Risk of Credential Stuffing Attacks on Financial Institutions is Growing
On September 15th, the SEC issued an advisory citing an increase in the number of credential stuffing cyber-attacks against SEC-registered investment advisers, brokers and dealers. The advisory states that the Office of Compliance Inspections and Examinations (OCIE) staff has observed an increase in the frequency of credential stuffing attacks, some of which have resulted in the loss of customer assets and unauthorized access to customer information. It reminds SEC-registered organizations that they must proactively work to mitigate the risks of these attacks, which include financial, regulatory, legal and reputational risk to the firm as well as risk to their investor customers. The advisory calls out Multi-Factor Authentication (MFA), Completely Automated Public Turing test to tell Computers and Humans Apart (CAPTCHA), monitoring for spikes in login and failed-login attempts, use of a Web Application Firewall (WAF) and behavioral detection approaches. It further urges financial institutions to remain vigilant in the face of growing cyberthreats. MFA, CAPTCHA and WAF are valuable components in a layered approach. However, we believe that behavioral detection and machine learning are critical components that build on the other methods cited and are required to guard efficiently against credential stuffing attacks.
What is credential stuffing?
In a credential stuffing attack, criminals attempt to take unauthorized ownership of online accounts using stolen usernames and passwords. Attackers typically buy a list of these credentials on the dark web and launch an army of bots across many sites to test them. In the end, they hold a list of validated credentials they can profit from, either by abusing the accounts directly or by selling the validated credentials to others. Note that credential stuffing attacks are also often referred to as Account Takeover (ATO) attacks.
How does this impact investment advisors, brokers and dealers?
Brokerages and investment advisors manage trillions of dollars of assets, including retirement funds and household savings, in the form of digitized securities. These securities are primarily accessed online or through mobile apps, often secured with nothing more than a password. A successful credential stuffing attack can give criminals access to a brokerage account from which they can fraudulently initiate sell orders and wire transfers, resulting in the loss of customer assets. Such attacks can not only wipe out entire individual investment accounts, but can also cause irreparable damage to the brokerage’s brand reputation.
What is MFA? Is it enough?
Multi-factor authentication (MFA) is an approach to verifying identity that requires more than one credential. A common form is a one-time code sent to a mobile phone or email account that must be entered, after the username and password, before access to the account is granted. While MFA is highly recommended and extremely helpful for protecting enterprise users, most consumer-oriented vendors do not enforce it because they want to streamline the user experience. As a result, many brokerage accounts remain exposed to credential stuffing attacks. If you use a service that supports MFA, we encourage you to enable it on your account for extra security.
What is CAPTCHA? How can it be circumvented?
One of the most common ways to battle bad bots has been to use CAPTCHAs, a challenge-response mechanism that promised an easy way to distinguish between a bot and a human. Used on millions of sites, CAPTCHA is employed to help prevent bots from submitting forms, executing logins and accessing sensitive pages or processes. In its early days, CAPTCHA required users to read distorted text and submit it in a form. Today, Google reCAPTCHA is the dominant form of CAPTCHA technology in use; it relies on the user identifying specific objects among a series of pictures in order to move forward on a site. There are two fundamental problems with CAPTCHAs: they disrupt the user experience on a website or web application, and they are decreasing in efficacy. Bots are getting better at bypassing CAPTCHA challenges, some with a 90% success rate, and a number of CAPTCHA-solving technologies and services are available to attackers today. Attackers choose the solver that works best against the type of CAPTCHA used on a target site.
Can a WAF stop credential stuffing?
While WAFs help with the OWASP Top Ten risks, they are not as effective at detecting ATO attacks. That is because ATO attacks abuse business logic rather than protocols, so each individual login looks legitimate and does not trigger alerts. Oftentimes they are highly distributed, low-and-slow attacks that are completely invisible to WAFs, which can neither detect nor mitigate them.
Controls to detect and prevent credential compromise
The SEC advisory recommends additional controls that financial services firms can implement to detect and prevent credential stuffing attacks. From the recent SEC advisory: “Implementation of controls to detect and prevent credential stuffing attacks. This can include monitoring for a higher-than-usual number of login attempts over a given time period, or a higher-than-usual number of failed logins over a given time period.”
“Firms then use tools to collect information about user devices and create a ‘fingerprint’ for each incoming session. The fingerprint is a combination of parameters such as operating system, language, browser, time zone, user agent, etc. For example, if the same combination of parameters logged in several times in rapid sequence, it is more likely to be a brute force or credential stuffing attack.”
This is exactly the approach taken by PerimeterX Bot Defender to protect web and mobile apps against credential stuffing and account takeover (ATO) attacks. Bot Defender is a cloud-native solution that uses advanced machine learning techniques, predictive models and security research to block a wide range of automated attacks, while preserving page load performance and user experience. Additionally, Bot Defender goes far beyond the "declarative" identifiers that the SEC specifies as part of fingerprinting. Bot Defender adds data to make highly accurate detection possible, including code that collects indicators from challenges beyond CAPTCHA, as well as device and user data that can only be collected from the client side. This includes screen resolution, rendering engine, user-interaction events, battery and sensor data.
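The two controls quoted from the SEC advisory above (a higher-than-usual number of failed logins over a period, and one session fingerprint logging in many times in rapid sequence), as an added Python example that is neither the SEC's nor PerimeterX's code: the event format, the sample events and the thresholds are constructed assumptions, and the fingerprint is built only from the declarative parameters the advisory lists.

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample login events, not real traffic:
# (timestamp, username, outcome, os, language, browser, time_zone, user_agent)
SAMPLE_EVENTS = [
    ("2020-09-15T10:00:00", "alice", "fail", "Windows", "en-US", "Chrome", "UTC-5", "UA-A"),
    ("2020-09-15T10:00:02", "bob", "fail", "Windows", "en-US", "Chrome", "UTC-5", "UA-A"),
    ("2020-09-15T10:00:04", "carol", "fail", "Windows", "en-US", "Chrome", "UTC-5", "UA-A"),
    ("2020-09-15T10:00:06", "dave", "success", "Windows", "en-US", "Chrome", "UTC-5", "UA-A"),
    ("2020-09-15T10:00:08", "erin", "fail", "Windows", "en-US", "Chrome", "UTC-5", "UA-A"),
    ("2020-09-15T10:01:00", "frank", "fail", "macOS", "en-GB", "Safari", "UTC+0", "UA-B"),
    ("2020-09-15T10:05:00", "frank", "success", "macOS", "en-GB", "Safari", "UTC+0", "UA-B"),
]

def fingerprint(event):
    """Combine the declarative parameters the advisory lists into one session fingerprint."""
    return event[3:]

def detect_stuffing(events, window_seconds=60, min_attempts=5, min_accounts=3):
    """Return fingerprints that, within any sliding window, reach min_attempts
    logins spread over min_accounts distinct usernames. A human retrying one
    password touches one account; a bot replaying a leaked list touches many."""
    by_fp = defaultdict(list)
    for ev in events:
        by_fp[fingerprint(ev)].append((datetime.fromisoformat(ev[0]), ev[1], ev[2]))
    window, flagged = timedelta(seconds=window_seconds), {}
    for fp, attempts in by_fp.items():
        attempts.sort(key=lambda a: a[0])
        start = 0
        for end in range(len(attempts)):
            while attempts[end][0] - attempts[start][0] > window:
                start += 1  # slide the window forward past stale attempts
            span = attempts[start:end + 1]
            accounts = {user for _, user, _ in span}
            if len(span) >= min_attempts and len(accounts) >= min_accounts:
                flagged[fp] = {"attempts": len(span), "accounts": len(accounts),
                               "failures": sum(1 for _, _, o in span if o == "fail")}
                break  # one hit per fingerprint is enough to raise an alert
    return flagged

def peak_failed_logins(events, window_seconds=60):
    """Site-wide check: largest failed-login count in any window, to compare with the firm's baseline."""
    times = sorted(datetime.fromisoformat(e[0]) for e in events if e[2] == "fail")
    window, start, peak = timedelta(seconds=window_seconds), 0, 0
    for end in range(len(times)):
        while times[end] - times[start] > window:
            start += 1
        peak = max(peak, end - start + 1)
    return peak
```

On the sample data the Chrome/Windows fingerprint is flagged (five accounts in eight seconds, four of them failures) while frank's own retry on Safari is not, and the site-wide peak of five failed logins in a minute is what would be compared against the firm's normal rate.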
Stop credential compromise with Bot Defender
Named a leader in Bot Management by Forrester, Bot Defender delivers unparalleled bot detection accuracy, integrates with any existing infrastructure, scales on demand and is bundled with an always-available security operations service. Using Bot Defender in conjunction with good security hygiene will ensure that your investment firm or brokerage protects customer assets and preserves its brand reputation. To learn more, request a demo of the Bot Defender solution today.