How to Improve Finance Authentication Security


Financial services companies have long been a popular target for attackers, and the cyber threats they face have increased significantly in recent years. Despite massive security investments, the industry remains dangerously exposed, especially where identity and access management (IAM) vulnerabilities are concerned. Recent statistics and trends show how bad it has gotten.

Critical cybersecurity issues in financial services

Financial services, and in particular their authentication systems, are at increasing risk for a number of reasons.

Legacy authentication easily cracked

Legacy authentication is highly vulnerable to phishing, credential stuffing and password spraying attacks. Traditional 2FA and MFA are more of a nuisance than a hindrance to attackers. Most systems use some form of shared secret as an authentication factor, which means the secret can always be tricked out of the user, stolen or intercepted. Once attackers have defeated the authentication challenges, they can escalate account takeover (ATO) attacks into supplier or CEO fraud. They can also use data stolen via ATO to boost the success of phone banking fraud and authorized push payment (APP) attacks, which cost banking institutions and their customers tens of billions each year.

Sophistication of Attacks

Several Phishing-as-a-Service (PhaaS) providers rent out sophisticated systems and interfaces for carrying out authentication attacks. These allow low-skill attackers to pay a small fee and get all the tools needed to conduct and track mass attacks on financial services customers. These attack kits also contain multiple layers of attack, including uploading pre-collected personal data to increase the chances of success and to target more vulnerable users. Some kits include MFA bombing services to bypass MFA authenticator apps.

Multiple, disparate systems and processes

Many financial services companies use multiple IdPs, especially those that have grown through acquisitions. Each IdP can have a different authentication process, with a different level of security and a different experience for the user. As a result, users are more likely to fall for attack bait and more likely to resort to unsafe workarounds, such as keeping their passwords on sticky notes.

Strict regulation

While privacy laws like GDPR and California’s CCPA apply to all businesses, the regulatory burden on financial services companies is even greater, with additional obligations such as New York’s NYDFS Part 500, guidance set by the FFIEC, and PSD2 requirements. The possibility of fines and the publication of violations pose a significant risk for financial services companies and oblige them to tighten their authentication processes.

Consumer confidence

The current wave of fraudulent activity is actively damaging companies’ relationships with their customers. The aforementioned Financial Industry Authentication Security study found that 32% of financial services companies that experienced a breach lost customers to a competitor. Security is also a major obstacle to customers’ transition to mobile and e-banking: it is the primary concern for 74% of customers who do not use these services.

Improving the security of financial authentication

The root of all these problems is weak authentication security. Financial services regulations have highlighted the need for MFA as the minimum authentication standard for employees and customers. Here we look at how financial services providers can improve their authentication security.

  1. Strong multi-factor authentication (MFA): As previously mentioned, MFA has evolved from best practice to the minimum expected authentication standard. Certain MFA methods, such as SMS one-time passwords (OTPs), have already been bypassed by text messages and recorded phone calls aimed at tricking users into handing over these OTPs. Push fatigue can also cause users to approve push notifications even when they are not signing in.
  2. Passwordless authentication for finance: A critical step toward removing the inherent vulnerabilities of shared secrets and hardening authentication is to eliminate passwords entirely. Passwordless authentication for finance creates a phishing-resistant authentication process that protects customers and employees from most attack attempts.
  3. Fast Identity Online (FIDO): With the transition to passwordless authentication in finance, many organizations worry that there is a significant trade-off between security and user experience. Fast Identity Online (FIDO) is an open standard authentication system developed by an alliance of leading technology companies, financial organizations and regulators such as NIST. FIDO standards are designed with security, user experience and compatibility in mind. This is achieved by using users’ own or off-the-shelf devices to satisfy the biometric and possession factors of authentication.
  4. Strong authentication for desktops and applications: Most authentication and authorization systems focus on controlling access to corporate systems and services. Access to the laptops, desktops or workstations used to reach these corporate resources is often protected only with a password or PIN. Organizations that neglect MFA at the desktop leave the door to their IT resources unlocked. Security teams can significantly strengthen overall defenses by enabling MFA for workstation, server, VPN and VDI logins.
  5. Public Key Cryptography: Ultimately, passwords and shared secrets are vulnerable because they can be phished from users, stolen in data breaches or intercepted in adversary-in-the-middle attacks. Secure passwordless authentication for finance uses strong public key cryptography to verify identity without sharing personal information or secrets. A public-private key pair is created for the user, and the public key is registered with their authentication provider. When prompted to authenticate, the user unlocks the private key on their own device to sign the challenge and prove their identity. Because the private key is stored locally and never shared, the chance of it being stolen is greatly reduced.

Secure passwordless authentication for finance with HYPR

The volume, sophistication, and severity of cybersecurity threats, particularly those related to authentication, pose significant challenges for the financial services industry. HYPR is aware of the financial industry’s efforts to secure customers and employees, comply with regulations and reduce organizational risk.

By providing a highly flexible FIDO-based solution, HYPR enables passwordless authentication for finance that employees and customers prefer to use. Our solution enables fast, seamless desktop-to-cloud login, closes security gaps and creates a phishing-resistant authentication system. To learn more about the state of authentication in the financial industry and how HYPR can help, download the report or schedule a custom demo.


*** This is a Security Bloggers Network syndicated blog from the HYPR blog, written by the HYPR team. Read the original post at: https://blog.hypr.com/how-to-combat-password-fatigue-0
