In a recent release, the Financial Industry Regulatory Authority (FINRA) provided insight into the increasing frequency of Account Takeover (ATO) within the financial industry. The report also offered guidance for organizations looking to tighten their cybersecurity, but gave no direction on the growing issue of password hygiene.
When hackers gain unauthorized access to accounts by obtaining users’ credentials, it’s referred to as Account Takeover (ATO). Hackers are then able to target networks, company systems, and financial accounts. ATO is on the rise and now accounts for a third of all targeted account attacks and suspicious activity reports (SARs).
According to the FINRA summary, ATOs are frequently attempted through “common attack methods such as phishing emails, social engineering attempts, and other fraudulent options” as well as “a large number of stolen customer login credentials available for sale on the dark web.” Turning any one of these attack vectors into financial impact can be an easy task for bad actors. All they need is a single set of credentials to gain an initial foothold; from there they can deploy malware, gain access privileges… and wreak havoc.
In response to growing concerns about online Account Takeover attempts and potential ACAT transfers, FINRA recently released guidance to help firms combat them. Protecting customer account information and identity is central to FINRA’s function and to firms fulfilling their regulatory obligations. Some of the information released was educational, and it’s encouraging to see movement toward recognizing ATO as a massive financial-crime threat. However, as Enzoic points out in Credit Union Times, the guidance contained an omission that financial institutions cannot afford to overlook.
The reality is that organizations need to know whether the credentials they accept are already compromised at the time of use. No matter how many authentication methods are layered on, after a fraudulent user has obtained an account, the damage has likely been done. The hacker already has access to the personal information contained within the account.
The primary reason ATO attacks are so successful is password reuse. At least 65% of people reuse passwords across multiple, if not all, of their accounts. With wide-scale data breaches happening hour by hour, it’s essentially a matter of time until most credentials are posted online. This is why it is extremely important to check passwords against a constantly updated list of compromised credentials.
Within any industry, it’s important to be realistic about user behavior, because it’s quite unlikely that people will change their approach to password management. NIST now recommends that organizations drop overly complex password requirements. Data has shown that when forced to create a password with arbitrary character requirements, users are likely to create weaker passwords. They are also more likely to reuse their passwords once they have a preferred one that seems to satisfy all the requirements. For example, someone might think that a variation on “password”, like “P@ssword1”, is safe and unguessable. Unfortunately, cracking tools are way ahead of such tricks, and easy credentials like these are certainly available for purchase on the dark web.
Instead, NIST recommends that organizations screen passwords against blacklists containing commonly used and compromised credentials on an ongoing basis.
Screening out already-exposed passwords is one of the most efficient methods of preventing ATO because it addresses the problem as early as possible, at the point where the credential is created or used. Additionally, there are credential-screening software solutions that also assist in minimizing user friction during the onboarding process. Password screening happens in the background, so there is no interruption to the user experience unless the credential is or has become compromised. At that point, organizations can tailor and automate the appropriate action, whether it’s forcing the user to change their password immediately or using a pre-established secondary authentication method to confirm their identity.
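As an added example (not code from the article, Enzoic or FINRA), here is the screening step described above: the client hashes the candidate password, sends only a short hash prefix to a compromised-credential index, matches the suffix locally so the full hash never leaves the client, and maps the result to the responses the text mentions (allow, step-up authentication, forced reset). The breach corpus, the five-character prefix length and the action names are constructed assumptions for illustration.

```python
"""Compromised-credential screening with a k-anonymity range lookup.

Added example; the breach corpus below is a constructed stand-in for a
real, continuously updated compromised-credential list, and the
prefix/suffix exchange mirrors the common SHA-1 range-lookup pattern.
"""
import hashlib

# Constructed sample of exposed passwords standing in for a breach corpus.
# A real deployment holds only hashes, refreshed as new dumps appear.
_CONSTRUCTED_BREACH_CORPUS = {
    "password": 9_000_000, "P@ssword1": 120_000, "123456": 20_000_000,
    "Summer2023!": 4_500, "qwerty": 3_800_000,
}

def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the UTF-8 password (the lookup key format)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

# Server side: hash suffix -> breach count, indexed by the first five hex digits.
_RANGE_INDEX = {}
for _pw, _count in _CONSTRUCTED_BREACH_CORPUS.items():
    _h = sha1_hex(_pw)
    _RANGE_INDEX.setdefault(_h[:5], {})[_h[5:]] = _count

def range_lookup(prefix: str) -> dict:
    """Simulated range endpoint: all suffixes sharing the 5-char prefix."""
    if len(prefix) != 5:
        raise ValueError("range lookup takes exactly five hex characters")
    return dict(_RANGE_INDEX.get(prefix.upper(), {}))

def breach_count(password: str) -> int:
    """Client side: transmit only the prefix, compare the suffix locally.
    Returns how many times the password appeared in the corpus (0 = unseen)."""
    digest = sha1_hex(password)
    return range_lookup(digest[:5]).get(digest[5:], 0)

def screening_action(password: str, has_secondary_factor: bool) -> str:
    """Map a screening result to the automated response the article describes."""
    if breach_count(password) == 0:
        return "allow"                  # no friction for unexposed credentials
    if has_secondary_factor:
        return "step_up_auth"           # confirm identity, then require a new password
    return "force_password_reset"
```

Because the index is keyed on the prefix, the server learns only that one of the (possibly many) passwords sharing that prefix was checked, which is what keeps the background check from leaking the credential itself.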
The FINRA report did summarize effective practices for the validation of a customer’s identity: adaptive authentication, multifactor authentication (MFA), and supplemental authentication methods like SMS and phone calls, along with additional information to bolster security measures.
Most of the techniques are potentially useful, but none are a magic bullet. Take, for example, MFA, which relies on an additional factor to grant access to the account. While theoretically very useful, studies have documented that people do not proactively enable MFA even when given the option, most likely because of the friction it causes in the customer experience. Similarly, other suggestions like SMS text message codes and geolocation have both been shown to be easily compromised—and neither method is recommended by NIST.
FINRA’s regulatory notice is not incorrect, but it misses the opportunity to give compromised credentials the priority they deserve. When deployed the right way, the FINRA recommendations could certainly help protect businesses from ATO attacks and potential fraud—but only if the base layer of password security is firmed up.