Risk of Credential Stuffing Attacks on Financial Institutions is Growing
On September 15th, the SEC issued an advisory citing an increase in the number of credential stuffing cyber-attacks against SEC-registered investment advisers, brokers and dealers. The advisory states that the Office of Compliance Inspections and Examinations (OCIE) staff has observed an increase in the frequency of credential stuffing attacks, some of which have resulted in the loss of customer assets and unauthorized access to customer information. It reminds SEC-registered organizations that they must proactively work to mitigate the risks of these attacks, which include financial, regulatory, legal and reputational risk to the firm as well as risk to their investor customers. The advisory calls out Multi-Factor Authentication (MFA), Completely Automated Public Turing test to tell Computers and Humans Apart (“CAPTCHA”), monitoring for spikes in login and failed login attempts, use of a Web Application Firewall (WAF), and behavioral detection approaches. It further urges financial institutions to remain vigilant in the face of growing cyberthreats. MFA, CAPTCHA and WAF are valuable components of a layered approach. However, we believe that behavioral detection and machine learning are critical components that build on the other methods cited and are required to guard efficiently against credential stuffing attacks.
What is credential stuffing?
In a credential stuffing attack, criminals attempt to take unauthorized ownership of online accounts using stolen usernames and passwords. Attackers typically buy a list of these credentials on the dark web and launch an army of bots across sites to test them. In the end, they get a list of validated credentials they can profit from by abusing the accounts or by selling the validated credentials to others. Note that credential stuffing attacks are also often referred to as Account Takeover (ATO) attacks.
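The attack pattern just described (one source working through a purchased list, most attempts failing, an occasional success) and the advisory's recommendation to monitor for spikes in login and failed-login attempts both reduce to counting over authentication logs. The following is an added example written for this page, not PerimeterX code or part of the SEC advisory. It assumes a simple key=value login-event format invented here, uses constructed sample log lines, and applies illustrative thresholds that a real deployment would tune against its own baseline:

```python
"""Credential-stuffing detection over constructed login-event log lines.

Added example, not PerimeterX or SEC code. The `ts ip= user= result=` line
format, the sample data and the thresholds are all assumptions made here.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
import re

# Hypothetical log format: "<ISO timestamp>Z ip=<src> user=<name> result=OK|FAIL"
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+ip=(?P<ip>\S+)\s+user=(?P<user>\S+)\s+result=(?P<result>OK|FAIL)$"
)

# Constructed sample: one source cycling through many different usernames with
# almost all failures (one stolen credential happens to still be valid), plus a
# legitimate user who mistypes a password once and then logs in.
SAMPLE_LOG = """\
2020-09-15T10:00:01Z ip=203.0.113.5 user=alice result=FAIL
2020-09-15T10:00:02Z ip=203.0.113.5 user=bob result=FAIL
2020-09-15T10:00:02Z ip=203.0.113.5 user=carol result=FAIL
2020-09-15T10:00:03Z ip=203.0.113.5 user=dave result=OK
2020-09-15T10:00:03Z ip=203.0.113.5 user=erin result=FAIL
2020-09-15T10:00:04Z ip=203.0.113.5 user=frank result=FAIL
2020-09-15T10:00:04Z ip=203.0.113.5 user=grace result=FAIL
2020-09-15T10:00:05Z ip=203.0.113.5 user=heidi result=FAIL
2020-09-15T10:00:10Z ip=198.51.100.7 user=ivan result=FAIL
2020-09-15T10:00:25Z ip=198.51.100.7 user=ivan result=OK
"""


@dataclass
class SourceStats:
    """Per (source IP, time bucket) counters."""
    attempts: int = 0
    failures: int = 0
    users: set = field(default_factory=set)


def parse_line(line):
    """Parse one log line; return (timestamp, ip, user, result) or None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None  # unparseable lines are skipped rather than counted
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, m["ip"], m["user"], m["result"]


def detect_stuffing(log_text, window=timedelta(minutes=5), min_users=5, min_fail_ratio=0.8):
    """Flag sources that try many distinct usernames with mostly failures
    inside one fixed-size time bucket. A single user retrying their own
    password does not trip this because the distinct-user count stays at 1."""
    secs = window.total_seconds()
    stats = defaultdict(SourceStats)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, ip, user, result = rec
        s = stats[(ip, int(ts.timestamp() // secs))]
        s.attempts += 1
        s.users.add(user)
        if result == "FAIL":
            s.failures += 1
    alerts = []
    for (ip, bucket), s in stats.items():
        ratio = s.failures / s.attempts
        if len(s.users) >= min_users and ratio >= min_fail_ratio:
            alerts.append({
                "ip": ip,
                "window_start": datetime.fromtimestamp(bucket * secs, tz=timezone.utc).isoformat(),
                "attempts": s.attempts,
                "failures": s.failures,
                "distinct_users": len(s.users),
                "fail_ratio": round(ratio, 3),
            })
    return sorted(alerts, key=lambda a: (a["window_start"], a["ip"]))


def failed_login_spike(log_text, baseline_fails_per_minute=2.0, factor=3.0):
    """Return minutes whose site-wide failed-login count exceeds the baseline
    by `factor`. This complements the per-source rule: a list sprayed from
    many IPs stays under the per-source thresholds but still shows up here."""
    per_minute = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, _ip, _user, result = rec
        if result == "FAIL":
            per_minute[ts.strftime("%Y-%m-%dT%H:%M")] += 1
    return sorted(m for m, n in per_minute.items() if n > baseline_fails_per_minute * factor)


if __name__ == "__main__":
    for alert in detect_stuffing(SAMPLE_LOG):
        print("credential-stuffing source:", alert)
    print("failed-login spike minutes:", failed_login_spike(SAMPLE_LOG))
```

On the sample data the per-source rule flags 203.0.113.5 (8 attempts, 8 distinct usernames, 7 failures) and ignores 198.51.100.7, while the site-wide rule reports the 10:00 minute as a failed-login spike. The one successful login inside the flagged run is exactly the signal worth escalating: a validated credential the attacker can now use, which is why the advisory pairs monitoring with MFA rather than relying on either alone.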
How does this impact investment advisors, brokers and (Read more...)
*** This is a Security Bloggers Network syndicated blog from PerimeterX Blog authored by PerimeterX Blog. Read the original post at: https://www.perimeterx.com/resources/blog/2020/latest-sec-alert-highlights-need-for-a-new-approach-to-credential-stuffing/