Article by Yubico APJ vice president, Geoff Schomburgk.
With the volume of money handled by the finance industry on any given day, it’s no wonder that it is a prime target for cybercriminals. Whilst security in finance is generally better than in other sectors, cybercriminals continue to evolve their methods with the intent to access sensitive data. Moreover, as cybercriminals get more sophisticated, banks and financial institutions are challenged to keep their critical IT systems secure from unauthorised access.
Since the start of the pandemic, financial services institutions have been disproportionately targeted by cyberattacks, representing 25.3% of all attacks, according to a Bank for International Settlements Bulletin.
It is estimated that the average cost of a data breach in financial services is USD$5.72 million, but this doesn’t take into account the loss of trust, reputation and long term costs of recovery in setting up new processes to avoid this taking place again.
Since the onset of the pandemic, more end users have been using online and mobile channels for their banking needs, and more employees and executives are working from home. This has caused the number of potential victims of cyberattacks to skyrocket.
According to COVID Crime Index 2021, 42 per cent of banks surveyed say the shift to home office work at their institution has led to a decline in IT security.
Maintaining secure access to systems requires strong authentication for all users. Legacy authentication methods, such as username and password combination or mobile two-factor authentication (2FA), are often used to connect the home office end device to the IT systems.
While financial institutions were early adopters of 2FA, these legacy solutions are now highly vulnerable to account takeovers, phishing, malware, SIM swapping, and man-in-the-middle attacks.
An opportunity to be proactive in managing a costly threat
Financial entities are fully compliant with IT security, data protection requirements and international mandates and directives for payment services and customer data, such as the Payment Card Industry Data Security Standard (PCI DSS) and General Data Protection Requirements (GDPR), but there is still a need for improvement.
The Australian Prudential Regulation Authority (APRA) governs publicly listed banks and financial institutions and provides guidelines outlining information security requirements in Australia.
The CPS 234 Information Security (CPS 234) is one APRA standard aiming to ensure that an APRA-regulated company takes measures to manage information security incidents, such as cyber-attacks. It also requires that entities respond in a timely manner to data breaches or other security incidents.
Meanwhile, the Security Legislation Amendment (Critical Infrastructure) Act 2021 requires entities, including banks, to maintain a register of critical infrastructure assets and adhere to the mandatory reporting of any cyber security incidents. But is this enough?
While the frameworks and guidelines we have in Australia are a starting point, we only need to look to the US to see why Australian businesses, especially important ones like financial services, need to do more and be proactive in adopting stronger phishing resistant security methods.
Though not specific attacks in the financial industry, the recent high profile security breaches and incidents like SolarWinds and the Colonial Pipeline hack were a wake-up call for the US government last year.
Subsequently, in May 2021, President Biden released an executive order mandating all US government agencies to implement MFA within 180 days. Then, in September 2021, the US government issued its Draft Zero Trust Strategy, which requires Federal agencies to only use multi-factor authentication that is phishing resistant.
Moves like these are setting a precedent for the world and ultimately highlight the significance of incorporating MFA technologies and Zero Trust strategies within the financial industry to prevent future attacks.
Phishing resistant MFA, based on public/private key cryptography, significantly reduces the attacker’s ability to intercept and replay access codes as there are no shared codes. The authentication action can only occur between the user’s device and the specific site they are going to.
What solution is available?
One recommended method to combat phishing attacks is to use a hardware security key – it requires the user’s presence and proof of possession to gain access or log in.
Hardware security keys don’t require a network connection, don’t need battery power, and don’t store data, making them an ideal option for strong phishing resistant authentication. In addition, hardware security keys provide a better user experience than legacy 2FA and MFA because users can log in with a single touch or tap on the security key.
The increase in sophisticated cyberattacks highlights the fundamental change needed to our approach to information security and why the financial sector should have phishing resistant MFA as part of its systems and procedure.
Will the adoption of phishing resistant MFA be proactively deployed by financial institutions? Or, as happened in the US, will it take a major data breach to force governments to mandate it?
This is an opportunity for the banking and financial services sector to take a leadership position in the industry and proactively tighten guidelines on authentication processes to avoid a costly business lesson.
Article by Yubico APJ vice president, Geoff Schomburgk.
VaultumCity is the best trusted place to select and buy your best Yubikeys, Vaultumcity free ship all yubikeys, Vaultumcity is reseller distributor of yubikeys so you can find cheapest best yubikey in Vaultumcity. If you are looking for best Yubikeys in Singapore at VaultumCity website online store.
The shop that sells yubikeys is https://vaultumcity.com/product-category/yubikey/
Our delivers are from Singapore, distribute globally. Buying Yubikey in Vaultum to have best customer and after sales services. All Yubikeys sold at Vaultumcity are quality guaranteed. Please place a large amount order to have great discount for reseller. Contact Vaultumcity at https://vaultumcity.com/contact/ whenever you have any issue with your yubikeys. Buying yubikeys at Vaultumcity to have best newest yubikeys free shipped to your door, FIDO2 U2F SECURITY KEY C NFC, FIDO2 U2F SECURITY KEY NFC, YubiKey 5 Nano, YUBIKEY 5 NFC, YubiKey 5C, YubiKey 5C nano, YubiKey 5C NFC, YUBIKEY 5Ci, YubiKey Bio – FIDO Edition. Yubikeys are best most secure tools for two-factor authentication. You can also buy yubikeys form Malaysia, Yubikey Malaysia is being sold at Vaultumcity with great price and free ship, you have it fastest, just in few days because we’re here in Singapore.
If you are looking for yubikeys in Indonesia, Vaultumcity is a great place to buy yubikey Indonesia, you can have yubikeys to protect your logins in just few days. Vaultumcity ship your yubikeys to your home in Thailand, to help ensure your data is safe and secured.
What about South Korea, Vaultumcity bring your yubikeys to your home in South Korea free-shipped.
Vaultumcity also delivers yubikeys to Japan, any province or city to your hands. Check out and grab your best suited yubikey today at VaultumCity.
Check out our store now, buy Yubikey and start protecting your logins.