Industry Letter

January 12, 2024

To: Chief Information Security Officers at Regulated Institutions

From: New York State Department of Financial Services (“DFS”)

Re: Cybersecurity Alert – Self-Service Password Reset

Effective controls are essential to authenticate users who access your information systems. As configured by some organizations, applications or features that allow users to reset passwords themselves, do not securely authenticate users. If your organization uses, or is considering using, these features (commonly referred to as self-service password reset or SSPR), please review the information below.

Since, by its nature, a password is not necessary for someone to use SSPR, care must be taken to use secure authentication factors. For example, using an email address – either work or personal – to constitute a factor is unreasonably risky and especially unwise because email addresses are frequently found on social media and work-related websites and communications, and they are easy to guess. Similarly, using SMS and voice messages that are sent to a mobile phone number as one of the factors for authentication leaves companies vulnerable to SIM-swapping (where an attacker steals a victim’s phone number by switching the phone number from the victim’s device to a device controlled by the attacker) because the attacker will be able to receive any messages or codes sent to the victim’s phone number thereby eliminating the utility of that authentication factor.

If your organization does allow users to reset their own passwords, it is imperative to understand the risk and to implement appropriate and layered controls such as using mobile device management, logging and monitoring both successful and unsuccessful SSPR attempts, implementing a no-porting rule for phone numbers with carriers, having a process to detect and respond to suspicious SSPR activity, and limiting the user population permitted to use SSPR.

If others in your organization should receive this cybersecurity information, please forward this email as soon as possible and encourage them to opt-in to receive future “Cybersecurity Updates” from DFS. Information on best practices for multifactor authentication is available on the U.S. Cybersecurity & Infrastructure Security Agency website.

Regulated entities are reminded to report Cybersecurity Incidents and extortion payments pursuant to 23 NYCRR §500.17 via the DFS Portal, which you can access on DFS’s Cybersecurity Resource Center.