These include: (i) reviewing and updating policies and procedures on password protections; (ii) incorporating the use of a more robust multifactor authentication system; (iii) deploying a “CAPTCHA” test to combat automated bots used in these attacks; (iv) implementing additional controls like specialized log-in attempt monitoring (“fingerprinting”) to detect and inhibit attacks; and (v) using another layer of controls over fund transfers and access to personally identifiable information. OCIE also warned that the use of multifactor authentication programs using mobile phones “is not foolproof,” and that firms should remain alert to mobile number transfers from phone to phone.
OCIE warned firms to proactively address these emergent cyber risks, review their programs, policies and practices, and to communicate with their customers as to how they may take steps to protect their accounts and other sensitive information.
For additional information and assistance, please follow the links below to Bates Group's Practice Area pages: