One way is by recommending to customers that they use a password manager. These applications protect online accounts by saving strong, unique passwords for each customer account and device. The password manager then automatically fills in the password whenever customers access their accounts online.

Customers often use the same log-in information across multiple accounts, making themselves particularly susceptible to wide-scale account takeovers, Finra said.

Beefing Up Security
Firms should also think about beefing up their new account opening requirements and verifying customers’ identities when establishing online accounts; that means validating identities on documents that applicants provide, including Social Security numbers, addresses and driver’s licenses.  

Other good approaches, broker-dealer executives told Finra, include asking applicants follow-up questions or requesting additional documents to validate their identities, using information from credit reporting agencies or firms that provide digital identity intelligence.

Some broker-dealers also use multifactor authentication when customers log in. This means going beyond a single password and using two or more levels of account verification when customers sign in—requiring them to present a code sent via a text message, for example, or using an authentication app as a second step to the clients’ passwords. This can significantly reduce fraud, Finra said.

The broker-dealer executives who met with Finra said they also routinely conduct ongoing surveillance for anomalies, such as significant increases in failed log-ins, large purchases made shortly after a customer opens an account or changes in emails followed by a request from a third party.

The firms used a variety of automated processes to detect potential malicious actions by bad actors; these processes included web application firewalls and internally built tools to stop attacks. They also isolated suspicious internet protocol (IP) addresses in a “penalty box” and used geographic limits that disallowed connections from countries where no customers reside.
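The failed log-in surveillance, "penalty box" and geographic limits described above can be sketched as follows. This is an added example, not code from Finra or any firm in the article; the thresholds, country list, class and function names, and sample events are all assumptions constructed for illustration.

```python
from collections import defaultdict, deque
# Assumed policy values (hypothetical; the article gives no thresholds)
ALLOWED_COUNTRIES = {"US", "CA"}  # countries where customers reside
MAX_FAILURES = 3       # failed log-ins tolerated per IP per window
WINDOW_SECONDS = 60
PENALTY_SECONDS = 900  # time an IP stays in the penalty box

class LoginGate:
    def __init__(self):
        self.failures = defaultdict(deque)  # ip -> recent failure times
        self.penalty_until = {}             # ip -> penalty expiry time

    def check(self, ts, ip, country):
        # Runs before authentication: geographic limit, then penalty box.
        if country not in ALLOWED_COUNTRIES:
            return "deny:geo"
        if self.penalty_until.get(ip, 0) > ts:
            return "deny:penalty_box"
        return "allow"

    def record(self, ts, ip, success):
        # Track failures in a sliding window; box the IP on a spike.
        if success:
            return
        recent = self.failures[ip]
        recent.append(ts)
        while recent[0] <= ts - WINDOW_SECONDS:
            recent.popleft()
        if len(recent) > MAX_FAILURES:
            self.penalty_until[ip] = ts + PENALTY_SECONDS
            recent.clear()

def replay(events):
    gate, decisions = LoginGate(), []
    for ts, ip, country, success in events:
        decision = gate.check(ts, ip, country)
        if decision == "allow":
            gate.record(ts, ip, success)
        decisions.append(decision)
    return decisions
# Constructed sample events: (seconds, source IP, GeoIP country, success)
SAMPLE_EVENTS = [
    (0, "198.51.100.7", "US", False), (10, "198.51.100.7", "US", False),
    (20, "198.51.100.7", "US", False),
    (30, "198.51.100.7", "US", False),   # 4th failure in 60 s: boxed
    (40, "198.51.100.7", "US", True),    # refused while boxed
    (45, "203.0.113.9", "ZZ", True),     # country outside the allow list
    (50, "192.0.2.15", "US", True), (1000, "198.51.100.7", "US", True),
]
```

Per-IP counting misses attempts spread across many addresses and can box customers who share one address, so it is normally paired with per-account failure counts.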

Firms that discover account takeover schemes or imposter websites mimicking their own sites should contact their Finra risk managers right away. “Finra is also looking for these schemes, and if we find them, we will contact you and work with you,” Colby said.
