
Strengthening the Financial Sector Through Authentication and Regulation

At the beginning of 2024, the U.S. Treasury Department’s Financial Crimes Enforcement Network (FinCEN) published a report quantifying the impact of weak identity solutions on our financial system. This is the first time a federal agency has made an effort to quantify the impact of compromised credentials on the US financial system. According to the report, 1.6M cases and $212B in suspicious identity activity were identified – with $112B tied to authentication alone. It’s clear the financial services industry is under attack, and serious security improvements need to be made.

Social engineering attacks and other threats are becoming more sophisticated in a rapidly evolving technological landscape, and the U.S. financial industry is already grappling with authentication challenges. According to a 2022 HYPR report, 80% of surveyed organizations had experienced a breach related to a weakness in authentication. Companies and the government must work together to reduce the frequency and impact of financial crimes and to find the right solutions for identity verification.


The challenge

Weak user authentication methods are still common in the financial sector: passwords remain the primary line of defense despite their well-known susceptibility to theft, guessing and phishing. Passwords have serious shortcomings from both a security and a convenience perspective.

Many passwords are reused and easy to guess. Reuse means a password exposed in one breach can be replayed against every other account that shares it (credential stuffing), and guessable passwords fall to dictionary attacks. According to a Google Harris Poll, two-thirds of Americans use the same password across multiple accounts. For passwords to be secure they must be unique to each application and hard to guess, and it is no secret that this comes at the expense of convenience: remembering and tracking many complex passwords is a burden for the average user. Alternatives such as one-time passwords delivered via SMS ease that burden, because the user has nothing extra to memorize.

Though useful, one-time passwords carry security risks of their own. SMS messages can be intercepted by malware on the user's phone, redirected by a SIM swap of the user's number, or captured through weaknesses in Signaling System 7 (SS7), the protocol mobile networks use to exchange routing information and deliver SMS. More fundamentally, any code the user types or approves can be phished in real time: a fake login page forwards the user's password and OTP to the genuine site within the code's validity window, so SMS, authenticator-app and push-approval MFA all fail against a sophisticated social-engineering attack. To truly remain secure, the financial sector needs phishing-resistant identity verification and authentication, coupled with federal regulation that mandates it.

Striking a balance between security and convenience

As the need for stronger security grows across the industry, financial institutions must not lose sight of user experience and convenience. Some security measures add friction or extra steps that interrupt the flow of a transaction or interaction. Phishing-resistant, passwordless authentication makes it easier to satisfy both goals, because these methods are not only more secure but also more convenient than passwords. Their defining property is that there is no reusable secret for a phishing site to capture: the credential is a key pair bound to the genuine site's origin, and each login is a signature over a one-time challenge, so a response obtained by a look-alike site (if the browser produces one at all) is rejected by the genuine application. Passwordless methods rely on possession factors, such as a security key or the user's mobile device, and inherence factors, such as face or fingerprint biometrics, rather than on something the user must remember and could be tricked into disclosing.

A prime example is authentication based on the standards of the FIDO (Fast Identity Online) Alliance, a global industry body whose members include leading technology companies, government agencies, service providers, financial institutions and payment processors. The current FIDO2 standards, the W3C Web Authentication (WebAuthn) API and the Client to Authenticator Protocol (CTAP), aim to replace passwords with public-key credentials (now commonly called passkeys) on desktops and mobile devices.

In addition, continuous and adaptive authentication helps counter more advanced threats. These mechanisms monitor the session and assess risk signals such as user behavior (typing cadence, the times at which the user is normally active) and network and device characteristics (IP address, geolocation, operating system version). When the risk score rises, authentication requirements are adjusted dynamically, and a high-risk action triggers a step-up challenge. Because the monitoring is transparent to the user, it helps strike the balance between security and convenience. Two caveats apply: behavioral signals are probabilistic and will produce false positives, and the step-up challenge itself should be phishing-resistant, otherwise an attacker who triggers step-up simply phishes the weaker factor.

The need for new federal regulations

While regulations requiring phishing-resistant methods are already in place for federal agencies, financial service organizations must follow suit to uphold their reputation, maintain customer trust, and protect their bottom line. Strides have been made for government agencies: Executive Order 14028 of May 2021 required agencies to adopt multi-factor authentication, and OMB Memorandum M-22-09 of January 2022 required that MFA to be phishing-resistant. In comparison, the financial services sector is lagging in regulation and needs serious improvement. Introducing requirements for banks to deploy phishing-resistant authentication, in particular, is critical to the industry's future.

Regulatory bodies in the U.S. should continue to set ambitious targets for the security of online banking applications, as regulators in Asia and Europe (for example, the Strong Customer Authentication requirement under the EU's PSD2) and the U.S. federal government have done for several years. On the federal side, the Federal Information Security Modernization Act (FISMA) requires agencies to develop, document, and implement information security programs for their own information and information systems; it does not reach commercial online banking, which is exactly the gap financial regulators should close. They need not prescribe specific solutions; outcome-based requirements, such as phishing resistance for customer authentication, are enough.

The alarming statistics the U.S. Treasury Department revealed this year underscore the urgent need for robust, tighter measures in the financial sector. With billions at stake and millions of cases of suspicious identity activity, it’s clear that relying on outdated methods is no longer an option. The solution lies in implementing more stringent identity verification protocols while advocating for regulatory mandates for phishing-resistant authentication. By striking a balance between security and convenience through innovative methods like passwordless authentication and continuous risk assessment, financial institutions can stay secure against evolving threats. It’s time for the financial services sector to prioritize security, uphold customer trust, and align with global standards. That’s the key to safeguarding the integrity of our financial system.
