Turbulence In Banking: Navigating the Cyber Risk
Michael Rothschild, HYPR
4 Min. Read | March 15, 2023
With recent events involving Silicon Valley Bank and Signature Bank fresh in our minds, investors and financial institutions both big and small are looking to reduce exposure and risk.
This bid to reduce risk is to be expected, but it can also increase threats from a security perspective. Cybercriminals are quick to take advantage of disruption and distracting events to launch attacks. Security researchers are already finding suspicious domains and phishing pages, and have confirmed multiple attack campaigns in the wild.
Areas of Increased Risk
Attack risk and exposure have increased in three major areas:
Phishing Frenzy: Hackers will take any opportunity to work current events to their advantage. We are already seeing phishing schemes that prey on individuals who are looking to move their assets. Whether an email, text message or man-in-the-middle attack, hackers launch attacks by pretending to be a representative of the bank. Their sole purpose is to harvest passwords in order to carry out their attack.
Social Engineering: For impacted financial institutions, it is not business as usual. For the immediate future, bank personnel will likely have to alter their normal daily routine to address a variety of non-standard issues. This is fertile ground for cybercriminals to strike via social engineering. Hackers pose as a trusted person such as a coworker, regulator, customer or even the help desk and attempt to extract credentials in order to get into the bank and carry out an attack.
Brute Force: While banking personnel are working outside their routine, the hacker will typically take advantage of the distraction to launch an attack via brute force or password spraying. Using a library of terms, the hacker will rapidly attempt the most common passwords and those taken in data breaches via a highly automated technique until access is granted. This is very effective under normal circumstances. Under less-than-ideal circumstances, where security staff may be distracted because they are repurposed in other areas, initial reconnaissance and attack attempts may be missed, increasing the success rate of an attack.
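The brute-force and password-spraying patterns described above leave a recognisable trace in authentication logs even when staff are distracted: spraying shows as one source failing once against many accounts, brute force as one source failing many times against one account. The following is an added example, not HYPR's code or anything from the original article; the log format, IP addresses, usernames and thresholds are all constructed for illustration.

```python
"""Added example (not HYPR's code): flag password-spraying and brute-force
patterns in constructed authentication log lines, and list accounts that
logged in successfully from a flagged source."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample log lines (hypothetical format): ISO timestamp, source IP,
# username, outcome. 203.0.113.7 sprays one guess across many accounts and hits
# one; 198.51.100.9 hammers a single account; 192.0.2.1 is a user with a typo.
SAMPLE_LOG = """\
2023-03-15T09:00:01Z src=203.0.113.7 user=alice result=FAIL
2023-03-15T09:00:02Z src=203.0.113.7 user=bob result=FAIL
2023-03-15T09:00:03Z src=203.0.113.7 user=carol result=FAIL
2023-03-15T09:00:04Z src=203.0.113.7 user=dave result=FAIL
2023-03-15T09:00:05Z src=203.0.113.7 user=erin result=FAIL
2023-03-15T09:00:06Z src=203.0.113.7 user=frank result=SUCCESS
2023-03-15T09:05:00Z src=198.51.100.9 user=treasury-ops result=FAIL
2023-03-15T09:05:01Z src=198.51.100.9 user=treasury-ops result=FAIL
2023-03-15T09:05:02Z src=198.51.100.9 user=treasury-ops result=FAIL
2023-03-15T09:05:03Z src=198.51.100.9 user=treasury-ops result=FAIL
2023-03-15T09:05:04Z src=198.51.100.9 user=treasury-ops result=FAIL
2023-03-15T09:05:05Z src=198.51.100.9 user=treasury-ops result=FAIL
2023-03-15T09:10:00Z src=192.0.2.1 user=grace result=FAIL
2023-03-15T09:10:20Z src=192.0.2.1 user=grace result=SUCCESS
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$"
)


def parse_log(text):
    """Parse the constructed format into (timestamp, src, user, result) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than crash the detector
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["src"], m["user"], m["result"]))
    return events


def detect(events, window=timedelta(minutes=10), spray_users=5, brute_fails=5):
    """Return {src: finding} for sources whose failed logins inside a sliding
    window look like spraying (many distinct users, roughly one failure each)
    or brute force (many failures against one user). Thresholds are assumed
    values; tune them to the real login volume."""
    fails_by_src = defaultdict(list)
    for ts, src, user, result in events:
        if result == "FAIL":
            fails_by_src[src].append((ts, user))

    findings = {}
    for src, fails in fails_by_src.items():
        fails.sort()
        for i, (start, _) in enumerate(fails):
            # every failure from this source within `window` of the i-th one
            in_window = [u for ts, u in fails[i:] if ts - start <= window]
            per_user = Counter(in_window)
            summary = {"users": len(per_user), "attempts": len(in_window)}
            if len(per_user) >= spray_users:
                findings[src] = {"type": "password_spray", **summary}
                break
            if max(per_user.values()) >= brute_fails:
                findings[src] = {"type": "brute_force", **summary}
                break
    return findings


def successes_from_flagged_sources(events, findings):
    """Accounts that logged in successfully from a flagged source: the guess
    landed, so those accounts need a credential reset and session review."""
    return sorted({user for _, src, user, result in events
                   if src in findings and result == "SUCCESS"})


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    found = detect(evs)
    for src, finding in found.items():
        print(src, finding)
    print("review these accounts:", successes_from_flagged_sources(evs, found))
```

The two patterns need different thresholds because a spray deliberately stays under per-account lockout limits, so counting failures per account (the usual lockout logic) never fires; counting distinct accounts per source does. The last function turns a detection into the follow-up the SOC actually needs: which accounts were actually reached.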
The Password Pitfall
What do all of these attack methods have in common? They all exploit passwords. For more than six decades, passwords have been the go-to for authentication. Over time we added things to passwords to make them “more secure” such as hardware tokens, one-time passwords and push notifications. However, these just introduce another step without bringing much protection — as any of the companies breached through their MFA last year can attest.
The undeniable fact is that passwords have failed at scale. Any system that relies on a password, whether on the front end or through backend processes, puts an organization at risk.
With the recent announcements by Apple, Microsoft and Google endorsing “passkeys,” passwordless authentication is becoming consumerized. As an individual, you likely have already gone the passwordless authentication route in certain areas of your life. Think about how you log in to your smartphone. Do you use a password or a biometric such as a fingerprint or your face? More importantly, would you ever want to go back to inputting a password to get into your phone?
What Finance Organizations Can Do
The latest jitters in banking create a perfect storm for hackers to take advantage of. As organizations endeavor to reduce risk while also retaining customers, there is also a perfect opportunity for banks to stabilize and strengthen their position.
Exercise Diligence: The idea of “if you see something, say something” is apt here. If something seems off about an email, link or phone call, it probably is. Redoubling efforts and exercising ongoing diligence at every level of the organization, from the C-suite down to every employee and customer, is crucial, and it is among the most impactful areas that are often overlooked.
Reduce Exposure: Eliminate passwords everywhere. Deploy passwordless MFA for employees, partners and customers, and reduce the risk associated with passwords. With passwordless MFA, you’ll be using a phishing-resistant authentication solution recommended by CISA and other standards-setting organizations, and you’ll be well on your way to aligning with security frameworks such as Zero Trust and MITRE ATT&CK.
Enhance Usability: Passwordless MFA at the organizational level (sometimes called enterprise passkeys) enhances the login experience. Rather than having to log in with passwords for every operation during the day, resetting passwords and forgetting passwords, enterprise passkeys eliminate the password and create a frictionless user experience. This not only increases authentication security, but it also increases employee productivity and customer satisfaction.
Understand the Value: Eliminating passwords from authentication can increase efficiencies and reduce associated costs, including helpdesk overhead for password resets and employee downtime. Reducing the attack surface also directly translates to fewer investigations (and even fewer responses) by the SOC.
Charting the Course
Now is the time to redouble efforts to reduce risk. There will always be distractions in varying industries that hackers will endeavor to take advantage of. Employee and customer education combined with reducing security risk can close the attack vectors that hackers are using. The consumerization of “jettisoning the password” with the introduction of passkeys makes it the perfect time to introduce passwordless authentication to your workforce and customers. As was the case with logging into your cell phone, once you make the change, you’ll never look back.