Member Article

OCIE’s most recent Risk Alert, published Sept. 15, 2020, address another cybersecurity issue, this time highlighting the dangers of “credential stuffing.” Credential stuffing is a method of cyberattack that uses compromised client login credentials and can lead to loss of customer assets and the disclosure of confidential or other personal information. Hackers will obtain groups or lists of usernames, email addresses, and their passwords from sellers on the dark web. They then attempt to use these compromised usernames and passwords from the original site to gain access to other websites. If successful, this process can enable bad actors to access a firm’s customer accounts. If undetected, these attacks can eventually allow hackers to gain access to firms’ systems and steal assets from customer accounts, access confidential information as well as additional login credentials/website information which can be resold to others on the dark web.

According to OCIE, there has been a recent increase in the prevalence of such attacks. OCIE is urging firms to take proactive steps to mitigate the risks of credential stuffing. OCIE has identified two of the largest online behaviors that lead to successful attacks, which are (1) individuals using the same password or minor variations of the same password for various online accounts, and/or (2) individuals using login names that are easily guessed, such as email addresses or full names.

As stated above, firms should be proactive in their efforts to combat credential stuffing. Some of the methods referenced by OCIE for consideration by firms include:

• Periodic review and updating of password policies or requiring a minimum password strength;
• Multi-factor authentication;
• Using systems that require a user to perform an action to prove they are human, like clicking on each picture of a car;
• Monitoring for higher-than-usual login attempts;
• Informing and educating clients on the importance of password construction, maintenance and protection; and
• Ensuring that if employee mobile phones are no longer operative, or if a number is transferred, that multi-factor authentication no longer utilizes these mobile phones.