SEC warns of rise in 'credential stuffing' cyberattacks

Client login credentials that are compromised can result in loss of customer assets and unauthorized disclosure of personal information.

The SEC alert urges advisors and BDs to periodically review policies and programs with a specific focus on updating password policies to incorporate a recognized password standard. (Photo: Shutterstock)

The Securities and Exchange Commission’s (SEC) exam division is warning about an increase in cyberattacks against advisors and broker-dealers. These involve “credential stuffing,” in which bad actors target client accounts via compromised client login credentials and can result in loss of customer assets and unauthorized disclosure of personal information.

The agency’s Office of Compliance Inspections and Examinations has observed the credential stuffing in recent exams.

Cyber attackers, the OCIE Risk Alert states, obtain lists of usernames, email addresses and corresponding passwords from the dark web.

Then they use automated scripts to try the compromised user names and passwords on other websites, such as a registrant’s website, in an attempt to log in and gain unauthorized access to customer accounts.

“Credential stuffing is emerging as a more effective way for attackers to gain unauthorized access to customer accounts and/or firm systems than traditional brute force password attacks,” the alert states.

The alert urges advisors and BDs to periodically review policies and programs with specific focus on updating password policies to incorporate a recognized password standard requiring strength, length, type, and change of passwords practices that are consistent with industry standards.

Firms should also employ multi-factor authentication, which uses multiple “verification methods” to authenticate the person seeking to log in to an account.

Monitoring the Dark Web for lists of leaked user IDs and passwords, and performance of tests to evaluate whether current user accounts are susceptible to credential stuffing attack, should also be performed, OCIE states.

Related: