In late 2023, the U.S. subsidiary of the Industrial and Commercial Bank of China was hit with ransomware, creating a ripple effect across the U.S. Treasury market. In February 2024, Bank of America reported a breach affecting 57,000 account holders that stemmed from the compromise of a third-party software provider. And as recently as June 2024, a ransomware attack that the attackers advertised as a breach of the US Federal Reserve in fact hit Evolve Bank & Trust, with the group claiming to have leaked 33 TB of sensitive data belonging to thousands of customers. All of these attacks have one thing in common: they are tied to LockBit, one of the most prolific organized cybercrime groups, known for its ransomware toolkits and a history of exploiting stolen credentials. Despite a coordinated law-enforcement takedown that was years in the making, LockBit continues to be a significant threat.

For the financial sector, which in 2023 surpassed healthcare as both the most breached and the most attacked industry, these risks and trends are a top concern. While it may seem that threat actors are quick to find new points of attack, the reality is that old tactics like phishing remain extremely successful: 80% of cyber attacks involve stolen login credentials. These attacks are harder to spot than they used to be, often backed by AI systems that scrape the internet to make campaigns more convincing. And they work.

Today, most attacks (74%) can be tied to the human element, including the use of stolen credentials, privilege misuse and phishing. According to reports, individuals working in finance are the second most likely to open a phishing email. Unfortunately, generative AI (genAI) will only accelerate these trends. While generative AI has well-known benefits, bad actors can use it to write customized phishing emails at massive scale or to place scam phone calls to thousands of people at once. By automating the most time-, skill- and labor-intensive parts of running a phishing campaign, generative AI makes it possible to dramatically increase the number of attacks and lowers the bar for less capable attackers to get involved. As FTC Chair Lina M. Khan recently noted, the agency is already seeing AI used to “turbocharge” fraud and scams, impersonating individuals with “eerie precision and at a much wider scale.”

While phishing attacks may become harder to spot, the anatomy of a phishing attack is always the same: an attacker sends an email or text message to a user who has access to corporate systems and tricks the user into entering their password and, if one is requested, their second-factor one-time passcode (OTP) into a website the attacker controls. Because nothing ties a password or an OTP to the site it was typed into, the attacker can relay those credentials to the real system within seconds and use the resulting access directly, to compromise further users, or to deploy malware or ransomware.

These attacks expose individual banks, credit unions, investment firms and credit card organizations to potential loss of consumer trust, financial risk and the threat of regulatory action, but they can also lead to more systemic operational disruptions.


Tighter security regulations draw focus to adopting modern, phishing-resistant authentication solutions

Effective cybersecurity is about solving the right problems at the right time. There are hundreds of recommended actions across the top regulatory security bodies, much of it conflicting or dated, so it is easy for security advice to feel burdensome or to fall out of sync with the current threat landscape. However, we are seeing new and revised regulations take note of today's threats and of the risks that arise where employees, third parties and customers interact with systems.

The latest revision, PCI DSS 4.0, speaks to the need to tie digital identities to individuals, to prove that identity at regular intervals, and to implement strong multi-factor authentication (MFA) in line with best practices. Both the FTC and PCI DSS 4.0 call for MFA that meets NIST Special Publication 800-63's definition of phishing-resistant MFA, which includes FIDO2/WebAuthn-based authentication and smart card authentication.

Across financial services, account lockouts and takeovers caused by phishing and credential theft demonstrate the need (and now the requirement) for strong, phishing-resistant MFA. PCI DSS goes one step further and acknowledges (in Requirement 12) the need to reduce reliance on what users know, asking organizations to consider how users interact with systems and how to make authentication as easy as possible. That question matters most when authenticating to shared workstations in call center and retail banking environments, or when re-authenticating to reach sensitive data or to complete high-risk transactions.

When thinking about an authentication solution, it is important to consider a solution that is user-centric, strongly tied to identity, and phishing-resistant. All of these considerations point toward establishing an authentication strategy that opens the door to a passwordless future. 


Strong, modern authentication is a cornerstone to the passwordless future 

Eliminating traditional passwords and legacy MFA tools like one-time passcodes (OTPs) should be the end goal of any organization's authentication program. Every company is at a different point on the journey to passwordless, often held back by legacy systems, hardware or third parties that do not yet support modern authentication. But every move away from passwords and legacy MFA is a move in the right direction.

With recent advancements in passwordless authentication, including new on-device authenticators, the way an organization establishes and manages a user's identity credential throughout its lifecycle has evolved to meet these challenges. To truly prevent phishing attacks, organizations must do more than invest in phishing-resistant authentication technology: they must focus on making the users themselves phishing-resistant, protected by authentication that travels with them across devices, platforms and scenarios and leaves no phishable fallback behind.

Phishing-resistant MFA built on the FIDO2/WebAuthn standard, such as physical security keys like the YubiKey, is the first step toward meeting today's regulatory requirements and shutting down phishing attacks: the credential is bound to the legitimate site's origin, so a look-alike domain cannot obtain an assertion the real site will accept. From there, organizations can use FIDO2 passwordless credentials, now known as passkeys, to eliminate passwords entirely, both at login and across the rest of the authentication lifecycle. Device-bound passkeys like the YubiKey let organizations foster phishing-resistant users by securing every stage of the online account lifecycle, including onboarding, authentication and account recovery; a password or OTP fallback left in any one of those paths gives a phisher a way around the key.
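The relay described in the phishing anatomy above, and the origin binding that lets a FIDO2/WebAuthn credential resist it, as an added Python model that is not part of the original post and not Yubico's code. The bank and look-alike domains, the TOTP secret and the challenges are constructed for the demo. The TOTP function is a real RFC 6238 implementation; the authenticator's ECDSA signature is replaced by an HMAC stand-in so the script runs on the standard library alone, which does not change what is being shown (what the authenticator signs, and what the relying party checks).

```python
"""Relayed TOTP vs. relayed WebAuthn assertion (added example, not Yubico code).
Domains, secrets and challenges are constructed. The assertion signature is
an HMAC stand-in for ECDSA; the RP checks mirror WebAuthn assertion
verification (type, challenge, origin, rpIdHash, signature over both)."""
import base64
import hashlib
import hmac
import json
import os
import struct

BANK_ORIGIN = "https://online.examplebank.test"           # constructed
BANK_RPID = "online.examplebank.test"
PHISH_ORIGIN = "https://online-examplebank-secure.test"   # constructed look-alike


# ---- Legacy MFA: RFC 6238 TOTP --------------------------------------------
def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """The code depends only on key and time, never on the site it is typed into."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def bank_verify_totp(secret: bytes, code: str, unix_time: int, skew_steps: int = 1) -> bool:
    """Verifier accepts the current step and +/- skew_steps, as most deployments do."""
    return any(hmac.compare_digest(totp(secret, unix_time + d * 30), code)
               for d in range(-skew_steps, skew_steps + 1))


def phish_relay_totp(secret: bytes, now: int) -> bool:
    """Victim types the code into the look-alike page; the attacker forwards it
    to the real bank five seconds later. True means the bank accepted it."""
    code_typed_into_phish_page = totp(secret, now)
    return bank_verify_totp(secret, code_typed_into_phish_page, now + 5)


# ---- FIDO2/WebAuthn assertion ---------------------------------------------
class Authenticator:
    """Credentials are scoped to the RP ID they were created for."""

    def __init__(self):
        self._creds = {}  # (rp_id, credential_id) -> key

    def make_credential(self, rp_id: str):
        cred_id, key = os.urandom(16), os.urandom(32)
        self._creds[(rp_id, cred_id)] = key
        return cred_id, key  # key plays the role of the public key handed to the RP

    def get_assertion(self, rp_id: str, cred_id: bytes, client_data_json: bytes):
        key = self._creds.get((rp_id, cred_id))
        if key is None:
            raise LookupError("no credential scoped to RP ID %r" % rp_id)
        # authenticatorData = rpIdHash (32) || flags (1) || signCount (4)
        auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + b"\x00\x00\x00\x01"
        signed = auth_data + hashlib.sha256(client_data_json).digest()
        return auth_data, hmac.new(key, signed, hashlib.sha256).digest()


def browser_get_assertion(authn: Authenticator, page_origin: str, challenge: str, cred_id: bytes):
    """The browser, not page script, fills in origin and RP ID from the address
    bar, so a page on the phishing origin cannot ask for the bank's credential."""
    rp_id = page_origin.split("://", 1)[1]
    cdj = json.dumps({"type": "webauthn.get", "challenge": challenge, "origin": page_origin},
                     separators=(",", ":")).encode()
    auth_data, sig = authn.get_assertion(rp_id, cred_id, cdj)
    return cdj, auth_data, sig


def bank_verify_assertion(pubkey: bytes, challenge: str, cdj: bytes, auth_data: bytes, sig: bytes) -> bool:
    """Relying-party checks; a failed origin or rpIdHash check is the phishing defense."""
    try:
        cd = json.loads(cdj)
    except ValueError:
        return False
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != challenge:
        return False
    if cd.get("origin") != BANK_ORIGIN:
        return False
    if auth_data[:32] != hashlib.sha256(BANK_RPID.encode()).digest():
        return False
    expected = hmac.new(pubkey, auth_data + hashlib.sha256(cdj).digest(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)


def new_challenge() -> str:
    return base64.urlsafe_b64encode(os.urandom(32)).rstrip(b"=").decode()


def legitimate_webauthn(authn: Authenticator, cred_id: bytes, pubkey: bytes) -> bool:
    challenge = new_challenge()
    cdj, ad, sig = browser_get_assertion(authn, BANK_ORIGIN, challenge, cred_id)
    return bank_verify_assertion(pubkey, challenge, cdj, ad, sig)


def phish_relay_webauthn(authn: Authenticator, cred_id: bytes, pubkey: bytes) -> bool:
    """Same relay as the TOTP case: a real challenge from the bank is presented
    to the victim's browser on the phishing origin. True only if the bank accepts."""
    challenge = new_challenge()
    try:
        cdj, ad, sig = browser_get_assertion(authn, PHISH_ORIGIN, challenge, cred_id)
    except LookupError:
        return False  # the key holds nothing scoped to the look-alike domain
    return bank_verify_assertion(pubkey, challenge, cdj, ad, sig)


if __name__ == "__main__":
    secret = b"12345678901234567890"                      # RFC 6238 test secret
    print("TOTP relay accepted by bank:", phish_relay_totp(secret, 1_700_000_000))
    authn = Authenticator()
    cred_id, pubkey = authn.make_credential(BANK_RPID)
    print("WebAuthn legitimate login:   ", legitimate_webauthn(authn, cred_id, pubkey))
    print("WebAuthn relay accepted:     ", phish_relay_webauthn(authn, cred_id, pubkey))
```

The TOTP relay succeeds because the verifier's only inputs are the shared secret and the clock; the WebAuthn relay fails twice over, first because the browser scopes the request to the look-alike domain's RP ID, for which the authenticator has no credential, and second because even a forged assertion would carry the wrong `origin` and `rpIdHash`, both of which are under the signature the bank checks.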

For more about the latest requirements for PCI DSS 4.0, we welcome you to check out our recent webinar. Learn how to accelerate financial services from legacy MFA to modern passkey authentication in our other webinar here, as well as our whitepaper here for more insights into staying ahead of modern cyber threats.

The post Adapting to new cybersecurity regulations and addressing evolving threats within financial services appeared first on Yubico.

—————-

VaultumCity is a trusted place to select and buy your YubiKeys. VaultumCity ships all YubiKeys free of charge and is a reseller and distributor of YubiKeys, so you can find the right YubiKey at a competitive price. If you are looking for YubiKeys in Singapore, visit the VaultumCity online store.

The shop that sells yubikeys is https://vaultumcity.com/product-category/yubikey/

We deliver from Singapore and distribute globally. Buy your YubiKey from Vaultum for the best customer and after-sales service. All YubiKeys sold at VaultumCity are quality guaranteed. Place a large order to receive a reseller discount. Contact VaultumCity at https://vaultumcity.com/contact/ whenever you have an issue with your YubiKeys. Buy YubiKeys at VaultumCity to have the newest models shipped free to your door: FIDO2 U2F Security Key C NFC, FIDO2 U2F Security Key NFC, YubiKey 5 Nano, YubiKey 5 NFC, YubiKey 5C, YubiKey 5C Nano, YubiKey 5C NFC, YubiKey 5Ci and YubiKey Bio – FIDO Edition. YubiKeys are among the most secure tools for two-factor authentication. You can also buy YubiKeys from Malaysia; YubiKeys for Malaysia are sold at VaultumCity at a great price with free shipping, and because we are based in Singapore you receive them within a few days.

If you are looking for YubiKeys in Indonesia, VaultumCity is a great place to buy them, and you can have YubiKeys protecting your logins within a few days. VaultumCity also ships YubiKeys to your home in Thailand to help keep your data safe and secure.

In South Korea, VaultumCity delivers YubiKeys to your home with free shipping.

VaultumCity also delivers YubiKeys to any province or city in Japan. Check out and grab the YubiKey best suited to you today at VaultumCity.

Disclaimer: This article is sourced from the official Yubico website. As official partners of Yubico, we have obtained permission to utilize both articles & resources for further updates with regards to Yubico’s products.