FINRA Guidance Misses the Security Mark

The recent summary omits how organizations can ensure credentials aren’t already compromised at the time of use.


Account takeover (ATO), in which hackers gain unauthorized access to digital accounts by obtaining users’ credentials, is on the rise in the financial services sector, accounting for 32% of all targeted account types as shown in a recent report from Security.org and Deduce. The repercussions of these attacks are numerous – downtime, customer attrition and reputational damage, to name just a few. There’s also a significant financial impact, as 89% of financial institution executives point to ATO as the most common cause of losses in their digital channel.

In response to these and other factors, FINRA recently released guidance to help firms combat ATO. While it’s encouraging that the organization wants to educate on the ATO threat, the recent summary contains a glaring omission: namely, how organizations can ensure that credentials aren’t already compromised at the time of use. This is particularly relevant given that compromised credentials from third-party data breaches are noted as the primary cause of ATO.

Stepping back, the primary reason ATO attacks are so successful is password reuse. According to a recent Google survey, 65% of people reuse passwords across multiple, if not all, accounts. With data breaches occurring on an ongoing basis, there is a very real chance that this information is already exposed or, if not, that it will be in the foreseeable future. As such, screening credentials at their creation and continuously monitoring their integrity thereafter should be included in any modern ATO security strategy.

Combating ATO Without Sacrificing the Consumer Experience

In light of the considerations outlined above, it’s concerning that the FINRA guidance doesn’t include screening for compromised credentials. Equally worrisome is that many of the recommendations they do include have weaknesses and introduce considerable friction into the consumer experience, making them difficult to adopt.

One of these is the use of multi-factor authentication (MFA), which relies on an additional factor in order to grant access to the account. This recommendation certainly sounds reasonable on paper, but numerous studies have documented that people do not proactively enable MFA even when given the option. Case in point, Microsoft reports just an 11% MFA adoption rate among its enterprise cloud users. And even when MFA is enabled, this doesn’t remove the necessity of keeping the password layer secure.

Ultimately, there is no quick fix for ATO security concerns. While FINRA outlines a number of supplemental authentication factors, it’s important to ensure each layer is properly secured as much as possible. Among FINRA’s recommendations are the following:

Too Little, Too Late?

Another issue with FINRA’s ATO guidance centers on the timing of the security check. Many of the authentication factors are recommended to confirm identity based on the risk associated with the respective activity – for example, initiating a money transfer or checking an account balance. While useful, this fails to address the fact that, if the account has been compromised, hackers will already have access to the sensitive personally identifiable information (PII) contained within the account.

The Password Imperative

This brings us back to the critical importance of securing account credentials. It’s unrealistic to expect people to change their approach to password management and it’s also a poor security practice to enforce overly complex password requirements. This is because human factors often lead to security vulnerabilities when users are forced to create a password that aligns with specific complexity requirements. For example, when asked to include special characters and numbers, a user might select something basic such as “P@ssword1” – a credential that is guaranteed to be on a list of exposed passwords available to hackers on the Dark Web.

In light of these factors, the responsibility for password security ultimately lies with the financial firm. This is why it’s so important to include credential screening as part of a layered approach to cybersecurity. NIST recommends that organizations screen passwords against blacklists containing commonly used and compromised credentials on an ongoing basis. This shifts the focus from the relatively arbitrary metric of password “strength” to the much more critical question of its integrity.

Because password screening happens in the background, there is no interruption to the user experience unless the credential is or becomes compromised. At that point, firms can automate the appropriate action, whether it’s forcing a password reset or using an existing secondary authentication method to confirm the user’s identity. Because these actions are in response to a credential compromise, users are much more tolerant of any related friction than if it were being used simply to grant access to the account, as is the case with third-party authenticator apps and the other supplemental authentication factors recommended by FINRA.
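The screening flow described in the two preceding paragraphs (a NIST-style check against a compromised-credential list at creation, re-screening each time the password is presented, and an automated response only when a compromise is found), written out as an added example that is not Enzoic's code or anything from the FINRA guidance. The breach list is a small constructed sample, and the hash-prefix (k-anonymity) lookup is an assumed design choice so that the full password hash never leaves the caller.

```python
import hashlib
from enum import Enum

# Constructed sample breach corpus (NOT a real feed): SHA-1 digests of a few
# passwords found on exposed-credential lists, including the "P@ssword1"
# example from the article. A real deployment would query a maintained
# compromised-credential service instead of a hard-coded set.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest().upper()
    for p in ("P@ssword1", "password", "123456", "qwerty")
}

PREFIX_LEN = 5  # k-anonymity: only this many hex chars are sent to the lookup


def range_lookup(prefix: str) -> set[str]:
    """Server side of a range query: return the hash *suffixes* of every
    breached password whose SHA-1 starts with `prefix`. The server never
    learns which full hash the caller is interested in."""
    return {h[PREFIX_LEN:] for h in BREACHED_SHA1 if h.startswith(prefix)}


def is_compromised(password: str) -> bool:
    """Client side: hash locally, send only the prefix, match the suffix."""
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    prefix, suffix = digest[:PREFIX_LEN], digest[PREFIX_LEN:]
    return suffix in range_lookup(prefix)


class Action(Enum):
    ALLOW = "allow"
    REJECT_NEW_PASSWORD = "reject: password appears in breach data"
    FORCE_RESET = "force password reset"
    STEP_UP = "confirm identity with existing second factor"


def screen_at_creation(password: str) -> Action:
    """Screen at the moment a credential is chosen (NIST-style list check)."""
    return Action.REJECT_NEW_PASSWORD if is_compromised(password) else Action.ALLOW


def screen_at_login(password: str, has_second_factor: bool) -> Action:
    """Ongoing integrity check: the password is re-screened whenever it is
    presented, so a credential that *becomes* exposed after creation is also
    caught. Friction appears only when a compromise is actually detected."""
    if not is_compromised(password):
        return Action.ALLOW
    return Action.STEP_UP if has_second_factor else Action.FORCE_RESET
```

Because `is_compromised` is evaluated at login, the check costs the user nothing until the credential turns up in breach data, at which point the firm's own policy picks between a reset and a step-up using a factor the user already has.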

This is not to suggest that FINRA’s ATO guidance is incorrect. When deployed the right way, the recommendations could certainly help protect firms from these attacks – but only if the proper steps are also taken to shore up password security. With ATO poised to remain a primary threat vector for the financial services industry, credit unions must take swift action to mitigate the risk. In order to truly ensure that member accounts are protected against ATO attempts, it’s critical that they include credential screening as part of their layered approach to credential security.

Josh Horwitz

Josh Horwitz is COO for the Boulder, Colo.-based cybersecurity company Enzoic.