“Credential Stuffing” is a relatively simple attack method used by criminals to take advantage of individuals who use the same (or similar) passwords for all their many online login sites. By possessing the password from one site, criminals can employ automated processes to test millions of sites worldwide. And if you use the same password and they test one of those sites, your account may be compromised.

The OCIE Risk Alert issued by the SEC on September 15, 2020 stated that the frequency and success of these credential stuffing attacks of SEC registrants are increasing and the impact has been felt among service providers to registrants as well. Consequently, the OCIE recommends that registrants take active steps to address this concern such as reviewing and updating Regulation S-P and Regulation S-ID policies and programs and evaluating whether the firm’s customers and personnel are aware of how to better secure accounts. They also listed other practices to protect client accounts they had observed during exams:

Policies & Procedures

    • Review policies and programs, focusing on updating password policies to include password requirements that are consistent with industry standards (e.g., strength, length, type, frequency of change, etc.).

Multi-Factor Authentication (MFA)

    • Use MFA, in which multiple methods of authentication are used during logins (e.g., codes generated by smartphone apps, codes sent by email, device tokens, fingerprints, facial recognition, etc.).
    • Be aware that, though MFA significantly reduces the risks of account takeover, it does not prevent bad actors from identifying which accounts are valid on a site; thus protection against phishing and other social engineering attempts are still needed even when MFA is in use.
    • Be aware that smartphone app use in MFA may not be effective if mobile phones have been compromised, with bad actors potentially gaining access to accounts and phone numbers fraudulently transferred to other devices.

Completely Automated Public Turing test to tell Computers and Humans Apart (CAPTCHA)

    • To combat automated scripts or bots used in such attacks, deployment of CAPTCHA, which requires users to identify pictures to confirm they are not running automated scripts or similar processes that are not human-based.

Controls to Detect and Prevent “Credential Stuffing”

    • Collect “fingerprints” for suspicious login attempts, including operating system, browser, time zone, etc., and prevent likely automated logins from the same source.
    • Monitor for excessive login attempts or failed logins.
    • Use a web application firewall (WAF) that can detect and protect against automated attacks.
    • Offering or enabling additional controls that can prevent damage in the event an account is taken over such as limited access to fund transfers and Personally Identifiable Information (PII).
    • Monitoring the Dark Web for lists of leaked user IDs and passwords, and performance of tests to evaluate whether current user accounts are susceptible to credential stuffing attacks.

The OCIE further reminds registrants that cybersecurity remains an area of continuing regulatory focus and will likely continue to be a key examination priority in the future.

Contact our team to learn more.