The US Financial Regulatory Authority has been receiving more and more reports of account takeovers in the past year. These incidents involve fraudsters using compromised information about customers – notably their login details – to gain control of their online brokerage accounts. In addition, attackers have been using synthetic identities to open new accounts fraudulently.
'Account takeovers' are attempts – not necessarily successful – to gain access to monies in the accounts of HNW and other individuals, generally by the use of improperly obtained personal identifying information. These are on the rise because more firms are offering their customers online accounts and more investors are conducting transactions in these accounts, helped by the proliferation of mobile devices and applications or “apps” and the closure of firms' offices because of the current pandemic.
Criminals have taken advantage of these conditions to take accounts over, commonly through methods such as phishing emails and social engineering attempts (in which the fraudsters call customers, pretending to be registered representatives from customers’ firms, to acquire their personal information).
Fraudsters are also using registered representatives’ names and other information to establish websites (FINMA calls them “impostor websites”) that appear to be the representatives’ personal sites and sometimes call potential customers to ask them to use these websites. A typical impostor website might use the registered representative’s name as the domain name (firstnamemiddlenamelastname.com), include a picture that may or may not be of the registered representative, publish a fake employment history, including prior employers’ CRD (Central Registration Depository) numbers and examination history and ask HNWs to fill out contact forms, divulging their names, email addresses, phone numbers etc. Some of the sites contain poor grammar, misspellings, odd or awkward phrases, or the wrong financial terminology. FINMA has asked customers or their wealth managers to run a “WHOis” search (www.whois.net) on each suspect/impostor site to identify the hosting provider and domain-name registrar associated with the website (which may be the same organisation in some instances). In some cases, this site also provides relevant contact information. FINRA also wants the customers to report attacks to it or to the Securities and Exchange Commission or even to the nearest Federal Bureau of Investigation (FBI) field office.
A proliferation of stolen “customer login credentials” that are on sale on the so-called “dark web” (or “invisible web,” the portion of the Internet that people can only reach through special types of software) might also explain the upsurge in takeovers, as might the emergence of software that automates account-takeover attacks at scale (e.g., using mobile emulators to mimic mobile devices that have been compromised to access thousands of online brokerage accounts).
Financial firms' regulatory obligations in this field are as follows.
- FINRA 'KYC' Rule 2090, which states that firms must use reasonable diligence, in regard to the opening and maintenance of every account, to know the “essential facts” concerning every customer, which are facts that are required to: (1) service the customer’s account effectively; (2) act in accordance with any special handling instructions for the account; (3) understand the authority of each person acting on behalf of the customer; and (4) comply with applicable rules.
- SEC Regulation S-P, Rule 30. Firms must have adequate written policies and procedures that protect customers' records and information and keep them confidential. They must protect them against any anticipated threats or hazards to their security or integrity and against unauthorised access.
- SEC Regulation S-ID. Firms must draft up and run regimes (FINRA calls them programmes) to ward off the threat of identity theft. In doing so, they should consider fraudsters' methods and the "red flags" that pertain to identity theft.
- Customer Identification Programmes or CIPs. Firms’ anti-money-laundering compliance plans of action, aka programmes, must contain written Customer Identification Programmes. These must include risk-based procedures that enable them to form a reasonable belief that they know the true identities of all people who opens new accounts. The CIPs must also say when they intend to verify identities, either with or without documents.
FINRA also encourages firms to review their policies and procedures that confirm that new accounts comply with FINRA Rule 4512, which pertains to information about customers' accounts, as well as the Bank Secrecy Act 1970 and its implementing regulations that FINRA mentions in Rule 3310. They should also review policies and procedures that govern both suspicious activity reports and the handling of ACH and other transmittal requests to “determine the authenticity of transmittal instructions” in line with FINRA Rule 3110 (Supervision).
Most firms that FINMA has spoken to recently employ multi-factor authentication (MFA) as a hedge against account takeovers. An example of a single-factor mode of authentication is a password. MFA uses two or more checks of different kinds, such as a password and some code sent on a Short Message Service (SMS) text or an authenticating app.
Some firms use "adaptive authentication" techniques to make accounts more secure. These typically assess both the risk associated with a customer’s login and the risk of the activity that the customer wishes to undertake. The former might involve dodgy log-in attempts; the latter might involve the customer doing something incompatible with the size of his account.
When these things happen, the financial institution might ask the customer to provide extra identifying information if he tries to log in to his account from a new device or different location, or if he wants to set up a highly risky transaction.
Supplemental authentication factors also exist. These are: SMS text message codes; verifications of phone calls; media access control (MAC) addresses; information about geolocation; third-party authenticator apps; and biometrics. These last include software that recognises fingerprints, voices, faces and such behaviour as mouse activity and keyboard strokes on computers, touch-screen behaviour and the movement of mobile devices on a map.
Many firms, beleaguered by the prevalence of fraudsters' takeovers of email accounts, have also abandoned the use of email addresses to authenticate things.
At the back end
How best to detect anomalies? FINRA's contacts at financial institutions are looking for the following.
- significant increases in the number of failed logins in a short time on a specific account;
- signs of an account takeover, such as: large purchases shortly after the opening of a new account; changes in the email account of record followed by a request for a third-party wire; frequent transfers of funds in and out of an account);
- indications of credential stuffing such as a spike in the number of login attempts and failed logins across a large number of accounts);
- emails from customers containing bad grammar or spelling and unexpected attachments, apps or links.
Firms might also try to stop fraudsters from moving money out of accounts by requiring customers to use established phone numbers to confirm their intentions to pay people if the firms have detected suspicious activity on their accounts (e.g. when someone wants to move money from his online brokerage account into a newly-established bank account). They might also like to scan the dark web for keywords or data that could be useful to fraudsters who want to take accounts over (e.g., the names of firms, the numbers of customer accounts, the names of firms' executives, planted accounts and passwords).
Another old chestnut is "impossible travel" – a security-oriented control that compares the locations of a user’s most recent two sign-in attempts to determine whether travel between those places was impossible in the relevant timeframe.