FINRA Addresses Customer Account Takeovers (ATOs); Firms Advised on Protection Tactics 

The Financial Industry Regulatory Authority (FINRA) has issued a regulatory notice in response to a noticed increase in customer account takeovers (ATOs). During these ATOs, bad actors compromise account information, gain unlawful entry into customer online brokerage accounts, make fraudulent transactions, siphon out funds, and commit other crimes. Similarly, bad actors have increasingly been using simulated identities to open online accounts, and unlawfully access funds and data. FINRA’s regulatory notice summarizes the observations of 20 firms of various business models and sizes on the subject. 

Why the rise in ATOs? 

The FINRA notice attributes the recent rise in ATOs to several factors that all increase the risk of online fraud: 

• More firms offering online accounts 
• More investors conducting transactions in online accounts 
• Proliferation of mobile devices and apps, enabling additional access (and attack vectors) for online accounts 
• Reduced accessibility of physical offices due to the COVID-19 pandemic, making it harder to verify identity 
• More stolen login credentials being available illegally on the dark web 
• Increased sophistication and availability of ATO tools such as mobile emulators that mimic mobile devices in an automated fashion 

Challenges  

The interviewed firms described the challenging nature of protecting customers from ATOs. Challenges included: 

• Successfully verifying the identities of creators of online accounts 
• Fending off the volume of attempted ATOs 
• Preventing transfers of funds between compromised accounts 
• Identifying when modifications of critical information (e.g., bank information, email address) are fraudulent 
• Identifying when login reset requests are fraudulent 
• Balancing stringent security measures with customer ease-of-use 

Strategies 

​​​​​​The FINRA notice lists multiple strategies interviewed firms use to detect, prevent, and address ATOs, including: 

• Heighten authentication of new customers 
  • Carefully inspect identification documentation (e.g., “likeness checks” comparing documents with photos, videos, and voice recordings).  
  • Ask follow-up questions or request documents (e.g., use credit bureau information to ask for additional qualifying information regarding car or home purchases) 
  • Use third-party service providers to authenticate using the above and additional tools (e.g., database of suspicious information in applications) 
• Strengthen login verifications (especially with MFA)  
  • Use multi-factor authentication for all customers, or at the least for customers whose accounts have been previously compromised. MFA is considered a key factor in reducing ATOs. 
  • Use adaptive authentication, in which additional credentials are required when login attempts are deemed suspicious (e.g., multiple login attempts, new device or location, “impossible travel” where logins are attempted from distant sites in time frames that cannot meet required travel times). 
  • Demand additional credentials for situations of heightened risk (e.g., abnormal withdrawals or purchases, overly frequent account activity). 
  • Use additional identifying information, e.g., phone call verifications, geolocation information, third-party authentication apps, and biometrics. 
• Use back-end tools 
  • Use automated monitoring for account anomalies (e.g., detecting overly frequent login attempts, large transfers, etc.), based on preset metrics and detection tool results. 
  • Employ phishing monitoring tools that detect red flags of social engineering (e.g., bad spelling and grammar, urgency, unexpected links). 
  • Scan the dark web for signs of data used by bad actors (e.g., iterations of the firm’s name, account numbers, executive names, etc.). 
  • Use firewalls and other tools to prevent automated fraudulent login attempts. 
• Enhance customer service  
  • Educate customers re. ATOs, safeguards used by the firm, and safeguards customers should employ (e.g., MFA). 
  • Dedicate phone and chat lines to ATO complaints, suspicions, and resolution actions. 

The FINRA notice stresses that the strategies and recommendations offered do not constitute mandated regulations (though it reminds readers of existing regulations on protecting customer data). It further advises immediately reporting ATOs and other potential fraud to FINRA, to the SEC, to the FBI, to the Internet Crime Complaint Center, and to local state securities regulators.  

ACA guidance

The information in the FINRA regulatory notice provides sound advice for ATO detection and protection. Firms are advised to implement the offered suggestions in as efficient and focused manner as possible. The ATO threat is growing, and action is needed. 

The FINRA notice does not, however, provide particularly novel information. And indeed, the notice calls out that the suggested tactics are just that – suggestions, not new regulations. However, the fact that FINRA is publishing in-depth content on the subject indicates that it is of crucial concern to them. ATO detection and prevention is very likely to be a source of regulatory attention during future audits, at least as it applies to existing regulations on protecting sensitive customer data, as well as on existing regulations for monitoring and responding to suspicious activity. 

How we help

ACA Aponix offers the following solutions that can help your firm protect itself in relation to this and similar cybersecurity warnings, and to enhance its cybersecurity in general: 

• Threat intelligence, phishing testing and monitoring
• Operational resilience and governance
• Risk assessments and regulatory compliance testing services
• Download our Aponix Protect™ cybersecurity solution brochure.