Hackers Never Sleep: OCIE Warns of New Cyberattacks Against RIAs and BDs
While hacking is certainly not new, cyberattacks continue to evolve and become more creative and dangerous. The latest iteration of hacking involves “credential stuffing.” The Office of Compliance Inspections and Examinations (“OCIE”) has noticed an increase in the number of credential stuffing attacks, which has led OCIE to issue a Risk Alert warning Registered Investment Advisers (“RIAs”) and Broker-Dealers (“BDs”) (collectively “Registrants” or “Firms”) about the risks posed by credential stuffing.[1]
What is Credential Stuffing?
Credential stuffing is an automated cyberattack. OCIE notes that both web-based user accounts and direct network connections are susceptible to this line of attack. The technique involves two distinct steps: (i) the attacker obtains clients’ login information (e.g. usernames, email addresses, and passwords) via the “dark web”;[2] and (ii) the attacker then deploys automated scripts[3] that replay that login information against the Firm’s login systems to gain access to clients’ accounts.
When successful, credential stuffing can allow hackers to use access to the Firms’ IT systems to (i) steal customer assets; (ii) access confidential customer information; and, (iii) sell login information to other criminals on the dark web.
What can Registrants do to thwart credential stuffing?
OCIE has observed several things that Registrants have done to protect their clients’ account information.
Policies and Procedures
OCIE has noted that firms have performed a periodic review of policies and procedures with an emphasis on password security. OCIE found that:
“Successful attacks occur more often when (1) individuals use the same password or minor variations of the same password for various online accounts, and/or (2) individuals use login usernames that are easily guessed, such as email addresses or full names.”[4]
As such, policies and procedures should incorporate a recognized industry standard for password security. OCIE references the password standards articulated by the National Institute of Standards and Technology (“NIST”).[5]
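The NIST guidance OCIE points to (SP 800-63B, the memorized-secret volume of the 800-63-3 suite cited above) replaces composition rules with a minimum length and a comparison against a blocklist of breached, commonly used and context-specific values. The check below is an added example written for this article, not code from OCIE, NIST or Alaric; the blocklist is a small constructed stand-in for a real breach-derived list, and the “variant root” heuristic (which catches the minor variations of a known password that the Risk Alert warns about) is my addition, not a NIST rule.

```python
"""Password-policy check modelled on NIST SP 800-63B section 5.1.1.2 (memorized secrets).

Added example; not code from the OCIE Risk Alert, NIST or Alaric. The blocklist below
is a small constructed stand-in for a real feed of breached and commonly used passwords.
"""
import unicodedata

MIN_LENGTH = 8     # 800-63B minimum for user-chosen secrets
MAX_LENGTH = 64    # 800-63B requires at least 64 to be accepted; raise if desired

# Constructed sample blocklist (a real deployment loads a large breach-derived list).
BREACHED_PASSWORDS = frozenset({
    "password", "password1", "123456", "qwerty", "letmein",
    "welcome1", "summer2020", "iloveyou",
})

# Trailing characters people append to recycle a known password ("Password2021!").
_SUFFIX_CHARS = "0123456789!@#$%^&*.-_"


def normalize(secret: str) -> str:
    """NFKC-normalise, as 800-63B recommends, so lookalike encodings compare equal."""
    return unicodedata.normalize("NFKC", secret)


def variant_root(secret: str) -> str:
    """Heuristic (not a NIST rule): lower-case and strip trailing digits/symbols so
    minor variations of a blocklisted password are caught as well."""
    return secret.lower().rstrip(_SUFFIX_CHARS)


def check_password(secret: str, username: str = "", blocklist=BREACHED_PASSWORDS) -> list:
    """Return the list of reasons the secret is rejected; an empty list means accepted.

    800-63B deliberately has no composition rules (required digits, symbols, ...), so
    none are enforced here; length and blocklist comparison do the work instead.
    """
    reasons = []
    s = normalize(secret)
    if len(s) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if len(s) > MAX_LENGTH:
        reasons.append(f"longer than {MAX_LENGTH} characters")
    low = s.lower()
    if low in blocklist:
        reasons.append("appears in the breached/common password list")
    elif variant_root(low) in blocklist:
        reasons.append("minor variation of a breached/common password")
    # Context-specific words: the username and, for e-mail style names, its local part.
    user = username.lower()
    for word in {user, user.split("@")[0]}:
        if len(word) >= 3 and word in low:
            reasons.append("contains the username or e-mail local part")
            break
    return reasons


if __name__ == "__main__":
    # Constructed sample inputs.
    for pw, user in [("Password2021!", "jdoe@example.com"),
                     ("jdoe2020", "jdoe@example.com"),
                     ("correct horse battery staple", "jdoe@example.com")]:
        print(repr(pw), "->", check_password(pw, user) or "accepted")
```

Run the file directly to see the three constructed cases: a trivially varied breached password and a username-based password are rejected, while a long unique passphrase with no special characters is accepted, which is the point of the NIST approach.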
Multi-Factor Authentication (“MFA”)
MFA adds one or more steps to the login procedure after entry of the password; SMS text messages are often used as the second authenticator. OCIE has stated that “MFA can offer one of the best defenses to password-related attacks and significantly decrease the risk of an account takeover.”[6] MFA does not, however, prevent hackers from identifying which accounts belong to valid users, even if they are thwarted from logging into the customers’ accounts. These identified accounts may be targets for future mischief, as the hackers may redouble their efforts to break through the MFA.
Completely Automated Public Turing test to tell Computers and Humans Apart (“CAPTCHA”)
As the name implies, CAPTCHA can prevent access by automated, computer-generated login attempts. It does this by requiring users to confirm that they are not running automated scripts through some human action, like identifying specific objects within a picture grid.
Controls to Detect and Prevent
OCIE observed that some firms used controls that can detect and prevent credential stuffing. These include (i) monitoring for higher-than-usual numbers of login attempts or failed logins; (ii) use of a Web Application Firewall (“WAF”); and (iii) mitigation controls that limit the damage if an account is breached, such as limiting online access to fund transfers or personally identifiable information (“PII”).
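What the monitoring in item (i) looks for is the signature that distinguishes credential stuffing from an ordinary mistyped password: one source trying many different accounts, each once, with a high failure rate, and occasionally a success. The script below is an added example written for this article, not code from OCIE or Alaric, and it assumes a simplified, constructed login-log format and hypothetical thresholds (a 5-minute window, 8 attempts, 5 distinct accounts, 80% failures); a real deployment would tune these to the Firm’s baseline and typically express the same rule as a WAF rate-limit or a SIEM correlation search. It also returns the accounts a flagged source logged into, which is the list a Firm would act on under item (iii).

```python
"""Credential-stuffing detection over web login logs.

Added example; not from the OCIE Risk Alert or from Alaric. The log format and the
thresholds are assumptions: one line per login attempt, in the form
"<ISO-8601 timestamp> <source IP> <username> <LOGIN_OK|LOGIN_FAIL>".
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one source spraying ten different accounts (one succeeds),
# a user mistyping once, and a user failing three times on a single account.
SAMPLE_LOG = """\
2020-09-15T09:00:01Z 203.0.113.7 alice@example.com LOGIN_FAIL
2020-09-15T09:00:02Z 203.0.113.7 bob@example.com LOGIN_FAIL
2020-09-15T09:00:03Z 203.0.113.7 carol@example.com LOGIN_FAIL
2020-09-15T09:00:04Z 203.0.113.7 dave@example.com LOGIN_FAIL
2020-09-15T09:00:05Z 203.0.113.7 erin@example.com LOGIN_FAIL
2020-09-15T09:00:06Z 203.0.113.7 frank@example.com LOGIN_OK
2020-09-15T09:00:07Z 203.0.113.7 grace@example.com LOGIN_FAIL
2020-09-15T09:00:08Z 203.0.113.7 heidi@example.com LOGIN_FAIL
2020-09-15T09:00:09Z 203.0.113.7 ivan@example.com LOGIN_FAIL
2020-09-15T09:00:10Z 203.0.113.7 judy@example.com LOGIN_FAIL
2020-09-15T09:03:00Z 198.51.100.2 alice@example.com LOGIN_FAIL
2020-09-15T09:03:15Z 198.51.100.2 alice@example.com LOGIN_OK
2020-09-15T09:04:00Z 192.0.2.9 bob@example.com LOGIN_FAIL
2020-09-15T09:04:05Z 192.0.2.9 bob@example.com LOGIN_FAIL
2020-09-15T09:04:10Z 192.0.2.9 bob@example.com LOGIN_OK
"""


def parse_log(text):
    """Return a list of (timestamp, ip, username, success) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       ip, user.lower(), result == "LOGIN_OK"))
    events.sort()
    return events


def detect_stuffing(events, window=timedelta(minutes=5), min_attempts=8,
                    min_distinct_users=5, min_fail_ratio=0.8):
    """Flag source IPs that, inside any sliding window, try many *different* accounts
    with a high failure rate. Single-account retries (typos, brute force on one
    account) do not match: credential stuffing is one attempt per stolen pair.
    Returns {ip: {"attempts", "distinct_users", "failures", "succeeded_accounts"}}."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)
    alerts = {}
    for ip, evs in by_ip.items():          # evs are already time-ordered
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            win = evs[start:end + 1]
            if len(win) < min_attempts:
                continue
            users = {e[2] for e in win}
            fails = sum(1 for e in win if not e[3])
            if len(users) >= min_distinct_users and fails / len(win) >= min_fail_ratio:
                a = alerts.setdefault(ip, {"attempts": 0, "distinct_users": 0,
                                           "failures": 0, "succeeded_accounts": set()})
                a["attempts"] = max(a["attempts"], len(win))
                a["distinct_users"] = max(a["distinct_users"], len(users))
                a["failures"] = max(a["failures"], fails)
                a["succeeded_accounts"].update(e[2] for e in win if e[3])
    for a in alerts.values():
        a["succeeded_accounts"] = sorted(a["succeeded_accounts"])
    return alerts


def peak_failures(events, window=timedelta(minutes=5)):
    """Highest number of failed logins from all sources in any window; compare it
    against the Firm's normal baseline to spot the spike the Risk Alert describes."""
    fails = [e[0] for e in events if not e[3]]
    peak = start = 0
    for end in range(len(fails)):
        while fails[end] - fails[start] > window:
            start += 1
        peak = max(peak, end - start + 1)
    return peak


def accounts_to_protect(alerts):
    """Accounts a flagged source logged into: candidates for forced re-authentication
    and a temporary hold on fund transfers and PII access until verified."""
    return sorted({u for a in alerts.values() for u in a["succeeded_accounts"]})


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    found = detect_stuffing(evs)
    print("peak failed logins in one window:", peak_failures(evs))
    for ip, a in found.items():
        print(f"ALERT {ip}: {a}")
    print("accounts to protect:", accounts_to_protect(found))
```

On the constructed sample only 203.0.113.7 is flagged: the mistyped password from 198.51.100.2 and the three failures on a single account from 192.0.2.9 never reach the distinct-account threshold, which is what keeps the rule from paging on ordinary customer behaviour.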
Monitoring the Dark Web
As unsavory as it may seem, OCIE noted that Firms are monitoring the dark web for leaked user identifications and passwords, and for signs that Firm customers are vulnerable to credential stuffing.
Other Considerations in Preparing for Credential Stuffing Attacks
OCIE encourages Registrants to review their current practices and evaluate whether there are any shortcomings. Also, OCIE encourages Firms to (i) ensure that their customers and employees create unique passwords that are not used on other sites; (ii) ensure that passwords are changed frequently; and (iii) be mindful of the limitations of MFA.[7]
As with many challenges faced by Registrants, credential stuffing is largely a compliance issue that can be addressed through a thorough review, implementation, and enforcement of adequate policies and procedures. Moreover, Firms should ensure that they are implementing the practices that OCIE highlighted (e.g. MFA, CAPTCHA, etc.). Firms must also be mindful of the dangers that hacking can present. To paraphrase Thomas Jefferson, the price of freedom from cyberattacks is eternal vigilance.
With over 275 years of cumulative financial services compliance expertise, Alaric has managed over 100 regulatory examinations while serving as chief compliance officer. Leveraging this experience, our team of former regulators, lawyers, and in-house chief compliance officers can help your firm keep your compliance program healthy.
Call Alaric today to learn more about our cybersecurity services, at 1-888-243-2448 or firstname.lastname@example.org or visit our website, at www.alariccompliance.com.
[1] Office of Compliance Inspections and Examinations, Cybersecurity: Safeguarding Client Accounts against Credential Compromise (September 15, 2020), https://www.sec.gov/files/Risk%20Alert%20-%20Credential%20Compromise.pdf (“Risk Alert”).
[2] The dark web is a collection of anonymous websites, notable for black market sales, child pornography and other unsavory behavior. See, e.g., Greenberg, Andy (November 19, 2014), Hacker Lexicon: What Is the Dark Web?, https://www.wired.com/2014/11/hacker-lexicon-whats-dark-web/
[3] Automated scripts are lists of commands that can allow a hacker to search for publicly available information to garner account names and then automatically breach accounts using stolen or obvious passwords. See, e.g., Palmer, Danny (March 25, 2020), Cybersecurity warning: 10 ways hackers are using automation to boost their attacks, https://www.zdnet.com/article/cybersecurity-warning-10-ways-hackers-are-using-automation-to-boost-their-attacks/
[4] Risk Alert at p. 2.
[5] See, e.g., NIST Information Technology Laboratory, Computer Security Resource Center, SP 800-63-3 Digital Identity Guidelines, available at https://csrc.nist.gov/publications/detail/sp/800-63/3/final
[6] Risk Alert at p. 2.
[7] “Some firms highlight for account owners and staff that they should be alert to instances where their mobile devices no longer work, as someone may have attempted fraudulently to transfer their phone number to another device.” Risk Alert at p. 4.