As financial fraud continues to climb, entering the third year of this brave new world of on-again, off-again remote work and heightened dependence on digital financial services, experts say that this year will force the industry to change its approach on many security fronts, especially authentication.
For years, financial firms, financial technology start-ups, and third-party vendors have bandied about their concerns regarding passwords, their desire for a convenient multifactor authentication (MFA), and their hopes that employees and customers alike would do their best to embrace cyber technologies and protect their data and their systems. But the sudden shift to working and banking (and investing and buying and getting financial advice) from home, coupled with the stress of the overriding pandemic, put an initial and unanticipated strain on digital financial networks, corporate financial systems, and the people who use them.
Entering year three, the financial industry appears to be accepting this new reality of digital finance and the fraud that has followed, and seems more prepared to mitigate the risks and improve employee and customer identity management, according to financial cyber experts.
“Any authentication factor that relies on the user inputting personal information is more vulnerable to social engineering attacks,” said André Ferraz, founder and CEO of Incognia, a zero-factor authentication provider. Ferraz cited a Javelin Research finding that in 2020 alone (the first year of the pandemic and the subsequent fraud bump), 80% of U.S. fraud losses were still the result of all-too-effective social engineering scams, which have also been boosted by the proliferation of dozens, if not hundreds, of new tools aimed at automating fraud.
“Authentication factors such as passwords, biometrics and SMS-based one-time passwords are highly vulnerable,” Ferraz maintained. For instance, according to Incognia's FinTech mobile report, 17 of the top 20 finance applications in the U.S. “rely on SMS as the secondary authentication factor and many still rely on passwords as the primary authentication factor,” he said. “Therefore, companies need to adopt technologies that enable them to proactively detect fraud instead of depending on the end user's action, given that most people are not cybersecurity experts.”
Similarly, PerimeterX Co-founder and Chief Technology Officer Ido Safruti pointed out that legacy security solutions “designed to prevent account takeover (ATO) attacks generally focus on one primary activity: login. They ask for credentials, serve up CAPTCHAs and, where possible, leverage multifactor authentication (MFA) to verify that the right credentials are being used.”
“Unfortunately,” Safruti said, “account fraud isn’t that simple.”
These conventional authentication methods have been handicapped because validated credentials and account access “can be acquired in ways that won’t be detected by credential stuffing protection,” he added, pointing to increasingly popular methods including malware that steals access tokens or keystrokes, social engineering, phishing, PII harvesting, or even just purchasing a list of validated usernames and passwords on the dark web.
Bypassing multifactor authentication
In these cases, where fraudsters hold the correct credentials, they can typically get past even MFA login checks, or bypass login altogether by replaying access tokens stolen by malware.
“This allows fraudsters to take over accounts and abuse them in a number of ways, such as stealing credit card information, changing account details including ship-to information and depleting loyalty points or credits accrued in the account,” Safruti said. “Once an account has successfully been accessed, downstream checks often don't exist. We call this the 'post-login wasteland.'”
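One form the missing downstream checks could take, as an added example (not code from PerimeterX or from the article): a post-login risk score that steps up to a FIDO2 re-authentication, or blocks outright, before the account-changing actions Safruti lists, so a replayed token does not get a free pass after login. The action weights, thresholds and the sample session are constructed for illustration.

```python
"""Post-login risk checks: re-verify before an account-changing action rather
than trusting the login alone."""
from dataclasses import dataclass

# Actions named as post-login abuse targets; the weights are constructed for this example.
ACTION_RISK = {
    "view_balance": 0,
    "redeem_loyalty_points": 2,
    "change_shipping_address": 3,
    "add_payment_card": 3,
}
PHISHABLE_FACTORS = {"password", "sms_otp"}   # replayable or socially engineered


@dataclass
class Session:
    user: str
    login_factor: str      # "password", "sms_otp" or "fido2"
    device_bound: bool     # token presented from the device it was issued to
    ip_country: str
    home_country: str
    age_seconds: int       # time since the session token was issued


def risk_score(session: Session, action: str) -> int:
    score = ACTION_RISK.get(action, 3)            # unknown actions are treated as sensitive
    if not session.device_bound:
        score += 3                                # token replayed from another device
    if session.ip_country != session.home_country:
        score += 2
    if session.login_factor in PHISHABLE_FACTORS:
        score += 1
    if session.age_seconds > 8 * 3600:
        score += 1                                # long-lived token: wider replay window
    return score


def decide(session: Session, action: str) -> str:
    """Return 'allow', 'step_up' (require FIDO2 re-authentication) or 'block'."""
    if ACTION_RISK.get(action, 3) == 0 and session.device_bound:
        return "allow"                            # read-only from the bound device
    score = risk_score(session, action)
    if score >= 8:
        return "block"
    if score >= 4:
        return "step_up"
    return "allow"


def audit_session(session: Session, actions: list) -> dict:
    """Decide every action in one session and flag a chain of sensitive changes."""
    decisions = {a: decide(session, a) for a in actions}
    sensitive = [a for a in actions if ACTION_RISK.get(a, 3) >= 2]
    return {"decisions": decisions, "chained_changes": len(sensitive) >= 2}


if __name__ == "__main__":
    # Constructed sample: valid credentials, but the token arrives from an unbound device abroad.
    hijacked = Session("alice", "sms_otp", False, "RO", "US", 9 * 3600)
    print(audit_session(hijacked, ["view_balance", "change_shipping_address", "add_payment_card"]))
```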
Jerome Becquart, COO of Axiad, which advises financial organizations on identity and access management, also predicted the financial industry will have to move beyond seeing MFA as a panacea for increased fraud and breaches.
“With the increased adoption of MFA across the financial industry, we will see an increased volume of attacks on the next weakest link, account recovery,” Becquart said, “which typically tends to fall back to weak authentication methods such as password or knowledge-based authentication (KBA) such as 'what is your mother’s maiden name?'”
With that in mind, more financial organizations are looking at implementing passwordless authentication for their different user populations and for all use cases, according to Becquart. “At the same time, they don’t want to deal with the added complexity and cost of maintaining many different authentication solutions for their internal user needs, partners, and customers.”
In the end, Becquart predicted this would push financial players to “consolidate their MFA and PKI needs” and adopt authentication platforms that can address their various needs.
“Don’t settle for replacing only 80% of your passwords,” Becquart concluded. “Real security will only come once you retire all passwords. Leverage new standards like FIDO2 as much as possible, and use legacy MFA for everything else; select solutions that can seamlessly support both.”