SEC Risk Alert Identifies ‘Credential Stuffing’ Hacking Technique

‘Credential stuffing’ is a method of cyberattack to client accounts that uses compromised client login credentials, resulting in the possible loss of customer assets and unauthorized disclosure of sensitive personal information.

The U.S. Securities and Exchange Commission (SEC) has published a new Risk Alert, highlighting the hacking technique known as “credential stuffing.”

As explained by the SEC, credential stuffing is an evolving cyberattack method that uses compromised client login credentials, resulting in the possible loss of customer assets and unauthorized disclosure of sensitive personal information. The SEC’s Office of Compliance Inspections and Examinations (OCIE) has observed in recent examinations an increase in the number of cyberattacks against SEC-registered investment advisers and brokers/dealers using various forms of credential stuffing.

“Credential stuffing is an automated attack on web-based user accounts as well as direct network login account credentials,” the SEC says. “Attackers obtain lists of usernames, email addresses, and corresponding passwords from the ‘dark web’ and then use automated scripts to try the compromised user names and passwords on other websites, such as a registrant’s website, in an attempt to log in and gain unauthorized access to customer accounts.”

The SEC warns that, as hackers become more and more sophisticated, credential stuffing is emerging as a highly effective way for attackers to gain unauthorized access to customer accounts and/or firm systems than traditional brute force password attacks.

“When a credential stuffing attack is successful, bad actors can use the access to the customer accounts to gain access to firms’ systems, where they are able to steal assets from customer accounts, access confidential customer information, obtain login credential/website information that they can sell to other bad actors on the dark web, gain access to network and system resources, or monitor and/or take over a customer’s or staff member’s account for other purposes,” the SEC warns.

The SEC says successful attacks of this nature occur more often when individuals use the same password or minor variations of the same password for various online accounts, or when individuals use login usernames that are easily guessed, such as email addresses or full names.

The Risk Alert covers a number of strategies that firms have put in place to attempt to stymie these types of attacks, including the use of multi-factor authentication, which requires multiple verification methods to authenticate the person seeking to log in to an account. The strength of authentication systems is largely determined by the number and type of factors, the SEC says.

The SEC also points to certain often-overlooked shortcomings of multi-factor authentication. For example, even when properly implemented, this security strategy cannot necessarily prevent bad actors from identifying which accounts are valid user accounts on the targeted website. Identified accounts may in turn become the targets of future attacks, and information concerning the existence and validity of the accounts may be sold to other bad actors, who may attempt to pass the final verification step through other means, such as phishing emails, online research of targeted individuals and social engineering.

«