What to do about account takeovers - some tips from FINRA

Chris Hamblin

16 May 2021

'Account takeovers' are attempts – not necessarily successful – to gain access to monies in the accounts of HNW and other individuals, generally by the use of improperly obtained personal identifying information. These are on the rise because more firms are offering their customers online accounts and more investors are conducting transactions in these accounts, helped by the proliferation of mobile devices and applications or “apps” and the closure of firms' offices because of the current pandemic.

Criminals have taken advantage of these conditions to take accounts over, commonly through methods such as phishing emails and social engineering attempts (in which the fraudsters call customers, pretending to be registered representatives from customers’ firms, to acquire their personal information).

Fraudsters are also using registered representatives’ names and other information to establish websites (FINRA calls them “impostor websites”) that appear to be the representatives’ personal sites, and sometimes call potential customers to ask them to use these websites. A typical impostor website might use the registered representative’s name as the domain name (firstnamemiddlenamelastname.com), include a picture that may or may not be of the registered representative, publish a fake employment history, including prior employers’ CRD (Central Registration Depository) numbers and examination history, and ask HNWs to fill out contact forms, divulging their names, email addresses, phone numbers etc. Some of the sites contain poor grammar, misspellings, odd or awkward phrases, or the wrong financial terminology. FINRA has asked customers or their wealth managers to run a WHOIS search (www.whois.net) on each suspect/impostor site to identify the hosting provider and domain-name registrar associated with the website (which may be the same organisation in some instances). In some cases, this site also provides relevant contact information. FINRA also wants the customers to report attacks to it or to the Securities and Exchange Commission or even to the nearest Federal Bureau of Investigation (FBI) field office.

A proliferation of stolen “customer login credentials” that are on sale on the so-called “dark web” (or “invisible web,” the portion of the Internet that people can only reach through special types of software) might also explain the upsurge in takeovers, as might the emergence of software that automates account-takeover attacks at scale (e.g., using mobile emulators to mimic mobile devices that have been compromised to access thousands of online brokerage accounts).

Relevant rules

Financial firms' regulatory obligations in this field are as follows.

FINRA also encourages firms to review their policies and procedures that confirm that new accounts comply with FINRA Rule 4512, which pertains to information about customers' accounts, as well as the Bank Secrecy Act 1970 and its implementing regulations that FINRA mentions in Rule 3310. They should also review policies and procedures that govern both suspicious activity reports and the handling of ACH and other transmittal requests to “determine the authenticity of transmittal instructions” in line with FINRA Rule 3110 (Supervision).

Multi-factor authentication

Most firms that FINRA has spoken to recently employ multi-factor authentication (MFA) as a hedge against account takeovers. An example of a single-factor mode of authentication is a password. MFA uses two or more checks of different kinds, such as a password plus a code sent by Short Message Service (SMS) text message or generated by an authenticator app.

Some firms use "adaptive authentication" techniques to make accounts more secure. These typically assess both the risk associated with a customer’s login and the risk of the activity that the customer wishes to undertake. The former might involve dodgy log-in attempts; the latter might involve the customer doing something incompatible with the size of his account.

When these things happen, the financial institution might ask the customer to provide extra identifying information if he tries to log in to his account from a new device or different location, or if he wants to set up a highly risky transaction.

Supplemental authentication factors also exist. These are: SMS text message codes; verification by phone call; media access control (MAC) addresses; information about geolocation; third-party authenticator apps; and biometrics. These last include software that recognises fingerprints, voices, faces and such behaviour as mouse activity and keyboard strokes on computers, touch-screen behaviour and the movement of mobile devices on a map.

Many firms, beleaguered by the prevalence of fraudsters' takeovers of email accounts, have also abandoned the use of email addresses to authenticate things.

At the back end

How best to detect anomalies? FINRA's contacts at financial institutions are looking for the following.

Firms might also try to stop fraudsters from moving money out of accounts by requiring customers to use established phone numbers to confirm their intentions to pay people if the firms have detected suspicious activity on their accounts (e.g. when someone wants to move money from his online brokerage account into a newly-established bank account). They might also like to scan the dark web for keywords or data that could be useful to fraudsters who want to take accounts over (e.g., the names of firms, the numbers of customer accounts, the names of firms' executives, planted accounts and passwords).

Another old chestnut is "impossible travel" – a security-oriented control that compares the locations of a user’s most recent two sign-in attempts to determine whether travel between those places was impossible in the relevant timeframe.