SEC OCIE Warns of Increased Risk of Credential Stuffing

September 17, 2020 by ACA Aponix

On September 15, the U.S. Securities and Exchange Commission’s (SEC) Office of Compliance Inspections and Examinations (OCIE) issued a risk alert (PDF) warning of an increase in the use of the “credential stuffing” tactic in attacks against SEC registrants, including broker-dealers, investment advisers, and investment companies. Credential stuffing involves the use of automated attacks, in which bad actors obtain lists of usernames, email addresses, and passwords from illicit and other sources, and use automated scripts to try to log in and gain unauthorized access to accounts.

This tactic takes advantage of user habits of using the same or similar credentials for different sites, as well as easily guessed login usernames, such as email addresses or full names. With login information from one site and automated credential stuffing scripts, criminals have been increasingly able to gain access to other customer accounts.

Once access has been gained, bad actors can steal assets from customer accounts, gain access to personally identifiable information (PII), infiltrate network and system resources, take over customer or staff accounts, sell credentials on the dark web, and more. Credential stuffing can significantly increase financial, regulatory, legal, and reputational risk to firms.

The frequency and success of these credential stuffing attacks of SEC registrants is increasing and the impact has been felt among service providers to registrants as well. OCIE recommends that registrants take active steps to address this concern such as reviewing and updating Regulation S-P and Regulation S-ID policies and programs and evaluating whether the firm’s customers and personnel are aware of how to better secure accounts. They also listed other practices to protect client accounts they had observed during exams:

  • Policies and procedures
    • Review policies and programs, focusing on updating password policies to include password requirements that are consistent with industry standards (e.g., strength, length, type, frequency of change, etc.).
  • Multi-Factor Authentication (MFA)
    • Use MFA, in which multiple methods of authentication are used during logins (e.g., codes generated by smartphone apps, codes sent by email, device tokens, fingerprints, facial recognition, etc.).
    • Be aware that, though MFA significantly reduces the risks of account takeover, it does not prevent bad actors from identifying which accounts are valid on a site; thus protection against phishing and other social engineering attempts are still needed even when MFA is in use.
    • Be aware that smartphone app use in MFA may not be effective if mobile phones have been compromised, with bad actors potentially gaining access to accounts and phone numbers fraudulently transferred to other devices.
  • Completely Automated Public Turing test to tell Computers and Humans Apart (CAPTCHA)
    • Use CAPTCHA, in which users must take actions to prove they are human during a login attempt (e.g., identify objects in a grid, answer a math problem, identify words against a background of noise, etc.)
  • Detection and prevention controls
    • Implement controls to detect and prevent credential stuffing attacks.
    • Monitor for excessive login attempts or failed logins over a specified period.
    • Collect “fingerprints” for suspicious login attempts, including operating system, browser, time zone, etc., and prevent likely automated logins from the same source.
    • Use a web application firewall (WAF) that can detect and protect against automated attacks.
    • Prevent damage in the event of an account takeover by limiting online access to fund transfers and PII.
    • Monitor the dark web for lists of illicitly obtained user credentials, and, if detected, enforce changes to user login information.

The risk alert further reminds registrants that cybersecurity remains an area of continuing OCIE focus and will likely continue to be a key examination priority in the future

ACA Guidance

ACA Aponix recommends that SEC registrants take heed of the OCIE alert, both as an indicator of future examination priority, and as a strong set of guidelines toward preventing credential stuffing and similar automated cyberattacks in general.

While credential stuffing is not a new technique – in fact, reconnaissance, enumeration, and password reuse are techniques long in use not only by criminals but also by penetration testing teams – the increase in these automated attempts (and the increase in their success) is cause for SEC concern.

As per the alert, firms should maintain a strong focus on enforcing strong methods toward detection and prevention of illegal access to user credentials gained via the use of automated credential stuffing techniques. SEC registrants should review and enhance password policies, and likewise educate staff and customers of the need for complex credentials that are changed from site to site. Firms should use MFA and CAPTCHA techniques to enhance protection. Firms should likewise use tools such as web application firewalls to detect and prevent these illegal activities and protect firm and customer assets.

Additionally, firms would be well-advised to validate credential stuffing control mechanisms via qualified penetration testing efforts. Even a well-designed system could have something that was overlooked, and quality penetration testing (beyond a simple scan masked as a pen-test) will likely find unknown entry points.

How We Help

ACA Aponix offers the following solutions that can help your firm meet SEC regulatory requirements related to cybersecurity, and enhance cybersecurity in general:.

Contact Us

If you have any questions, please contact your ACA Aponix consultant or email us at