ThinkAdvisor

SEC Warns of Rise in 'Credential Stuffing' Cyberattacks

The Securities and Exchange Commission’s exam division is warning about an increase in cyberattacks against advisors and broker-dealers. These involve “credential stuffing,” in which bad actors target client accounts via compromised client login credentials and can result in loss of customer assets and unauthorized disclosure of personal information.

The agency’s Office of Compliance Inspections and Examinations has observed credential stuffing in recent exams.

Cyber attackers, the OCIE Risk Alert states, obtain lists of usernames, email addresses and corresponding passwords from the dark web.

Then they use automated scripts to try the compromised usernames and passwords on other websites, such as a registrant’s website, in an attempt to log in and gain unauthorized access to customer accounts.

“Credential stuffing is emerging as a more effective way for attackers to gain unauthorized access to customer accounts and/or firm systems than traditional brute force password attacks,” the alert states.

The alert urges advisors and BDs to periodically review their policies and programs, with specific focus on updating password policies to incorporate a recognized password standard that requires password strength, length, character type and change-of-password practices consistent with industry standards.

Firms should also employ multi-factor authentication, which uses multiple “verification methods” to authenticate the person seeking to log in to an account.

OCIE also states that firms should monitor the dark web for lists of leaked user IDs and passwords, and run tests to evaluate whether current user accounts are susceptible to a credential stuffing attack.
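The monitoring OCIE recommends can start with a firm’s own authentication logs. The following added example is not from the alert or this article; its log format, sample lines and thresholds are constructed assumptions. It separates the credential stuffing pattern (many different usernames tried from one source, one or two attempts each) from a brute-force pattern against a single account, and lists the accounts where a leaked credential actually worked:

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not from the article):
# "<ISO timestamp> <source IP> <username> <FAIL|SUCCESS>" per line.
SAMPLE_LOG = """\
2024-05-01T09:00:01Z 203.0.113.7 alice FAIL
2024-05-01T09:00:02Z 203.0.113.7 bob FAIL
2024-05-01T09:00:02Z 203.0.113.7 carol FAIL
2024-05-01T09:00:03Z 203.0.113.7 dave FAIL
2024-05-01T09:00:03Z 203.0.113.7 erin SUCCESS
2024-05-01T09:00:04Z 203.0.113.7 frank FAIL
2024-05-01T09:05:00Z 198.51.100.4 alice FAIL
2024-05-01T09:05:20Z 198.51.100.4 alice FAIL
2024-05-01T09:05:40Z 198.51.100.4 alice SUCCESS
2024-05-01T09:10:00Z 192.0.2.9 bob SUCCESS
"""


def parse_line(line):
    ts, ip, user, outcome = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, outcome == "SUCCESS"


def detect_credential_stuffing(log_text, window=timedelta(minutes=5), min_users=5):
    """Flag source IPs that attempt logins for at least `min_users` distinct
    usernames within any `window`-long span. Many usernames with one or two
    tries each is the stuffing signature; many tries against one username
    (classic brute force) is deliberately not flagged here."""
    events = defaultdict(list)  # ip -> [(timestamp, username, success)]
    for line in log_text.splitlines():
        if line.strip():
            ts, ip, user, ok = parse_line(line)
            events[ip].append((ts, user, ok))
    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        for i, (start, _, _) in enumerate(evs):
            span = [e for e in evs[i:] if e[0] - start <= window]
            users = {u for _, u, _ in span}
            if len(users) >= min_users:
                flagged[ip] = {
                    "distinct_users": len(users),
                    "failures": sum(1 for *_, ok in span if not ok),
                    # Accounts where a stuffed credential worked: these need a
                    # forced password reset and customer notification.
                    "successful_logins": sorted(u for _, u, ok in span if ok),
                }
                break
    return flagged
```

Tune `window` and `min_users` to the firm’s real login volume; a single successful login inside a flagged span is the event that should open an incident, not just an alert.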

© 2024 ALM Global, LLC, All Rights Reserved.