‘Stealing from
the Rich and Giving to Themselves’: 5 Tips to Protect Your Brokerage Login Credentials from Hackers
By Trevor Daughney, VP, Product Marketing, Exabeam
As millenials and younger generations
of investors race to be a part of the stock market and broader community, digital
adversaries are capitalizing on the interest and overall carelessness of the users, according
to alerts from the SEC during fall 2020. In fact, CNBC
recently reported that cybercriminals are selling login details from E*Trade, Charles
Schwab, TD Ameritrade, Robinhood and more for just a few dollars each.
The users the logins belong to
were said to have portfolios ranging up to $500,000. Interestingly, user credentials from online trading startup Robinhood are seeing the highest value on the illicit marketplace — likely because they are easiest to break into and/or cash out. Identity security
experts have also speculated that this higher price point could be attributed to Robinhood’s user base more frequently posting about their investment successes on social media — making them prime targets for username and password harvesting.
It’s no secret that cybercriminals
seek out the path of least resistance. They want easy money with little effort or risk on their part. Shouting about investment wins and monetary windfalls online is the perfect bait to lure them in — without you even realizing it. This is scary for a number
of reasons.
First, not only can the cyber
thief manipulate your shares — brokerage applications and websites also house troves of your personal and financial data, which is compromised the second the login is stolen and purchased. Next, if you use the same login information across multiple websites,
you could put those other accounts equally at risk. And finally, if you use those login details for accounts tied to your employer, you can make your entire company vulnerable to breach.
So what can you do to prevent
personal credential theft on brokerage sites and beyond?
Diversify Your
Login Details
You should never reuse a password
— plain and simple. As mentioned above, if one of your accounts is breached and you use those credentials on other sites and apps, cybercriminals can carry out ‘credential stuffing’ attacks. In these instances, they utilize the stolen brokerage login, for
instance, to attempt to break into your accounts – social media, banking, delivery apps, Amazon and more — anything that could house useful or sellable data. You can prevent this by ensuring you use unique, complex logins across each and every account.
It is especially critical you
never
mix personal and corporate login details. If you utilize the same password on your employer-owned accounts, hackers could use you as a foothold into the broader company network.
Utilize a Password
Manager
Does remembering all these passwords
sound intimidating? You’re not alone. That’s why password
managers were invented. These tools help you generate and store customized credentials
for each of your accounts — both business and personal — leaving you no excuse to recycle and reuse.
Implement Multi-factor
Authentication Wherever Possible
Multi-factor authentication,
which requires one or more extra steps to verify your identity before logging into an account, is an easy-to-implement hacker repellent. Even if they have your username and password, entering this information will lead them to a secondary screen requesting
the next factor — which can include anything from a fingerprint to an SMS text message or email code. Since those are things only you have access to, they will be stopped in their tracks.
Keep Successes
to Yourself
While it’s tempting to show the
social media world what a savvy investor you’re becoming, you should never divulge financial information, including your online trading accomplishments, in the public domain. Try your best to keep these wins to yourself — or at most, to your extremely close
friends and family. The more you yell, the more the cybercriminals will hear you and be drawn to your accounts.
While it’d be nice to think that
all personal investors will follow these simple steps, there will always be a few that slip through the cracks. Verizon’s 2020 Data Breach Investigations Report
cited that a whopping 80% of breaches [that include hacking] are due to brute force or use of lost or stolen credentials. Worryingly, bad actors will often use credentials from personal account breaches to try to break into the user’s corporate accounts. If
they are able to break into just one privileged account, it unlocks a treasure chest of sensitive data and allows lateral movements around the enterprise network. So what can organizations do to ensure employees’ personal accounts being compromised don’t take
their networks down too?
Companies Must
Track Digital User Behavior and Educate Employees
At a high level, security organizations
must shift the overall enterprise security strategy and give top priority to remediating credential-based incidents. By closely monitoring digital user behavior, security teams can gain the necessary visibility required to restore the broken trust and react
in real time, to protect all user accounts. This includes the ability to detect, using
behavioral characteristics, when malicious events have occurred.
Security organizations should
also invest time in educating employees on good password hygiene and industry best practices on a consistent basis, such as those above. Finally, companies should proactively evaluate and update network security capabilities, to bolster protections for company
data, especially now with a broadly distributed workforce. A security stack that includes behavioral analytics, data loss prevention and identity access management (IAM) is a strong start to better protecting all company information across any network.
While these tips will help up-and-coming investors protect their brokerage accounts, this advice can apply to any account housing confidential data. If consumers and companies utilize these steps on an ongoing basis, they can prevent cybercriminals from stealing from them — and giving to themselves.
Bio
Trevor Daughney is Vice President of Product Marketing at Exabeam. Trevor is a marketing executive with a track record of building high performing teams to take enterprise cybersecurity SaaS and software technology and turn them into successful global businesses. Prior to Exabeam, he led enterprise product marketing at McAfee, Ping Identity and Symantec. Trevor approaches marketing with a global mindset, and builds on his experiences living and working in the US, Canada and Asia. He has an MBA from the University of California, Berkeley.
