FINRA has received an increasing number of reports regarding ATO incidents, which involve bad actors using compromised customer information, such as login credentials, to gain unauthorized entry to customers’ online brokerage accounts. As such, the self-regulatory authority has released a Regulatory Notice aimed at protecting customers from online account takeover attempts.
The Notice outlines the recent increase in ATO incidents; reiterates firms’ regulatory obligations to protect customer information; and discusses common challenges firms identified in safeguarding customer accounts against ATO attacks, as well as practices they find effective in mitigating risks from ATOs—including recent innovations—which firms may consider for their cybersecurity programs.
Customer ATOs have been a recurring issue, but reports to FINRA about such attacks have increased as more firms offer online accounts and more investors conduct transactions in these accounts, in part due to the proliferation of mobile devices and applications (i.e., “apps”) and the reduced accessibility of firms’ physical locations during the COVID-19 pandemic.
FINRA reminds member firms of their obligations to protect sensitive customer data, as well as to verify the identity of, and know the essential facts concerning, every customer. Applicable rules include FINRA Rule 2090 (Know Your Customer), SEC Regulation S-P (Rule 30), SEC Regulation S-ID and the Customer Identification Program (CIP).
Below are some examples of ways firms can work to better protect customer accounts:
Verifying Customers’ Identities When Establishing Online Accounts
Firms that onboard customers online should verify potential customers’ identities by:
- validating identifying information or documents that applicants provide (e.g., Social Security number (SSN), address, driver’s license), including, for example, through “likeness checks”; and
- asking applicants follow-up questions or requesting additional documents to validate their identities, based on information from credit bureaus, credit reporting agencies or firms providing digital identity intelligence (e.g., automobile and home purchases).
Authenticating Customers’ Identities During Login Attempts
Most firms have embraced multifactor authentication (MFA) as a key control that significantly reduces the likelihood that bad actors can take over a customer’s account. FINRA has found that some of these firms required all customers to use MFA; others required it only for customers whose accounts had been compromised; and others simply encouraged customers to adopt it.
Unlike single-factor authentication (e.g., a password), MFA uses two or more different types of factors or secrets—such as a password and a code sent via a Short Message Service (SMS) text message or an authentication app—which significantly reduces the likelihood that the exposure of a single credential will result in account compromise. A number of firms are encouraging customers to adopt MFA by establishing streamlined MFA methods, such as customers entering their login credentials on trusted devices.
Back-End Monitoring and Controls
Firms should conduct ongoing surveillance of both individual customer accounts and across these accounts to prevent, detect and mitigate ATO threats. This includes, for example:
- monitoring at the customer account level for anomalies, such as indications of ATO attempts at the login level (e.g., a significant increase in the number of failed logins for a specific account within a brief time period);
- monitoring across customers’ accounts for indications of credential stuffing or other large-scale attacks (e.g., significant increases in the number of login attempts and failed logins across a large number of accounts);
- monitoring emails received from customers for red flags of social engineering (e.g., problems with grammar or spelling; unexpected attachments, apps or links); and
- establishing back-end controls to prevent bad actors from moving money out of customer accounts, such as requiring a confirmation phone call with the customer, using an established phone number, when suspicious activity is detected in their account (e.g., a withdrawal from an online brokerage account into a newly established bank account).
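A worked illustration of the first two monitoring bullets, added here as an example and not part of the Notice or any firm’s actual tooling: it scans a constructed authentication log with two sliding windows, one per account (many failures on a single account in a short period) and one across all accounts (failures spread over many distinct accounts, the signature of credential stuffing). The log line format, the account names, the sample traffic and the thresholds are all assumptions made for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed thresholds for this example; a firm would calibrate them against its own
# baseline login traffic rather than reuse these numbers.
ACCOUNT_FAIL_THRESHOLD = 5             # failures on one account ...
ACCOUNT_WINDOW = timedelta(minutes=2)  # ... inside this window => targeted ATO attempt
FLEET_DISTINCT_THRESHOLD = 10          # distinct accounts with a failure ...
FLEET_WINDOW = timedelta(minutes=5)    # ... inside this window => credential stuffing


def parse_line(line):
    """Parse a constructed log line '<ISO timestamp> <account> <LOGIN_OK|LOGIN_FAIL>'."""
    ts, account, outcome = line.split()
    return datetime.fromisoformat(ts), account, outcome


def build_sample_log():
    """Constructed authentication log (not real data): ordinary traffic, a burst of
    failures against one account, then one failure each on many accounts."""
    base = datetime(2024, 3, 1, 9, 0, 0)

    def line(offset, account, outcome):
        return f"{(base + offset).isoformat()} {account} {outcome}"

    lines = [
        line(timedelta(0), "acct-1001", "LOGIN_OK"),
        line(timedelta(seconds=30), "acct-1002", "LOGIN_FAIL"),  # one mistyped password
        line(timedelta(seconds=45), "acct-1002", "LOGIN_OK"),
    ]
    # Targeted attempt: six failures against acct-1003 within 40 seconds.
    lines += [line(timedelta(minutes=1, seconds=8 * i), "acct-1003", "LOGIN_FAIL") for i in range(6)]
    # Credential stuffing: one failure on each of twelve accounts over about three minutes.
    lines += [line(timedelta(minutes=10, seconds=15 * i), f"acct-{2000 + i}", "LOGIN_FAIL")
              for i in range(12)]
    return lines


def detect_anomalies(lines):
    """Scan log lines in time order and return (account_alerts, fleet_alerts).

    account_alerts: {account: time at which ACCOUNT_FAIL_THRESHOLD was reached}
    fleet_alerts:   [times at which FLEET_DISTINCT_THRESHOLD was first reached]
    Sliding windows are used so each condition alerts once when it is crossed,
    not again on every subsequent failure."""
    recent_by_account = defaultdict(deque)  # account -> timestamps of recent failures
    recent_fleet = deque()                  # (timestamp, account) of recent failures
    account_alerts, fleet_alerts = {}, []
    fleet_alert_active = False

    for raw in lines:
        ts, account, outcome = parse_line(raw)
        if outcome != "LOGIN_FAIL":
            continue

        # Account level: many failures on one account in a short period.
        q = recent_by_account[account]
        q.append(ts)
        while ts - q[0] > ACCOUNT_WINDOW:
            q.popleft()
        if len(q) >= ACCOUNT_FAIL_THRESHOLD and account not in account_alerts:
            account_alerts[account] = ts

        # Fleet level: failures spread across many distinct accounts.
        recent_fleet.append((ts, account))
        while ts - recent_fleet[0][0] > FLEET_WINDOW:
            recent_fleet.popleft()
        distinct = len({a for _, a in recent_fleet})
        if distinct >= FLEET_DISTINCT_THRESHOLD:
            if not fleet_alert_active:
                fleet_alerts.append(ts)
                fleet_alert_active = True
        else:
            fleet_alert_active = False

    return account_alerts, fleet_alerts


if __name__ == "__main__":
    acct, fleet = detect_anomalies(build_sample_log())
    for account, when in acct.items():
        print(f"ALERT account-level: {account} reached {ACCOUNT_FAIL_THRESHOLD} failures at {when}")
    for when in fleet:
        print(f"ALERT fleet-level: failures on {FLEET_DISTINCT_THRESHOLD}+ accounts by {when}")
```

The two windows deliberately measure different things: the per-account window is blind to a low-and-slow stuffing run that touches each account only once, and the fleet window is blind to a focused attack on one account, so a firm needs both. In the constructed log the single mistyped password on acct-1002 trips neither.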
Procedures for Potential or Reported Customer ATOs
Firms can proactively address potential or reported customer ATOs by:
- establishing a dedicated fraud group to investigate customer ATOs;
- responding promptly and effectively to customers who report ATOs, frequently updating them on their account status and minimizing the amount of time their accounts are locked or their trading ability is suspended;
- reviewing all of a customer’s accounts at the firm for signs of problematic activity, if such activity is identified in one of their accounts;
- providing a method for customers to quickly communicate with someone at the firm, typically through voice or chat channels in a contact center; and
- reminding customers of recommended security practices (e.g., MFA adoption).
Automated Threat Detection
Firms can use a variety of automated processes to detect potential malicious actions by bad actors, for example, by:
- using web application firewalls (WAFs) and internally built tools to stop credential stuffing attacks;
- isolating suspicious IPs in a “penalty box”; and
- instituting geographic-based controls (e.g., “impossible travel” or disallowing connections from countries where no customers reside).
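The penalty box and the geographic controls from the list above, as an added example that is not the Notice’s or any vendor’s code. The geolocation table, the allowed-country list, the speed and distance thresholds and the one-hour penalty duration are all assumed for the illustration; a real deployment would take locations from a geolocation service and the thresholds from the firm’s own policy.

```python
import math
from datetime import datetime, timedelta

# Assumed policy values for this example; a firm would tune them to its own customer base.
MAX_PLAUSIBLE_SPEED_KMH = 900     # roughly airliner speed; faster than this => impossible travel
GEO_TOLERANCE_KM = 100            # IP geolocation is coarse; ignore "moves" shorter than this
ALLOWED_COUNTRIES = {"US", "CA"}  # constructed: countries where the firm has customers
PENALTY_BOX_DURATION = timedelta(hours=1)

# Constructed stand-in for an IP geolocation lookup: ip -> (country, latitude, longitude).
# A real deployment would query a geolocation database or service.
GEO_DB = {
    "198.51.100.10": ("US", 40.71, -74.01),   # New York
    "198.51.100.11": ("US", 40.70, -74.00),   # New York, a different address nearby
    "203.0.113.5": ("US", 34.05, -118.24),    # Los Angeles
    "192.0.2.77": ("XX", 48.86, 2.35),        # "XX": constructed code for a non-allowed country
}


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two points given in decimal degrees."""
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi, dlam = math.radians(lat2 - lat1), math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(dlam / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


class PenaltyBox:
    """Time-limited isolation of suspicious source IPs."""

    def __init__(self):
        self._release_at = {}

    def add(self, ip, now):
        self._release_at[ip] = now + PENALTY_BOX_DURATION

    def contains(self, ip, now):
        release = self._release_at.get(ip)
        if release is None:
            return False
        if now >= release:          # the isolation period is over; forget the entry
            del self._release_at[ip]
            return False
        return True


def evaluate_login(ip, now, last_login, penalty_box):
    """Decide how to treat a login attempt from `ip` at time `now`.

    last_login is (timestamp, ip) of the account's previous successful login, or None.
    Returns ("allow" | "step_up" | "block", reason); "step_up" means require additional
    authentication before the session is granted."""
    if penalty_box.contains(ip, now):
        return "block", "source ip is in the penalty box"

    geo = GEO_DB.get(ip)
    if geo is None:
        return "step_up", "no geolocation available for source ip"
    country, lat, lon = geo

    # Geographic control: no customers live there, so no legitimate logins originate there.
    if country not in ALLOWED_COUNTRIES:
        penalty_box.add(ip, now)
        return "block", f"connections from {country} are not permitted"

    # Impossible travel: compare with where the previous successful login came from.
    if last_login is not None:
        prev_ts, prev_ip = last_login
        prev_geo = GEO_DB.get(prev_ip)
        if prev_geo is not None:
            distance = haversine_km(prev_geo[1], prev_geo[2], lat, lon)
            hours = (now - prev_ts).total_seconds() / 3600.0
            if distance > GEO_TOLERANCE_KM and (hours <= 0 or distance / hours > MAX_PLAUSIBLE_SPEED_KMH):
                return "step_up", f"impossible travel: {distance:.0f} km in {hours:.2f} h"

    return "allow", "no geographic anomaly"


def run_scenario():
    """Constructed sequence of login attempts for one customer; returns the decisions."""
    box, ny, t0 = PenaltyBox(), "198.51.100.10", datetime(2024, 3, 1, 9, 0, 0)
    attempts = [
        (ny, t0, None),                                                 # first login: nothing to compare
        ("198.51.100.11", t0 + timedelta(minutes=10), (t0, ny)),       # short hop within New York
        ("203.0.113.5", t0 + timedelta(hours=1), (t0, ny)),            # New York -> Los Angeles in 1 h
        ("203.0.113.5", t0 + timedelta(hours=6), (t0, ny)),            # same trip in 6 h: plausible
        ("192.0.2.77", t0 + timedelta(hours=7), (t0, ny)),             # non-allowed country: boxed
        ("192.0.2.77", t0 + timedelta(hours=7, minutes=30), (t0, ny)),  # still in the box
        ("192.0.2.77", t0 + timedelta(hours=9), (t0, ny)),             # box expired; re-evaluated
    ]
    return [evaluate_login(ip, when, last, box) for ip, when, last in attempts]


if __name__ == "__main__":
    for decision, reason in run_scenario():
        print(f"{decision:8} {reason}")
```

Two design points worth noting: the impossible-travel rule answers with a step-up rather than a hard block, because a travelling customer or a VPN exit node can legitimately produce the same signal, whereas the country rule blocks outright because the firm has no customers there; and the distance tolerance keeps coarse city-level geolocation from turning an ordinary change of address within the same metro area into a false positive.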
Restoring Customer Account Access
Secure practices to restore customers’ account access—whether because a customer has forgotten their password or because they are otherwise locked out—in a timely fashion are essential. At the same time, however, the process must be well thought out and incorporate appropriate safeguards so that it does not itself become an avenue for ATOs. To do this successfully, firms should:
- implement two-factor authentication for all password resets, for example, requiring input of a time-sensitive code sent to investors by SMS text message (several firms noted that sending a code via email can be risky because customers’ email accounts may have been compromised, so firms using this approach may want to ask for additional confirming information, as described in the bullet below); and
- require customers to contact call centers, and answer security questions based on less commonly available information (i.e., information less likely to be available through the dark web or a customer’s social media posts, and provided by the credit bureaus or firms providing digital identity intelligence) to restore their account access.
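A server-side treatment of the time-sensitive reset code from the first bullet, added as an example and not the Notice’s or any firm’s code. It assumes a six-digit code delivered out of band (the SMS delivery step is outside the snippet), a ten-minute lifetime and a three-attempt limit; all three values are illustrative.

```python
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta

# Assumed policy values for this example.
CODE_TTL = timedelta(minutes=10)   # a code is only honoured for a short period
MAX_ATTEMPTS = 3                   # wrong guesses allowed before the code is voided


def _digest(account, code):
    """Hash the code together with the account so a code issued for one account
    can never satisfy a verification for another."""
    return hashlib.sha256(f"{account}:{code}".encode()).hexdigest()


class ResetCodeStore:
    """Server-side state for time-sensitive password-reset codes.

    Only a digest of the code is kept; the code itself goes to the customer out of
    band and is never written to the store or to logs. A six-digit code has only a
    million possibilities, so the digest is not protection against offline guessing;
    the attempt limit and the short lifetime are what make guessing impractical."""

    def __init__(self):
        self._pending = {}  # account -> {"digest", "expires_at", "attempts"}

    def issue(self, account, now):
        """Create a fresh code for `account`, replacing any earlier pending code."""
        code = f"{secrets.randbelow(10**6):06d}"   # CSPRNG, zero-padded to six digits
        self._pending[account] = {"digest": _digest(account, code),
                                  "expires_at": now + CODE_TTL, "attempts": 0}
        return code   # hand to the out-of-band delivery step; not stored

    def verify(self, account, submitted, now):
        """Return (ok, reason). A code is single use and is voided on expiry or
        after MAX_ATTEMPTS wrong guesses."""
        entry = self._pending.get(account)
        if entry is None:
            return False, "no pending code"
        if now > entry["expires_at"]:
            del self._pending[account]
            return False, "code expired"
        entry["attempts"] += 1
        # Constant-time comparison so response timing does not leak how much matched.
        if hmac.compare_digest(entry["digest"], _digest(account, submitted)):
            del self._pending[account]          # single use: a replayed code fails
            return True, "ok"
        if entry["attempts"] >= MAX_ATTEMPTS:
            del self._pending[account]          # void the code; the customer must request a new one
            return False, "too many attempts"
        return False, "code mismatch"


def run_scenario():
    """Constructed walk-through; returns the list of (ok, reason) outcomes."""
    store = ResetCodeStore()
    t0 = datetime(2024, 3, 1, 9, 0, 0)
    results = []
    # Three wrong guesses void the code ("000000x" can never equal a six-digit code).
    store.issue("acct-1001", t0)
    for i in range(3):
        results.append(store.verify("acct-1001", "000000x", t0 + timedelta(seconds=i)))
    # A fresh code works exactly once.
    code = store.issue("acct-1001", t0 + timedelta(minutes=1))
    results.append(store.verify("acct-1001", code, t0 + timedelta(minutes=2)))
    results.append(store.verify("acct-1001", code, t0 + timedelta(minutes=3)))
    # An unused code expires.
    code = store.issue("acct-1001", t0 + timedelta(minutes=5))
    results.append(store.verify("acct-1001", code, t0 + timedelta(minutes=20)))
    # A code issued to one account is useless against another.
    code = store.issue("acct-1002", t0 + timedelta(minutes=30))
    store.issue("acct-1003", t0 + timedelta(minutes=30))
    results.append(store.verify("acct-1003", code, t0 + timedelta(minutes=31)))
    return results


if __name__ == "__main__":
    for ok, reason in run_scenario():
        print("PASS" if ok else "FAIL", reason)
```

The properties that keep the reset path from becoming its own ATO avenue are the ones the scenario exercises: the code cannot be guessed in a few tries, cannot be replayed, dies quickly if it sits unused in an intercepted message, and cannot be transplanted from one customer’s reset to another’s.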
Firms can also educate and train their customers on account security by:
- including cybersecurity-related materials in the client onboarding process;
- providing up-to-date cybersecurity information;
- offering resources on the firm’s website, such as alerts that customers can opt in to receive by email or SMS text message for certain types of account activity; and
- adding educational content to statements of older investors.