Not having phishing resistant MFA will come at a cost for the finance industry
With the volume of money handled by the finance industry on any given day, it's no wonder that it is a prime target for cybercriminals. Whilst security in finance is generally better than in other sectors, cybercriminals continue to evolve their methods with the intent to access sensitive data. Moreover, as cybercriminals get more sophisticated, banks and financial institutions are challenged to keep their critical IT systems secure from unauthorised access.
Since the start of the pandemic, financial services institutions have been disproportionately targeted by cyberattacks, representing 25.3% of all attacks, according to a Bank for International Settlements Bulletin.
It is estimated that the average cost of a data breach in financial services is USD$5.72 million, but this doesn't take into account the loss of trust and reputation, or the long-term cost of recovery in setting up new processes to avoid a repeat.
Since the onset of the pandemic, more end users have been using online and mobile channels for their banking needs, and more employees and executives are working from home. This has caused the number of potential victims of cyberattacks to skyrocket.
According to COVID-19 Crime Index 2021, 42 per cent of banks surveyed say the shift to home office work at their institution has led to a decline in IT security.
Maintaining secure access to systems requires strong authentication for all users. Legacy authentication methods, such as a username and password combination or mobile two-factor authentication (2FA), are often used to connect the home office end device to the IT systems.
While financial institutions were early adopters of 2FA, these legacy solutions are now highly vulnerable to account takeovers, phishing, malware, SIM swapping, and man-in-the-middle attacks.
An opportunity to be proactive in managing a costly threat
Financial entities are fully compliant with IT security and data protection requirements and with international mandates and directives for payment services and customer data, such as the Payment Card Industry Data Security Standard (PCI DSS) and the General Data Protection Regulation (GDPR), but there is still a need for improvement.
The Australian Prudential Regulation Authority (APRA) governs publicly listed banks and financial institutions and provides guidelines outlining information security requirements in Australia.
The CPS 234 Information Security (CPS 234) is one APRA standard aiming to ensure that an APRA-regulated company takes measures to manage information security incidents, such as cyber-attacks. It also requires that entities respond in a timely manner to data breaches or other security incidents.
Meanwhile, the Security Legislation Amendment (Critical Infrastructure) Act 2021 requires entities, including banks, to maintain a register of critical infrastructure assets and adhere to the mandatory reporting of any cyber security incidents. But is this enough?
While the frameworks and guidelines we have in Australia are a starting point, we only need to look to the US to see why Australian businesses, especially important ones like financial services, need to do more and be proactive in adopting stronger phishing resistant security methods.
Though not attacks specific to the financial industry, the recent high-profile security breaches and incidents like SolarWinds and the Colonial Pipeline hack were a wake-up call for the US government last year.
Subsequently, in May 2021, President Biden released an executive order mandating all US government agencies to implement MFA within 180 days. Then, in September 2021, the US government issued its Draft Zero Trust Strategy, which requires Federal agencies to only use multi-factor authentication that is phishing resistant.
Moves like these are setting a precedent for the world and ultimately highlight the significance of incorporating MFA technologies and Zero Trust strategies within the financial industry to prevent future attacks.
Phishing resistant MFA, based on public/private key cryptography, significantly reduces the attacker's ability to intercept and replay access codes as there are no shared codes. The authentication action can only occur between the user's device and the specific site they are going to.
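As an added illustration, not code from the article, the following Go program models the origin binding described above in the WebAuthn style: the security key signs the relying-party ID together with client data that carries the browser-supplied origin and the server's one-time challenge, so an assertion minted on a look-alike site, or a reused one, fails the bank's check. The site names, relying-party ID and challenge values are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// clientData is the part of WebAuthn client data that matters here: the challenge
// the server issued and the origin the browser is actually connected to.
type clientData struct {
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}
// NewKey models registration: a fresh per-site key pair whose private half stays on the device.
func NewKey() (*ecdsa.PrivateKey, error) { return ecdsa.GenerateKey(elliptic.P256(), rand.Reader) }

// signedBytes is what the authenticator signs: hash(rpID) || hash(clientDataJSON).
func signedBytes(rpID string, cdJSON []byte) []byte {
	rp, cd := sha256.Sum256([]byte(rpID)), sha256.Sum256(cdJSON)
	d := sha256.Sum256(append(rp[:], cd[:]...))
	return d[:]
}

// Assert models the security key. The browser, not the user, fills in Origin, so a
// look-alike page receives an assertion bound to its own origin, not the bank's.
func Assert(key *ecdsa.PrivateKey, rpID, origin, challenge string) (cdJSON, sig []byte, err error) {
	cdJSON, _ = json.Marshal(clientData{Challenge: challenge, Origin: origin})
	sig, err = ecdsa.SignASN1(rand.Reader, key, signedBytes(rpID, cdJSON))
	return cdJSON, sig, err
}

// Verify is the relying party's check: expected origin, fresh challenge, valid signature.
func Verify(pub *ecdsa.PublicKey, rpID, wantOrigin, wantChallenge string, cdJSON, sig []byte) bool {
	var cd clientData
	if json.Unmarshal(cdJSON, &cd) != nil || cd.Origin != wantOrigin || cd.Challenge != wantChallenge {
		return false
	}
	return ecdsa.VerifyASN1(pub, signedBytes(rpID, cdJSON), sig)
}

func main() {
	key, _ := NewKey()
	rpID, bank, phish := "bank.example", "https://bank.example", "https://bank-login.example" // constructed names
	cd, sig, _ := Assert(key, rpID, bank, "c1")
	fmt.Println("genuine login:     ", Verify(&key.PublicKey, rpID, bank, "c1", cd, sig)) // true
	fmt.Println("replayed challenge:", Verify(&key.PublicKey, rpID, bank, "c2", cd, sig)) // false
	cd, sig, _ = Assert(key, rpID, phish, "c1") // user lured to a look-alike site
	fmt.Println("relayed from phish:", Verify(&key.PublicKey, rpID, bank, "c1", cd, sig)) // false
}
```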
What solution is available?
One recommended method to combat phishing attacks is to use a hardware security key – it requires the user's presence and proof of possession to gain access or log in.
Hardware security keys don't require a network connection, don't need battery power, and don't store data, making them an ideal option for strong phishing resistant authentication. In addition, hardware security keys provide a better user experience than legacy 2FA and MFA because users can log in with a single touch or tap on the security key.
The increase in sophisticated cyberattacks highlights the fundamental change needed in our approach to information security, and why the financial sector should have phishing resistant MFA as part of its systems and procedures.
Will the adoption of phishing resistant MFA be proactively deployed by financial institutions? Or, as happened in the US, will it take a major data breach to force governments to mandate it?
This is an opportunity for the banking and financial services sector to take a leadership position in the industry and proactively tighten guidelines on authentication processes to avoid a costly business lesson.