Regulation and Compliance State Regulation

SEC Warns of Rise in 'Credential Stuffing' Cyberattacks

News September 15, 2020 at 06:30 PM
Share & Print

. (Photo: Shutterstock)

The Securities and Exchange Commission's exam division is warning about an increase in cyberattacks against advisors and broker-dealers. These involve "credential stuffing," in which bad actors target client accounts via compromised client login credentials and can result in loss of customer assets and unauthorized disclosure of personal information.

The agency's Office of Compliance Inspections and Examinations has observed the credential stuffing in recent exams.

Cyber attackers, the OCIE Risk Alert states, obtain lists of usernames, email addresses and corresponding passwords from the dark web.

Then they use automated scripts to try the compromised user names and passwords on other websites, such as a registrant's website, in an attempt to log in and gain unauthorized access to customer accounts.

"Credential stuffing is emerging as a more effective way for attackers to gain unauthorized access to customer accounts and/or firm systems than traditional brute force password attacks," the alert states.

The alert urges advisors and BDs to periodically review policies and programs with specific focus on updating password policies to incorporate a recognized password standard requiring strength, length, type, and change of passwords practices that are consistent with industry standards.

Firms should also employ multi-factor authentication, which uses multiple "verification methods" to authenticate the person seeking to log in to an account.

Monitoring the Dark Web for lists of leaked user IDs and passwords, and performance of tests to evaluate whether current user accounts are susceptible to credential stuffing attack, should also be performed, OCIE states.

NOT FOR REPRINT

© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.

Related Stories

Kentucky Advisor Accused of Bilking 73-Year-Old Client 5 Ways Trump's Election Could Affect Life and Annuity Players On Today's Ballots: 5 Commissioner Races and a Public LTC Program Millionaire Tax Vote Opens Door to New Clash Over Chicago Wealth Cause of Death Found for Wells Fargo Employee Who Died at Desk State Regulators Find Fraud on the Rise in Digital Assets, Social Media

Resource Center

Can Systematic Risk Be Reduced? link

Guide

Can Systematic Risk Be Reduced?

The Business Model Playbook: Mastering Technology for Firm Success link

Playbook

The Business Model Playbook: Mastering Technology for Firm Success

Harnessing AI to Power Advisor-Client Relationships link

White Paper

Harnessing AI to Power Advisor-Client Relationships