SEC Looks to Tamp Down Credential Stuffing
The SEC's compliance arm is encouraging banks and financial institutions to remain vigilant in the face of an uptick in credential stuffing attacks.
Credential stuffing campaigns, essentially brute force attacks in which automated tools attempt to log in to accounts using passwords leaked in previous data breaches, are nothing new but continue to be a problem for some industries.
The financial industry in particular has dealt with a rash of cyberattacks leveraging the technique of late, enough for the United States Securities and Exchange Commission to issue a warning outlining the dangers of credential stuffing last week.
The warning, which the SEC's Office of Compliance Inspections and Examinations (OCIE) calls a "Risk Alert," says the office has observed an increase in cyberattacks targeting SEC-registered investment advisers, brokers and dealers. The OCIE says the attacks it has seen have been successful, resulting in the loss of customer assets and unauthorized access to customer information.
The fact that banks and other financial institutions usually publish the names of employees on their websites could put them at risk. Attackers need a name, which can sometimes be half of what's needed to initiate a transaction or transfer funds from a compromised customer's account via an internet-facing website.
When users reuse the same or a similar password for their banking account and another online account, and when they use an easily guessable username, like their email address or their full name, it makes things that much easier for attackers.
OCIE is advising firms to do a few things, like review and update their Regulation S-P and Regulation S-ID policies and programs. Regulation S-P asks firms to have written policies and procedures on the books around how customer records and information are protected. Regulation S-ID is a set of requirements firms need to follow around preventing identity theft.
OCIE also says firms should make sure customers and staff are aware of the dangers of reusing passwords from other sites and, where multi-factor authentication is in place, that account owners understand it's not a failsafe. Some attackers, via a SIM swap attack, can transfer a phone number to another device, defeating MFA that relies on that phone number.
While OCIE didn't outright endorse the following measures, it did say that several firms have implemented them to better protect their clients' accounts:
- Periodically reviewing password policies and programs, and deploying a recognized password standard covering length, character types and how often passwords are changed.
- Using MFA; the more factors employed, the more robust the authentication system.
- Using CAPTCHA to prevent scripts or bots from carrying out credential stuffing attacks.
- Deploying controls to detect and prevent attacks, such as watching for an unusual uptick in login attempts and using the data gathered to fingerprint incoming sessions.
- Using a Web Application Firewall that can detect and stop credential stuffing attacks.
- Monitoring the dark web for leaked user IDs and passwords.
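As an added illustration of the "watch for an unusual uptick in login attempts" control above (example code written for this page, not from the OCIE alert or any firm), the following Python scans constructed login records per source IP for a sliding window with many distinct usernames and a high failure rate, the signature that separates credential stuffing from one customer mistyping a password, and reports any accounts that succeeded inside such a burst. The log format and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample login records (not from any real system).
# First IP sprays six different usernames in five seconds; second IP is
# one user retrying their own password, which should not be flagged.
SAMPLE_LOG = """\
2020-09-22T10:00:01Z ip=198.51.100.7 user=alice result=fail
2020-09-22T10:00:02Z ip=198.51.100.7 user=bob result=fail
2020-09-22T10:00:02Z ip=198.51.100.7 user=carol result=fail
2020-09-22T10:00:03Z ip=198.51.100.7 user=dave result=fail
2020-09-22T10:00:04Z ip=198.51.100.7 user=erin result=success
2020-09-22T10:00:05Z ip=198.51.100.7 user=frank result=fail
2020-09-22T10:05:00Z ip=203.0.113.9 user=alice result=fail
2020-09-22T10:05:30Z ip=203.0.113.9 user=alice result=fail
2020-09-22T10:06:00Z ip=203.0.113.9 user=alice result=success
"""

def parse_line(line):
    """Parse one 'timestamp key=value ...' record into a dict (assumed format)."""
    ts_str, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return rec

def detect_stuffing(log_text, window=timedelta(minutes=5),
                    min_attempts=5, min_users=4, min_fail_rate=0.7):
    """Return {ip: summary} for IPs whose attempts within any sliding window
    hit many distinct usernames with a high failure rate; thresholds assumed."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            rec = parse_line(line)
            by_ip[rec["ip"]].append(rec)
    flagged = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(recs)):
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1                      # slide window forward
            win = recs[start:end + 1]
            users = {r["user"] for r in win}
            fails = sum(r["result"] == "fail" for r in win)
            if (len(win) >= min_attempts and len(users) >= min_users
                    and fails / len(win) >= min_fail_rate):
                # Keep the widest qualifying window; successes inside it are
                # the accounts to lock and review first.
                flagged[ip] = {"attempts": len(win), "distinct_users": len(users),
                               "fail_rate": round(fails / len(win), 2),
                               "successes": sorted(r["user"] for r in win
                                                   if r["result"] == "success")}
    return flagged
```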
OCIE makes a point of highlighting that there's considerable risk in failing to mitigate attacks like these; firms can open themselves up to financial, regulatory, legal and reputational scrutiny.
On the whole, OCIE's recommendations are just that: recommendations. OCIE reiterates in the guidance that its Risk Alert documents aren't rules, regulations or even statements attributed to the SEC. The document puts the onus on the firms themselves to evaluate the safeguards they have in place and decide whether updates are needed. Still, it's impossible to ignore that failing to implement one, if not more, of these measures could leave firms open to attack.