The Password Problem in Financial Services

Today, securing digital identities is more important than ever. It is estimated that the average American internet user has more than 150 online accounts that require passwords. As the pandemic keeps many of us at home, that number likely increased as people adapted to living much of their lives online. COVID-related bank branch closures triggered an uptick of 60 percent in downloads of financial mobile apps, new mobile banking registrations have jumped 200 percent, and mobile banking traffic has risen 85 percent – and online fraud increases right along with it, as criminals find opportunity in chaos.

A 2020 breach exposure report has revealed that more than 2.9 million pairs of emails and passwords for employees at Fortune 1000 financial sector companies are in the hands of cybercriminals. That’s an alarming number, given the volume and sensitivity of information associated with the industry and the fact that for the fourth year in a row, using stolen credentials was the number one hacking tactic for criminals to gain unauthorized access to “secure” enterprise networks.

While security teams at financial institutions go to great lengths to keep corporate accounts and networks secure, problems arise when employees use their company credentials across other personal accounts. SpyCloud research shows that 77 percent of employees at the world’s largest financial services companies have reused passwords across corporate and personal accounts. 

New breaches happen all the time, and amassed stolen credentials usually end up being shared or sold in online criminal markets. Once a criminal acquires exposed login credentials from one breach, they could potentially have the key to unlocking many more lucrative accounts protected by the same username and password. For the enterprise, the danger is when criminals acquire stolen credentials that contain a corporate email domain; it tips them off that they could potentially access the corporate network and all the valuable data within.  

A False Sense of Security

As long as passwords exist, the problem of reuse will continue. There are additional steps that companies can take to shore up security and fraud prevention, but there will always be a human factor and sophisticated cybercriminals who will find a way in. Multi-factor authentication (MFA) can be bypassed, biometrics can be stolen, browsers can be spoofed, and users can be tricked into leaking their credentials through phishing and social engineering.

Many organizations use SMS text messaging for MFA, but criminals have figured out ways to infiltrate cellular carrier networks. With only knowledge of the victim’s cell phone company, they can perpetrate SIM swapping attacks, which transfers the victim’s phone number to their own phone, so they can then get the SMS tokens and log into services. Some criminals will intentionally do this at a time they know the target won’t be on their phone, like when they are sleeping, then swap the phone back so the victim wakes up none the wiser. 

The “passwordless” future where identities are safe and breaches impossible because people will access everything through biometrics is unfortunately still a long way off. While moving to a passwordless authentication process could be more convenient for users, even with biometrics, passwords are still involved. Most applications have a fall back plan and will revert to requesting or resetting a password if a bio scan doesn’t work for some reason. Credentials are still stored, and possible for criminals to breach, even if users aren’t regularly using them to log in.

Prevent fraud and protect the business today

Security is everybody’s responsibility, but practitioners have to empower employees to take appropriate precautions and practice good password hygiene.

• Provide Password Managers – Providing a password management solution for employees will encourage them to create unique, complex passwords for all the services they use. Since risk associated with password reuse is especially high outside the corporate environment, make password managers accessible to your employees for personal accounts as well.

• Drop Ineffective Processes – Requiring users to change their password every 90 days will only drive people to recycle passwords or simply change one character, thinking it is safe. Instead of providing this false sense of security, educate users on the risks associated with criminal activity and provide guidelines for creating strong passwords.

• Continuously monitor credentials and PII – Knowing when your credentials have been exposed by a breach is critical to stopping criminals before they have a chance to act. There are services available that will continuously check whether your credentials, or credentials of your employees, show up in third-party breaches, allowing you to secure accounts before criminals monetize those credentials at the cost of your business and customers.

Ultimately, MFA and biometrics can add a layer of security, but there is no one silver bullet for shutting down account takeover attacks. The best strategy is a layered approach that keeps criminals guessing, encourages employees to practice proper password hygiene, and allows security teams to quickly take action when accounts are compromised.