SEC’s Cybersecurity Risk Alert Regarding Credential Stuffing

October 15, 2020

The Securities & Exchange Commission’s Office of Compliance Inspections and Examinations (“OCIE”) recently issued a risk alert to broker-dealers and investment advisers highlighting an increase in a particular type of cyber crime: credential stuffing.

Credential stuffing occurs when a cybercriminal obtains a username, possibly the email address, and password of a web-based user account. The criminal then applies this information to the other accounts the user may have in order to gain access and control of the accounts. Because so many users have the same username and password to most or all their online accounts, the criminal is often successful. Credential stuffing is not new, but its recent increased prevalence has prompted OCIE to alert investment advisers and broker-dealers to take some basic steps to protect themselves, their clients or customers and affiliated third parties.

How Data Is Obtained/Stolen

Hackers can obtain access to a user’s computer or use malware to record keystrokes to obtain a username and password. An even easier method is to send an email or text to a user with a link instructing the user to change his or her password.

Criminals can also purchase lists of usernames and passwords on the dark web that is part of the internet not visible to search engines, requires the use of an anonymizing browser and is widely used by criminals. In addition to usernames and passwords, criminals can, on the dark web, buy credit card numbers, stolen medical and subscription data, and hire hackers to gain access to a client’s usernames and passwords.

What Should an Investment Adviser or Broker-Dealer Do?

OCIE recommends that advisers and broker-dealers take the following steps to combat credential stuffing:

  • Policies and Procedures. Firms should review and update their Regulation S-P and Regulation S-ID policies and programs. Firms should also review and test their cybersecurity policies and procedures, which every investment adviser and broker-dealer should have. Examples of testing include desktop exercises and penetration tests.

• OCIE noted that firms have been updating password policies to “incorporate a recognized password standard requiring strength, length, type, and change of passwords practices that are consistent with industry standards.”

• Firms should also consider reviewing the systems and red flags set up to detect suspicious transactions and suspicious behavior under Anti-Money Laundering procedures. A cybercriminal who obtains an advisory or brokerage account user’s login information using credential stuffing will likely begin selling securities, withdrawing money or engaging in other activity that is perhaps not typical for the client or customer. AML procedures and systems may help flag that behavior.

  • MFA and CAPTCHA. Perhaps the most important suggestion in the alert is the use of Multi-Factor Authentication (“MFA”). MFA requires multiple verification methods to authenticate the person seeking to log in to an account, such as receiving a text to your phone with a code in order to log into an account via the Internet. Investment advisers and broker-dealers should consider MFA if customers and clients can access accounts via the Internet. Firms can also use Completely Automated Public Turing test to tell Computers and Humans Apart (“CAPTCHA”). This requires a user to act to prove he or she is human. The most common test that you have likely seen before requires selecting pictures of a particular object within a grid of pictures, such as “click on all the pictures with palm trees in them.”

Other Preventative Steps. Other preventative steps suggested by OCIE to detect and prevent credential stuffing include:

• monitoring for higher-than-usual user login or failed-log-in attempts over a certain period;
• using a Web Application Firewall to detect and inhibit credential stuffing attacks;
• monitoring the dark web; and
• providing data protection educational material to employees, clients and customers.

  • Passwords. The OCIE risk alert includes a discussion on passwords. The alert dispels the myth that passwords must be changed regularly. According to OCIE, passwords do not need to be changed unless they are compromised. The National Institute of Standards and Technology (“NIST”) has provided this guidance for some time now. The NIST is a division of the Department of Commerce, that provides a number of services, including guidance and support regarding cybersecurity programs.

Suggestions for Educating Clients and Customers

Following is information that advisers and broker-dealers may consider providing as educational material to their clients and customers. If a user receives an electronic communication about updating, confirming or changing a web-based account, consider taking the following steps:

  • Confirm that the email and related links are legitimate. Note that often the link or email address from where the communication came often has the name of a legitimate company in it but it may be misspelled or include random numbers and letters. This is a sign that the communication is not legitimate.
  • Do not click on any links in the communication. Even if you just click and look around but do not enter information you may have exposed your personal computer or phone to a virus or malware.
  • Delete the message if you cannot confirm the emails and related links are legitimate.
  • Call the company that the message supposedly comes from, or log on directly the company’s web site how you normally would (DO NOT CLICK ON A LINK IN THE MESSAGE YOU RECEIVED). Review your account information to be sure there is no fraudulent activity. Consider changing your password if it has been compromised.

S&K Observations

OCIE’s risk alert is not just limited to credential stuffing. It offers sound advice about revisiting, reviewing, enforcing and improving investment adviser and broker-dealer cybersecurity and data protection policies and procedures. The alert advises that investment adviser and broker-dealers to educate their employees, clients and customers on cybersecurity risks including credential stuffing. Seward & Kissel’s Investment Management Group is available to assist you with any questions about the OCIE risk alert and developing or improving your data security and cybersecurity plans.