Yesterday the Office of Compliance Inspections and Examinations (“OCIE”) issued an alert about safeguarding client accounts against credential compromise that highlighted the issue of “credential stuffing attacks”. Credential stuffing is a type of cyber attack in which large numbers of compromised user credentials are tried against systems by automated means to gain unauthorized access.

Over the past few months we’ve seen a Ransomware Alert, TCW Funds, INC (“TCW”) affected by a cyber breach, our founder Anand Mohabir commenting on a Regulatory Compliance Watch article about incidents affecting various firms, including a firm we recently worked with, and this recent alert. The SEC has been busy.

In the alert the OCIE stresses that credential stuffing attacks have led to successful compromises affecting registered advisers and broker-dealers. Bad actors are gaining access to client accounts to initiate transactions, transfer funds, and access personal information through systems hosted by firms or their third-party vendors. The OCIE highlighted a number of ways firms are currently attempting to protect against credential stuffing attacks:

  1. Policies and Procedures – policies that define password practices and identity access management
  2. Multi-Factor Authentication – requiring users to validate their identity by providing a password and typically a one-time password
  3. CAPTCHA – prevents automated scripts and confirms that a human is attempting to authenticate
  4. Controls to Detect and Prevent – these can vary but in simple terms, having good visibility of who is attempting to authenticate, when they are trying to do so, and where from
  5. Monitoring the Dark Web – find compromised credentials and act before someone attempts to use them.

The OCIE wants to remind you to remain vigilant, and to ensure you are taking the appropriate steps to safeguard your environment and client accounts. We also encourage you to do the same. We stress the importance of developing a program and making sure it works. We have intimate knowledge of this exact attack because we have helped clients deal with the situations described above. If you want to ensure you have a rock-solid cybersecurity program reach out and ask us how we can help you validate this.

As for the methods described above, we wanted to provide additional context, commentary, and advice.

  1. Policies and Procedures – these only work if they are being followed. In our experience most end users are not aware of the actual policies. We encourage firms to train their employees about their policies. This requires tailored training but can be very impactful if done correctly.
  2. Multi-Factor Authentication – this is certainly a great method against password-based attacks, but that does not mean it is perfect. We often see that users have a quick trigger finger and will confirm two-factor authentication requests when using push-based services. While this is convenient, it is also dangerous. You should train your users to look out for unexpected two-factor authentication requests. Optionally you can switch from push-based services to text messages and/or one-time passcodes (OTP).
  3. CAPTCHA – while they will most likely protect against credential stuffing attacks, they will not protect against a human who is attempting to reuse credentials to gain unauthorized access. This type of control is mostly useful for those firms that have their own platform that clients are logging in to. If you are relying on a third party, you are at their mercy.
  4. Controls to Detect and Prevent – this is very broad because there are so many ways to implement it. It can include firewalls, endpoint detection, file and folder monitoring, web filtering, intrusion detection and prevention, vulnerability management, patching, SIEMs, etc. There is no one-size-fits-all approach. Adopting a layered model is the best way to tackle this.
  5. Monitoring the Dark Web – while this may sound fun and exciting, it is no easy feat. The dark web does not work like the regular internet. You need a special browser to access it. There is no Google-equivalent search engine that can help you find what you are looking for; you need to know what you are looking for. For many of the sites on the dark web, you have to be invited by another member to join them. So, as you can see, it is not that easy. Many firms tout monitoring the dark web, but what they are actually doing is getting the same copy of data from general internet sources. It takes lots of resources to “monitor” the dark web.