OCIE RISK ALERT—Cybersecurity: Safeguarding Client Accounts against Credential Compromise 

by Kevin S. Woodard

Published: October, 2020

Submission: October, 2020


OCIE’s most recent Risk Alert, published Sept. 15, 2020, addresses another cybersecurity issue, this time highlighting the dangers of “credential stuffing.” Credential stuffing is a method of cyberattack that uses compromised client login credentials and can lead to the loss of customer assets and the disclosure of confidential or other personal information. Hackers obtain lists of usernames, email addresses and the passwords associated with them from sellers on the dark web. They then try those compromised username and password pairs, originally leaked from one site, against other websites. If the attempt succeeds, it can give bad actors access to a firm’s customer accounts. If undetected, these attacks can eventually allow hackers to gain access to firms’ systems, steal assets from customer accounts, access confidential information and harvest additional login credentials and website information, which can in turn be resold to others on the dark web.


According to OCIE, such attacks have recently become more prevalent, and OCIE is urging firms to take proactive steps to mitigate the risk of credential stuffing. OCIE identifies two of the most common user behaviors that lead to successful attacks: (1) individuals reusing the same password, or minor variations of it, across multiple online accounts, and/or (2) individuals using login names that are easily guessed, such as email addresses or full names.


As noted above, firms should be proactive in combating credential stuffing. Methods OCIE suggests firms consider include:


  • Periodically reviewing and updating password policies, or requiring a minimum password strength;
  • Multi-factor authentication;
  • Using systems that require a user to perform an action to prove they are human, such as clicking on each picture of a car;
  • Monitoring for higher-than-usual numbers of login attempts;
  • Informing and educating clients about the importance of password construction, maintenance and protection; and
  • Ensuring that multi-factor authentication no longer relies on employee mobile phones that are out of service or whose numbers have been transferred.
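Monitoring for higher-than-usual login attempts can be made concrete. The detector below is an added example, not part of the OCIE alert or of this article: it parses constructed authentication log lines and flags a source address whose failed logins spread across many distinct usernames within a short window, which distinguishes credential stuffing from one user mistyping a password or from a brute-force attack on a single account. The log format, thresholds and IP addresses are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log (not real data), format "<ISO timestamp> <OK|FAIL> <user> <source IP>":
# one source cycles through many usernames (stuffing), one user mistypes twice, one source hammers one account.
SAMPLE_LOG = "\n".join(
    [f"2020-09-15T09:00:{i:02d} FAIL user{i:02d} 203.0.113.7" for i in range(12)]
    + ["2020-09-15T09:01:00 FAIL carol 198.51.100.5",
       "2020-09-15T09:01:20 FAIL carol 198.51.100.5",
       "2020-09-15T09:01:45 OK carol 198.51.100.5",
       "2020-09-15T09:02:00 OK dave 192.0.2.9"]
    + [f"2020-09-15T09:03:{i:02d} FAIL erin 198.51.100.77" for i in range(10)]
)

LINE_RE = re.compile(r"^(\S+) (OK|FAIL) (\S+) (\S+)$")

def parse_log(text):
    """Parse log lines into (timestamp, result, user, ip) tuples, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, result, user, ip = m.groups()
            events.append((datetime.fromisoformat(ts), result, user, ip))
    return events

def find_stuffing_sources(events, window=timedelta(minutes=5), min_failures=10, min_users=5):
    """Return source IPs whose failures within `window` hit many distinct usernames. Many failures
    on one account looks like brute force; many failures across many accounts is the stuffing signature."""
    by_ip = defaultdict(list)
    for ts, result, user, ip in events:
        if result == "FAIL":
            by_ip[ip].append((ts, user))
    flagged = {}
    for ip, fails in by_ip.items():
        fails.sort()
        start, best = 0, None
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > window:  # slide the window forward in time
                start += 1
            span = fails[start:end + 1]
            users = {u for _, u in span}
            if len(span) >= min_failures and len(users) >= min_users:
                if best is None or len(span) > best["failures"]:
                    best = {"failures": len(span), "distinct_users": len(users)}
        if best:
            flagged[ip] = best
    return flagged
```

With the default thresholds only the source cycling through twelve usernames is flagged; the single-account hammering is left to a separate brute-force or account-lockout rule.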


© World Services Group, 2021