On September 15, 2020, the Securities and Exchange Commission (“SEC”) Office of Compliance Inspections and Examinations (“OCIE”) released a new risk alert with new information pertaining to an increase in the number of cyberattacks observed in recent examinations of SEC-registered registered investment adviser (“RIA”) firms using credential stuffing. “Credential stuffing is emerging as a more effective way for attackers to gain unauthorized access to customer accounts and/or firm systems than traditional brute force password attacks.”
Credential stuffing is a cyber attack in which credentials obtained from a former data breach from one service or website are used to attempt to log in to another unrelated service or website. For example, an attacker may use a list of passwords obtained from a major data breach and use the same log in credentials to try and access RIA firm systems or individual client accounts. When a credential stuffing attempt is successful, bad actors may be able to gain access to other client or employee accounts with similar iterations. “OCIE staff has observed an increase in the frequency of credential stuffing attacks, some of which have resulted in the loss of customer assets and unauthorized access to customer information.” The risk alert notes, "Successful attacks occur more often when (1) individuals use the same password or minor variations of the same password for various online accounts, and/or (2) individuals use login usernames that are easily guessed, such as email addresses or full names."
Firm’s internet-facing websites (including systems hosted by third-party vendors) are the most vulnerable because if compromised, attackers can initiate transactions and/or gain access to non-public information (“NPI”).
The risk alert suggests these best practices to consider to help mitigate the risk of credential stuffing attacks:
- Policies and Procedures: RIA firms should review their own and third party vendors' policies and procedures with specificity around password strength, length, type, and change frequency to ensure consistency with industry standards. For example, recent guidance from the National Institute of Standard and Technology ("NIST") recommends that password changes should only be required when there is evidence that an account may have been compromised.
- Multi-Factor Authentication (“MFA”): Use MFA and properly implement MFA at the firm. When possible, firms should try and avoid using mobile phone text messages as a form of MFA as it is possible for mobile phones to be compromised and such messages intercepted by bad actors. In addition, firms should work to ensure that any security questions used as a form of MFA are not susceptible to social engineering attacks.
- Completely Automated Public Turing test to tell Computers and Humans Apart (“CAPTCHA”): Stuffing attacks may use scripts or bots to execute the attack. Firms should consider utilizing CAPTCHA systems when possible to confirm the user attempting to login is a human.
- Controls to Detect and Prevent: Implementation of a Web Application Firewall (“WAF”) that monitor and detect logins, browser system language, and time zones, etc. can help detect and prevent credential stuffing attacks.
- Monitoring of the Dark Web: Firms should try and monitor the dark web to stay informed about major data breaches of other online services of websites.
Firms should remain vigilant and encourage employees and clients to familiarize themselves with the firm's policies and procedures in the event of a cyberattack. “OCIE encourages firms to review their customer account protection safeguards and identity theft prevention programs and consider whether updates to such programs or policies are warranted to address emergent risks.”
Be sure to check back soon as we continue to provide updates on relevant RIA regulatory compliance focus areas.