As the most targeted industry for attacks, and one of the most closely watched by regulators, financial organizations are generally fierce proponents of cybersecurity innovation. Yet we continue to hear about attacks that circumvent the protocols guarding authentication and access to financial institution services and systems. Just last month, Flagstar Bank announced that hackers gained unauthorized access to their networks and more than 1.5 million customer records.
To gain new insights into the security posture of the finance sector when it comes to authentication, HYPR commissioned the State of Authentication in the Finance Industry report. Conducted by independent research firm Vanson Bourne, the report is based on interviews with 500 IT and security decision makers across the financial services sector. The results expose that the authentication methods used by banks and other financial services organizations are causing cracks in security, strain on budgets and overall operational disruption.
Financial Organizations Face Continuous, Evolving Cyber Threats
Nearly all (94%) of the surveyed financial service organizations faced some type of attack over the past 12 months. Phishing was the most prevalent, with credential stuffing attacks and malware the next most common attack types. Push notification attacks followed closely. Sometimes called MFA prompt bombing, push attacks specifically target the push notifications used by many authenticators: the attacker, already holding a valid password, triggers repeated approval prompts until the user accepts one. It is a favorite technique of modern hacking groups, including Lapsus$, which recently breached Okta, Microsoft, Samsung and others.
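Because prompt bombing depends on flooding one account with push challenges until one is approved, the pattern is visible in authenticator logs. The following added Python example (not from the report or from HYPR) runs a simple burst detector over constructed sample log lines; the log format, field names and thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from the report): one MFA push event per line.
SAMPLE_LOG = """\
2022-07-01T09:00:01Z user=alice method=push result=denied src=203.0.113.10
2022-07-01T09:00:20Z user=alice method=push result=denied src=203.0.113.10
2022-07-01T09:00:45Z user=alice method=push result=timeout src=203.0.113.10
2022-07-01T09:01:10Z user=alice method=push result=denied src=203.0.113.10
2022-07-01T09:01:40Z user=alice method=push result=approved src=203.0.113.10
2022-07-01T09:05:00Z user=bob method=push result=approved src=198.51.100.7
2022-07-01T11:30:00Z user=carol method=push result=denied src=198.51.100.9
2022-07-01T14:00:00Z user=carol method=push result=approved src=198.51.100.9
"""

# Assumed line layout: ISO timestamp followed by key=value fields.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) method=push result=(?P<result>\S+) src=(?P<src>\S+)$"
)

def parse(log):
    """Return (timestamp, user, result, source) tuples for well-formed push events."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not push events
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["user"], m["result"], m["src"]))
    return events

def detect_push_bombing(log, window_minutes=5, threshold=3):
    """Flag users who receive `threshold` or more unapproved push prompts inside one window.
    An approval shortly after the burst is the classic fatigue outcome and is recorded too."""
    alerts = {}
    by_user = defaultdict(list)
    for ev in sorted(parse(log)):
        by_user[ev[1]].append(ev)
    window = timedelta(minutes=window_minutes)
    for user, evs in by_user.items():
        unapproved = [e for e in evs if e[2] != "approved"]
        for i, start in enumerate(unapproved):
            burst = [e for e in unapproved[i:] if e[0] - start[0] <= window]
            if len(burst) >= threshold:
                burst_end = burst[-1][0]
                approved_after = any(
                    e[2] == "approved" and start[0] <= e[0] <= burst_end + window for e in evs
                )
                alerts[user] = {"unapproved_prompts": len(burst),
                                "approved_after_burst": approved_after,
                                "sources": sorted({e[3] for e in burst})}
                break  # one alert per user is enough for triage
    return alerts
```

In the sample, alice gets four unapproved prompts in just over a minute and then approves one, which is the signature a SOC would want to page on; bob and carol stay quiet.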
Ransomware continues to be a frequent attack payload: 34% of financial services organizations surveyed were hit by ransomware attacks in the past 12 months.
Authentication Practices Creating Risk
While not all attacks were successful, 85% of organizations experienced cyber breaches as a result of these attacks, and nearly three-quarters were breached multiple times. For many, the consequences were severe, ranging from losing customers to a competitor, to loss of employee and customer data, to regulatory fines.
Other industry reports, including the latest Verizon DBIR, name credential-related issues as the top attack vector in the financial sector. So it’s not surprising that 80% of the surveyed organizations experienced at least one breach related to an authentication weakness. Bank authentication methods were among the most vulnerable, with 90% of smaller banks (<500 employees) experiencing a breach caused by authentication weaknesses. These authentication security failures are costing financial organizations an average of $2.2 million per year.
Most concerning, 63% of the organizations that were breached did nothing to change their security protocols for authentication and access to financial institution services and systems.
False Sense of Security
The lack of action may be explained by a seeming lack of awareness that current authentication practices expose financial organizations to risk. The report identifies multiple discrepancies between perceived levels of authentication security and how secure the authentication and access to financial institution services and systems actually is. The vast majority of participants (90%) stated that their current authentication approach is completely or mostly secure, despite the large numbers experiencing authentication-related breaches.
The confidence in security levels is also contradicted by the substantial proportion of respondents who admit that their employees are using legacy and other insecure authentication methods such as password managers, SMS and OTPs. Incredibly, close to one-quarter are, in some instances, still using usernames and passwords alone.
Traditional MFA vs. Phishing-Resistant MFA
This paradox can be traced to the ongoing confusion regarding traditional MFA. While once considered best practice, many modern attacks can circumvent traditional MFA, making it much less effective as a defense measure. A case in point is the $34 million stolen this year from the cryptocurrency exchange Crypto.com after hackers bypassed their MFA controls.
Such attacks have prompted calls by various regulatory bodies, including the United States Cybersecurity and Infrastructure Security Agency (CISA), for the use of MFA that can resist phishing and other attack methods. Yet among IT security decision makers in financial service organizations, awareness of this guidance is either sparse or it is being ignored. The vast majority surveyed (84%) feel that traditional MFA provides complete security.
Even more startling, despite financial organizations listing the insecure methods they use for authentication and access to services and systems, nearly half (47%) believe that phishing-resistant multi-factor authentication is key to their authentication strategy, and another 51% believe it plays a part.
This confusion serves to highlight the need for better education and training around which authentication methods are and aren’t phishable. Otherwise, the authentication methods used by banks and other financial services organizations will continue to lead to breaches.
Passwordless MFA Is the Way Forward
A bright spot is that financial organizations realize how to correct their authentication shortcomings. Among the IT and security practitioners surveyed, 89% understand that passwordless MFA is needed to achieve the highest level of authentication security and the same number say it improves user experience. Furthermore, 90% agree it offers cost benefits over traditional authentication methods. Factors such as password fatigue, impacts to productivity, help desk costs and meeting cyber insurance requirements were named as major adoption drivers.
Download the State of Authentication in Finance Report
As the financial industry continues to transform its operations and business models, organizations face unprecedented and dynamic security risks. Rapid digitization, interconnection with third-party systems, migration to the cloud, and shifts in working patterns, all open new attack vectors.
The biggest area of vulnerability remains the protocols protecting authentication and access to financial institution services and systems. Fortunately, technologies already exist to fix this. HYPR True Passwordless™ MFA meets the gold standard for phishing-resistance as defined by the OMB and CISA and allows financial services organizations to achieve the security assurance and frictionless experience they require.
To learn more about the current state of authentication in the finance sector, download the report.