‘Stealing from the Rich and Giving to Themselves’: 5 Tips to Protect Your Brokerage Login Credentials from Hackers
By Trevor Daughney, VP, Product Marketing, Exabeam
As millenials and younger generations of investors race to be a part of the stock market and broader community, digital adversaries are capitalizing on the interest and overall carelessness of the users, according to alerts from the SEC during fall 2020. In fact, CNBC recently reported that cybercriminals are selling login details from E*Trade, Charles Schwab, TD Ameritrade, Robinhood and more for just a few dollars each.
The users the logins belong to were said to have portfolios ranging up to $500,000. Interestingly, user credentials from online trading startup Robinhood are seeing the highest value on the illicit marketplace — likely because they are easiest to break into and/or cash out. Identity security experts have also speculated that this higher price point could be attributed to Robinhood’s user base more frequently posting about their investment successes on social media — making them prime targets for username and password harvesting.
It’s no secret that cybercriminals seek out the path of least resistance. They want easy money with little effort or risk on their part. Shouting about investment wins and monetary windfalls online is the perfect bait to lure them in — without you even realizing it. This is scary for a number of reasons.
First, not only can the cyber thief manipulate your shares — brokerage applications and websites also house troves of your personal and financial data, which is compromised the second the login is stolen and purchased. Next, if you use the same login information across multiple websites, you could put those other accounts equally at risk. And finally, if you use those login details for accounts tied to your employer, you can make your entire company vulnerable to breach.
So what can you do to prevent personal credential theft on brokerage sites and beyond?
Diversify Your Login Details
You should never reuse a password — plain and simple. As mentioned above, if one of your accounts is breached and you use those credentials on other sites and apps, cybercriminals can carry out ‘credential stuffing’ attacks. In these instances, they utilize the stolen brokerage login, for instance, to attempt to break into your accounts – social media, banking, delivery apps, Amazon and more — anything that could house useful or sellable data. You can prevent this by ensuring you use unique, complex logins across each and every account.
It is especially critical you never mix personal and corporate login details. If you utilize the same password on your employer-owned accounts, hackers could use you as a foothold into the broader company network.
Utilize a Password Manager
Does remembering all these passwords sound intimidating? You’re not alone. That’s why password managers were invented. These tools help you generate and store customized credentials for each of your accounts — both business and personal — leaving you no excuse to recycle and reuse.
Implement Multi-factor Authentication Wherever Possible
Multi-factor authentication, which requires one or more extra steps to verify your identity before logging into an account, is an easy-to-implement hacker repellent. Even if they have your username and password, entering this information will lead them to a secondary screen requesting the next factor — which can include anything from a fingerprint to an SMS text message or email code. Since those are things only you have access to, they will be stopped in their tracks.
Keep Successes to Yourself
While it’s tempting to show the social media world what a savvy investor you’re becoming, you should never divulge financial information, including your online trading accomplishments, in the public domain. Try your best to keep these wins to yourself — or at most, to your extremely close friends and family. The more you yell, the more the cybercriminals will hear you and be drawn to your accounts.
While it’d be nice to think that all personal investors will follow these simple steps, there will always be a few that slip through the cracks. Verizon’s 2020 Data Breach Investigations Report cited that a whopping 80% of breaches [that include hacking] are due to brute force or use of lost or stolen credentials. Worryingly, bad actors will often use credentials from personal account breaches to try to break into the user’s corporate accounts. If they are able to break into just one privileged account, it unlocks a treasure chest of sensitive data and allows lateral movements around the enterprise network. So what can organizations do to ensure employees’ personal accounts being compromised don’t take their networks down too?
Companies Must Track Digital User Behavior and Educate Employees
At a high level, security organizations must shift the overall enterprise security strategy and give top priority to remediating credential-based incidents. By closely monitoring digital user behavior, security teams can gain the necessary visibility required to restore the broken trust and react in real time, to protect all user accounts. This includes the ability to detect, using behavioral characteristics, when malicious events have occurred.
Security organizations should also invest time in educating employees on good password hygiene and industry best practices on a consistent basis, such as those above. Finally, companies should proactively evaluate and update network security capabilities, to bolster protections for company data, especially now with a broadly distributed workforce. A security stack that includes behavioral analytics, data loss prevention and identity access management (IAM) is a strong start to better protecting all company information across any network.
While these tips will help up-and-coming investors protect their brokerage accounts, this advice can apply to any account housing confidential data. If consumers and companies utilize these steps on an ongoing basis, they can prevent cybercriminals from stealing from them — and giving to themselves.
Trevor Daughney is Vice President of Product Marketing at Exabeam. Trevor is a marketing executive with a track record of building high performing teams to take enterprise cybersecurity SaaS and software technology and turn them into successful global businesses. Prior to Exabeam, he led enterprise product marketing at McAfee, Ping Identity and Symantec. Trevor approaches marketing with a global mindset, and builds on his experiences living and working in the US, Canada and Asia. He has an MBA from the University of California, Berkeley.