Today, securing digital identities is more important than ever. It is estimated that the average American internet user has more than 150 online accounts that require passwords. As the pandemic keeps many of us at home, that number likely increased as people adapted to living much of their lives online. COVID-related bank branch closures triggered an uptick of 60 percent in downloads of financial mobile apps, new mobile banking registrations have jumped 200 percent, and mobile banking traffic has risen 85 percent – and online fraud increases right along with it, as criminals find opportunity in chaos.
A 2020 breach exposure report has revealed that more than 2.9 million pairs of emails and passwords for employees at Fortune 1000 financial sector companies are in the hands of cybercriminals. That’s an alarming number, given the volume and sensitivity of information associated with the industry and the fact that for the fourth year in a row, using stolen credentials was the number one hacking tactic for criminals to gain unauthorized access to “secure” enterprise networks.
While security teams at financial institutions go to great lengths to keep corporate accounts and networks secure, problems arise when employees use their company credentials across other personal accounts. SpyCloud research shows that 77 percent of employees at the world’s largest financial services companies have reused passwords across corporate and personal accounts.
New breaches happen all the time, and the stolen credentials are eventually shared or sold in online criminal markets. Once a criminal holds a working email and password from one breach, replaying that pair against other services (credential stuffing) can open every other account protected by the same username and password, including far more lucrative ones. For the enterprise, the danger is a stolen credential that carries a corporate email domain: it tips the criminal off that the same pair may open the corporate network and all the valuable data within.
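The two checks a security team can run against this cascade, as an added example that is not part of the original article: first, scan a breach dump for entries carrying the corporate email domain (the signal that points criminals at the corporate network), and second, test a password a user is setting or submitting against the dump without ever sending the password itself, using the SHA-1 prefix (k-anonymity) scheme of the Have I Been Pwned Pwned Passwords range API. The dump lines, domain names and function names below are constructed for illustration.

```python
"""Added example: defender-side checks against a constructed breach dump.
1) exposed_corporate_identities(): which corporate accounts appear in the dump.
2) compromised_count(): is a given password in the dump, checked by sending
   only the first 5 hex characters of its SHA-1 (k-anonymity range query)."""
import hashlib
from collections import defaultdict

# Constructed sample of a breach dump as traded on criminal markets
# (email:password pairs). Domains are reserved example names.
BREACH_DUMP = """\
alice@corp.example:Summer2020!
bob@personalmail.example:hunter2
carol@corp.example:Welcome123
dave@corp.example:Welcome123
erin@personalmail.example:letmein
""".splitlines()


def parse_dump(lines):
    """Yield (email, password) pairs; skip malformed lines rather than crash.
    Split on the first colon only, since passwords may contain colons."""
    for line in lines:
        email, sep, password = line.partition(":")
        if sep and "@" in email and password:
            yield email.strip().lower(), password


def exposed_corporate_identities(lines, domain):
    """Emails in the dump that belong to `domain`: the accounts to force-reset."""
    domain = domain.lower()
    return sorted({e for e, _ in parse_dump(lines) if e.endswith("@" + domain)})


def sha1_hex(password):
    """Uppercase hex SHA-1, the representation used by the range API."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(lines):
    """Index SHA-1 hashes by 5-hex-char prefix, like a Pwned Passwords mirror.
    Value is {suffix: occurrence count}."""
    index = defaultdict(dict)
    for _, password in parse_dump(lines):
        h = sha1_hex(password)
        bucket = index[h[:5]]
        bucket[h[5:]] = bucket.get(h[5:], 0) + 1
    return index


RANGE_INDEX = build_range_index(BREACH_DUMP)


def query_range(prefix):
    """Server side of a range query: returns {suffix: count} for one prefix.
    The server learns only 20 bits of the hash, never the password."""
    if len(prefix) != 5:
        raise ValueError("range queries take exactly 5 hex characters")
    return dict(RANGE_INDEX.get(prefix.upper(), {}))


def compromised_count(password):
    """Client side: send the prefix, finish the match locally. Returns how
    many times the password appears in the dump (0 = not seen)."""
    h = sha1_hex(password)
    return query_range(h[:5]).get(h[5:], 0)


if __name__ == "__main__":
    print("exposed corporate accounts:",
          exposed_corporate_identities(BREACH_DUMP, "corp.example"))
    for pw in ["Welcome123", "correct horse battery staple"]:
        print(f"{pw!r}: seen {compromised_count(pw)} time(s) in dump")
```

Against a real corpus the range lookup is an HTTP call that returns thousands of suffixes per prefix; the local matching step is what keeps the password out of the request. A non-zero count at password-set time is a reason to reject the password, and a hit for an account that is also in the corporate-domain list is a reason to reset it now rather than at the next rotation.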
A False Sense of Security
As long as passwords exist, the problem of reuse will continue. There are additional steps that companies can take to shore up security and fraud prevention, but there will always be a human factor and sophisticated cybercriminals who will find a way in. Multi-factor authentication (MFA) can be bypassed, biometrics can be stolen, browsers can be spoofed, and users can be tricked into leaking their credentials through phishing and social engineering.
Many organizations use SMS text messaging for MFA, but the phone number it relies on is controlled by the carrier, not by the user. In a SIM swapping attack the criminal, knowing the victim’s carrier and enough personal details to pass its identity checks, persuades (or bribes) carrier staff to move the victim’s phone number to a SIM the criminal controls; from then on the SMS codes arrive on the attacker’s phone and can be used to log into the victim’s services. Some criminals time the swap for when the target will not notice, such as while they are sleeping, then have the number moved back so the victim wakes up none the wiser. A code delivered over the phone network is only as strong as the carrier’s account-recovery process; phishing-resistant factors such as hardware security keys are not affected by a number transfer.
The “passwordless” future, in which identities are safe and breaches impossible because people access everything through biometrics, is unfortunately still a long way off. Passwordless authentication may be more convenient for users, but even with biometrics, passwords are still involved. Most applications keep a fallback and will revert to requesting or resetting a password when a biometric scan fails for some reason. Credentials are still stored and still available for criminals to breach, even if users rarely type them, and an account is only as secure as its weakest recovery path.
Prevent fraud and protect the business today
Security is everybody’s responsibility, but practitioners have to empower employees to take appropriate precautions and practice good password hygiene.
Ultimately, MFA and biometrics can add a layer of security, but there is no one silver bullet for shutting down account takeover attacks. The best strategy is a layered approach that keeps criminals guessing, encourages employees to practice proper password hygiene, and allows security teams to quickly take action when accounts are compromised.
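The detection layer of that approach, as an added example that is not part of the original article: credential stuffing leaves a recognisable shape in authentication logs, one source trying many distinct usernames in a short window with a low success rate, and the few successes in that burst are the accounts that need to be locked and reset. The log format, the line samples and the function names below are constructed; real IdP, VPN or WAF logs need their own parser but the same per-source statistics.

```python
"""Added example: flag credential-stuffing traffic in authentication logs and
list the accounts that were successfully taken over from a flagged source."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log lines. 203.0.113.0/24 and 198.51.100.0/24 are documentation
# address ranges. The first source replays a credential list; the second is a
# legitimate user who mistypes once and then logs in.
AUTH_LOG = """\
2020-11-03T02:14:05Z ip=203.0.113.7 user=alice@corp.example result=FAIL
2020-11-03T02:14:06Z ip=203.0.113.7 user=bob@corp.example result=FAIL
2020-11-03T02:14:06Z ip=203.0.113.7 user=carol@corp.example result=FAIL
2020-11-03T02:14:07Z ip=203.0.113.7 user=dave@corp.example result=SUCCESS
2020-11-03T02:14:08Z ip=203.0.113.7 user=erin@corp.example result=FAIL
2020-11-03T02:14:09Z ip=203.0.113.7 user=frank@corp.example result=FAIL
2020-11-03T08:30:00Z ip=198.51.100.22 user=alice@corp.example result=FAIL
2020-11-03T08:30:20Z ip=198.51.100.22 user=alice@corp.example result=SUCCESS
""".splitlines()


def parse_line(line):
    """Parse one constructed log line into a dict with a datetime timestamp."""
    ts_str, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return {
        "ts": datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ"),
        "ip": kv["ip"],
        "user": kv["user"],
        "result": kv["result"],
    }


def detect_stuffing(lines, min_users=5, max_success_rate=0.2,
                    window=timedelta(minutes=10)):
    """Per source IP, look for a time window in which at least `min_users`
    distinct usernames were tried with a success rate at or below
    `max_success_rate`: the shape of a replayed credential list.
    Returns {ip: {"attempts", "distinct_users", "successes", "compromised"}}."""
    by_ip = defaultdict(list)
    for ev in map(parse_line, lines):
        by_ip[ev["ip"]].append(ev)

    findings = {}
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e["ts"])
        j = 0
        # Sliding window over sorted events; j only moves forward.
        for i in range(len(events)):
            while j < len(events) and events[j]["ts"] - events[i]["ts"] <= window:
                j += 1
            span = events[i:j]
            users = {e["user"] for e in span}
            successes = [e["user"] for e in span if e["result"] == "SUCCESS"]
            if len(users) >= min_users and len(successes) / len(span) <= max_success_rate:
                findings[ip] = {
                    "attempts": len(span),
                    "distinct_users": len(users),
                    "successes": len(successes),
                    # Accounts that accepted a replayed credential: lock and reset.
                    "compromised": sorted(set(successes)),
                }
                break
    return findings


if __name__ == "__main__":
    for ip, f in detect_stuffing(AUTH_LOG).items():
        print(f"{ip}: {f['distinct_users']} users in {f['attempts']} attempts, "
              f"compromised={f['compromised']}")
```

The thresholds are the tuning knobs: a shared corporate NAT address will legitimately show many distinct users, so in production the rule is usually paired with a per-user-agent or per-ASN split and a baseline of the source’s normal user count. The point the example makes is that the successful login inside a failing burst is the compromise to act on, not the failures.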
This content is provided by an external author without editing by Finextra. It expresses the views and opinions of the author.