How to Improve Finance Authentication Security
6 Min. Read | October 26, 2022
While financial services organizations are a perennial favorite target for attackers, the cyberthreat levels have increased significantly over the past few years. Despite massive security investments, the industry remains dangerously exposed, particularly when it comes to identity and access management (IAM) vulnerabilities. Recent statistics and trends show just how bad it’s become:
- Between February and April 2020 alone, there was a 238% surge in cyberattacks against banks, according to a report by VMware Carbon Black.
- Per our in-depth 2022 State of Authentication in the Finance Industry report, 80% of our respondents reported breaches due to authentication weaknesses.
- Nearly 40% of all phishing URLs target financial services. One institution, Credit Agricole, surpasses even Facebook as the perennially most-phished URL.
- 47% of attempted fraud was across card-not-present payment channels, i.e., attackers leveraging weak authentication controls on online payments.
Critical Cybersecurity Issues Facing Financial Services
Financial services, and their authentication systems in particular, face growing risk for several reasons.
Ease of Cracking Legacy Authentication
Legacy authentication is highly vulnerable to phishing, credential stuffing and password spraying attacks. Traditional 2FA and MFA are more a nuisance than an obstacle for hackers. Most systems use some form of shared secret as an authentication factor, meaning the secret can always be phished, stolen or intercepted. Once attackers get through the authentication challenges, they can escalate these account takeover (ATO) attacks into supplier or CEO fraud. They can also use data stolen through ATO to increase the success of phone banking fraud and authorized push payment (APP) attacks, which cost banking institutions and their customers tens of billions every year.
Sophistication of Attacks
Multiple phishing-as-a-service (PhaaS) providers rent out sophisticated systems and interfaces for performing authentication attacks. These allow low-skill attackers to pay a small fee and gain all the tools necessary to run and track mass attacks on financial services customers. In addition, these attack kits incorporate several layers of an attack, including smishing and uploading pre-collected personal data, to increase the chances of success and specifically target more vulnerable users. Some kits include MFA bombing services to get around MFA authenticator apps.
Multiple, Disparate Systems and Processes
Many financial services organizations use multiple IdPs, particularly those that have grown through acquisitions. Each may have a different authentication process, with varying levels of security and a different experience for the user. This makes users both more likely to fall for attack lures and more likely to use insecure workarounds, such as keeping their passwords on sticky notes.
While data protection laws such as the GDPR and California’s CCPA apply to all companies, the regulatory burden is even heavier on financial services firms, with additional legislation such as New York’s NYDFS Part 500, guidance set by the FFIEC and PSD2 requirements. The possibility of fines and publication of breaches represents a considerable risk for financial services firms and obligates them to harden their authentication procedures.
The current wave of fraudulent activity actively impacts firms’ relationships with their customers. The study of authentication security in the finance industry mentioned earlier found that 32% of financial services organizations that experienced a breach lost customers to a competitor. It’s also a major obstacle in moving customers to mobile and e-banking, with 74% of customers who don’t use those services stating security as their major concern.
Improving Finance Authentication Security
The underlying thread through all these issues is the weakness of authentication security. Financial services-specific regulations have been clear about the need for MFA as a minimum authentication system for employees and customers. Here we'll look at how financial services firms can improve their authentication security.
- Strong Multi-Factor Authentication (MFA): As mentioned, MFA has moved from best practice to the minimum expected authentication standard. However, certain MFA processes, such as SMS one-time passwords (OTPs), have already been circumvented through specific messages and phone recordings designed to get users to hand over these OTPs. Push fatigue can also cause users to accept push notifications even when they aren't conducting a login.
- Passwordless Authentication for Finance: A critical solution for removing the inherent vulnerabilities of shared secrets and hardening authentication is to eliminate passwords completely. Passwordless authentication for finance creates a phishing-resistant authentication process that protects customers and employees from the vast majority of attack attempts.
- Fast Identity Online (FIDO): The fear among many organizations in transitioning to passwordless authentication for finance is that there is a significant trade-off between security and user experience. Fast Identity Online (FIDO) is an open-standard authentication system created by an alliance of leading technology firms, financial organizations and regulatory bodies such as NIST. FIDO standards were developed with security, user experience and compatibility all top of mind. This is done by leveraging users' own or off-the-shelf devices to fulfill the biometric and possession factors of authentication.
- Strong Authentication for Desktops as Well As Applications: Most authentication and authorization systems focus on controlling access to enterprise systems and services. Access to the laptop, desktop or workstation being used to reach those company assets is often protected with only a password or PIN. Organizations that neglect MFA at the desktop are leaving the front door to their IT resources unlocked. Security teams can significantly harden defenses overall by enabling MFA for workstation, server, VPN and VDI logins.
- Public Key Cryptography: At the end of the day, passwords and shared secrets are vulnerable because they can be phished from users or stolen through data breaches or adversary-in-the-middle attacks. Secure passwordless authentication for finance uses strong public key cryptography to verify identity without the need to share personal information or secrets. A user is issued a public-private key pair and registers the public key with their authentication provider. When challenged for authentication, the user unlocks their private key on their own device to sign the challenge and authenticate. Because the private key is stored locally and never shared, the chance of its being stolen is greatly reduced.
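The challenge-response flow described in the last bullet, as an added example that is not HYPR's code or a FIDO implementation: a Go sketch using Ed25519 in which the server stores only registered public keys and single-use random challenges, and the device signs the challenge together with the origin it sees. The relying-party ID `bank.example` and user `alice` are constructed values; the point is that a replayed signature, a stale challenge, or a signature produced for a lookalike domain is all rejected without any shared secret ever existing on the server.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// signedMessage binds the signature to the reported origin (relying-party ID) and to the
// server's challenge, so a signature produced for a lookalike domain fails at the real one.
func signedMessage(rpID string, challenge []byte) []byte {
	h := sha256.Sum256([]byte(rpID))
	return append(h[:], challenge...)
}

// DeviceSign is the user's side: the private key stays on the device, only the signature leaves.
func DeviceSign(priv ed25519.PrivateKey, rpID string, challenge []byte) []byte {
	return ed25519.Sign(priv, signedMessage(rpID, challenge))
}

// Server is the relying party: it holds only registered public keys and one pending challenge
// per user, so a breach of its store yields nothing that can be replayed as a login.
type Server struct {
	RPID       string
	Users      map[string]ed25519.PublicKey // user -> public key registered at enrollment
	Challenges map[string][]byte
}

// NewChallenge issues 32 fresh random bytes for each login attempt.
func (s *Server) NewChallenge(user string) []byte {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		panic(err)
	}
	s.Challenges[user] = c
	return c
}

// Verify consumes the pending challenge whatever the outcome, so a signature is accepted at most once.
func (s *Server) Verify(user string, sig []byte) error {
	pub, known := s.Users[user]
	c, pending := s.Challenges[user]
	delete(s.Challenges, user)
	if !known || !pending || !ed25519.Verify(pub, signedMessage(s.RPID, c), sig) {
		return errors.New("login rejected: no pending challenge or signature mismatch")
	}
	return nil
}
```

A production deployment would use the WebAuthn client data and authenticator data formats instead of this ad hoc message, but the security properties shown (origin binding, single-use challenges, no server-side secret) are the same ones the bullet relies on.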
Secure Passwordless Authentication for Finance With HYPR
The quantity, sophistication, and severity of cybersecurity threats, especially around authentication, pose major challenges for the financial services industry. HYPR is acutely aware of the struggles of the finance industry to secure customers and employees, meet regulations and reduce organizational risk.
By delivering a supremely flexible FIDO-based solution, HYPR enables passwordless authentication for finance that employees and customers prefer using. Our solution allows fast, seamless desktop-to-cloud login, eliminates security gaps, and creates a phishing-resistant authentication system. To learn more about the state of authentication in the finance industry and how HYPR can help, download the report or schedule a custom demo.