The United States Securities and Exchange Commission (SEC) issued an advisory this week warning about an increase in the number of credential stuffing attacks against SEC-registered investment advisers, brokers and dealers. The advisory should also serve as a warning to retail merchants about the dangers of credential stuffing attacks.
Credential stuffing attacks—or account takeover (ATO) attacks—occur when hackers use stolen information, including stolen usernames and passwords, to gain unauthorized online account access.
The advisory cautions that Office of Compliance Inspections and Examinations (OCIE) staff has observed an increase in the frequency of credential stuffing attacks, and that some of these attacks have resulted in loss of customer assets and unauthorized access to customer information. The office advises the use of Multi-Factor Authentication (MFA), Completely Automated Public Turing test to tell Computers and Humans Apart (“CAPTCHA”), monitoring for spikes in login and failed-login attempts, and use of a Web Application Firewall (WAF) as well as behavioral detection technology to mitigate these kinds of attacks.
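The monitoring control the advisory recommends (watching for spikes in login and failed-login attempts) can be illustrated with a small detector. The following is an added example, not code from the advisory or from any firm; the log format, the sample log lines, the field names (`src`, `user`, `result`) and the thresholds are all constructed for illustration. It groups authentication events by source address and flags any source whose attempts inside a sliding window are numerous, spread across many distinct accounts, and mostly failures, which is the signature that separates credential stuffing from one user mistyping a password.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not from the advisory): one
# legitimate user who mistypes once, then a burst from a single source
# that cycles through many different accounts with mostly failures.
SAMPLE_LOG = """\
2020-09-15T10:00:01Z src=203.0.113.7 user=alice result=FAIL
2020-09-15T10:00:09Z src=203.0.113.7 user=alice result=OK
2020-09-15T10:01:00Z src=198.51.100.23 user=bob result=FAIL
2020-09-15T10:01:01Z src=198.51.100.23 user=carol result=FAIL
2020-09-15T10:01:02Z src=198.51.100.23 user=dave result=FAIL
2020-09-15T10:01:03Z src=198.51.100.23 user=erin result=FAIL
2020-09-15T10:01:04Z src=198.51.100.23 user=frank result=OK
2020-09-15T10:01:05Z src=198.51.100.23 user=grace result=FAIL
2020-09-15T10:01:06Z src=198.51.100.23 user=heidi result=FAIL
2020-09-15T10:01:07Z src=198.51.100.23 user=ivan result=FAIL
"""

# Assumed log line layout: ISO timestamp, source address, account, outcome.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_log(text):
    """Parse log text into (timestamp, src, user, succeeded) tuples; skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["src"], m["user"], m["result"] == "OK"))
    return events


def detect_stuffing(events, window=timedelta(minutes=5), min_attempts=5,
                    min_distinct_users=5, max_success_rate=0.5):
    """Flag sources whose attempts in any sliding window are many, target many
    distinct accounts, and mostly fail. Thresholds are illustrative assumptions.
    Returns {src: (attempts, distinct_users, successes)} for the first window
    that crosses all three thresholds."""
    by_src = defaultdict(list)
    for ev in sorted(events):          # sorted by timestamp (first tuple field)
        by_src[ev[1]].append(ev)

    flagged = {}
    for src, evs in by_src.items():
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it fits inside `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            window_evs = evs[start:end + 1]
            attempts = len(window_evs)
            users = {e[2] for e in window_evs}
            successes = sum(1 for e in window_evs if e[3])
            if (attempts >= min_attempts
                    and len(users) >= min_distinct_users
                    and successes / attempts <= max_success_rate):
                flagged[src] = (attempts, len(users), successes)
                break
    return flagged


if __name__ == "__main__":
    for src, (n, users, ok) in detect_stuffing(parse_log(SAMPLE_LOG)).items():
        print(f"{src}: {n} attempts across {users} accounts, {ok} succeeded")
```

The distinct-account count is what matters: a single user retrying a password produces many failures against one account, while stuffing produces failures spread across many accounts with a low but non-zero success rate. The successes inside a flagged window (here the `frank` login) are the accounts to review and re-authenticate, and the thresholds should be tuned against the firm's own baseline traffic before alerts are wired to a WAF block rule.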
“Financial institutions should remain vigilant and proactively address emergent cyber risks,” the advisory stated. “OCIE encourages firms to review their customer account protection safeguards and identity theft prevention programs and consider whether updates to such programs or policies are warranted to address emergent risks. In addition, firms are encouraged to consider outreach to their customers to inform them of actions they may take to protect their financial accounts and personally identifiable information.”