OCIE has released a risk alert regarding credential stuffing in the context of compliance with Regulation S-P and Regulation S-ID, and is encouraging firms to both (i) review and update their policies and procedures to address the risks associated with credential stuffing and (ii) consider proactive outreach to customers regarding measures taken to safeguard their accounts and personally identifiable information. The alert specifically warns of the regulatory, legal, financial, and reputational risks associated with successful credential stuffing attacks, as well as the risks to investors.
To mitigate the risk of credential stuffing attacks, the alert highlights certain measures and controls to protect internet-facing systems, which are benchmarked against NIST 800-63-3, Digital Identity Guidelines. These include:
- Strong password policies and procedures, implemented according to a recognized password standard, with criteria for password strength, length, type, and cadence for changes.
- The use of multi-factor authentication (MFA) to prevent fraudulent logins. The alert notes that although MFA is not effective in preventing threat actors from identifying which user accounts may be valid, using more than two factors to authenticate offers increasing protection.
- The use of CAPTCHA to thwart bots or automated scripts used in credential stuffing attacks.
- Enhanced monitoring, such as baselining and alerting on anomalous login activity.
- Use of Web Application Firewalls (WAFs) to detect and limit potential attacks.
- Penetration testing to gauge whether user accounts are susceptible to credential stuffing attacks.
- Dark web monitoring to assess whether user credentials are available on the dark web.
- Additional efforts to educate customers regarding this risk and to encourage their use of unique, strong passwords that are not used to access other sites or online accounts.
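The "baselining and alerting on anomalous login activity" item above is the one a detection engineer has to turn into concrete logic. The following is an added illustration, not code from the OCIE alert or any firm's program, of the simplest credential-stuffing signature: one source address attempting many distinct usernames in a short window with a high failure rate. The log format and the sample lines are constructed assumptions; the thresholds are placeholders that a firm would tune against its own baseline.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of an authentication log (not from any real system):
# "<ISO-8601 timestamp> <source IP> <username> <SUCCESS|FAIL>".
# 203.0.113.7 cycles through many distinct usernames and lands one valid
# credential; 198.51.100.20 is a single user mistyping a password twice.
SAMPLE_LOG = """\
2020-09-15T10:00:01Z 203.0.113.7 alice FAIL
2020-09-15T10:00:02Z 203.0.113.7 bob FAIL
2020-09-15T10:00:03Z 203.0.113.7 carol FAIL
2020-09-15T10:00:04Z 203.0.113.7 dave SUCCESS
2020-09-15T10:00:05Z 203.0.113.7 erin FAIL
2020-09-15T10:00:06Z 203.0.113.7 frank FAIL
2020-09-15T10:01:10Z 198.51.100.20 bob FAIL
2020-09-15T10:01:25Z 198.51.100.20 bob FAIL
2020-09-15T10:01:40Z 198.51.100.20 bob SUCCESS
"""
EPOCH = datetime(1970, 1, 1)


def parse_log(text):
    """Yield (timestamp, source_ip, username, succeeded) per log line."""
    for line in text.splitlines():
        if line.strip():
            ts, ip, user, outcome = line.split()
            yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, outcome == "SUCCESS"


def detect_credential_stuffing(events, window=timedelta(minutes=5),
                               min_distinct_users=5, min_fail_ratio=0.6):
    """Flag (source IP, time window) pairs that try many distinct usernames
    with mostly failures. A legitimate user retrying one account never trips
    this; a list replay does. Accounts that succeeded inside a flagged window
    are the likely takeovers and are returned for forced reset / notification."""
    buckets = defaultdict(lambda: {"users": set(), "fail": 0, "total": 0, "hits": set()})
    for ts, ip, user, ok in events:
        b = buckets[(ip, (ts - EPOCH) // window)]  # fixed-size time bucket per IP
        b["users"].add(user)
        b["total"] += 1
        if ok:
            b["hits"].add(user)
        else:
            b["fail"] += 1
    findings = []
    for (ip, bucket), b in sorted(buckets.items()):
        ratio = b["fail"] / b["total"]
        if len(b["users"]) >= min_distinct_users and ratio >= min_fail_ratio:
            findings.append({"ip": ip, "window_start": EPOCH + bucket * window,
                             "distinct_users": len(b["users"]),
                             "fail_ratio": round(ratio, 2),
                             "compromised": sorted(b["hits"])})
    return findings


if __name__ == "__main__":
    for finding in detect_credential_stuffing(parse_log(SAMPLE_LOG)):
        print(finding)
```

In production the same logic would run over the firm's real authentication events with a window and thresholds derived from its observed baseline, and the `compromised` list would feed the customer-notification step the alert encourages.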
This alert is very much in line with recent OCIE risk alerts that are increasingly specific and can be read as a checklist for Legal, Compliance, and Information Security personnel to compare against a firm's stated policies and procedures and actual practices, to ensure that the firm's approach to securing customer accounts is aligned with OCIE's view of Regulation S-P and Regulation S-ID compliance.