Authentication Security in the Financial Sector: 2022 Report | HYPR

As the sector most targeted by attacks and one of the most closely watched by regulators, financial organizations are generally strong proponents of cybersecurity innovation. Yet we continue to hear about attacks that bypass the protocols protecting authentication and access to financial institution services and systems. Last month, Flagstar Bank announced that hackers had gained unauthorized access to its networks and more than 1.5 million customer files.

To gain new insights into the financial industry's authentication security posture, HYPR commissioned the State of Authentication in the Financial Industry report. Conducted by independent research firm Vanson Bourne, the report is based on interviews with 500 IT and security decision makers in the financial services industry. The findings reveal that the authentication methods used by banks and other financial services organizations are causing security vulnerabilities, budget pressures, and overall operational disruptions.

Financial organizations face ongoing and ever-evolving cyber threats

Almost all (94%) financial services organizations surveyed experienced some type of attack in the past 12 months. Phishing was the most prevalent, followed by credential stuffing and malware attacks. These were closely followed by the threat of push notification attacks. Sometimes called MFA prompt bombing, push attacks specifically target the push notifications used by many authenticators. It’s a technique favored by modern hacking groups, including Lapsus$, which recently breached Okta, Microsoft, Samsung, and others.

Ransomware continues to be a frequent attack payload: 34% of financial services organizations surveyed were impacted by ransomware attacks over the past 12 months.

Authentication practices creating risks

While not all attacks were successful, 85% of organizations experienced cyber breaches as a result of these attacks, and nearly three-quarters were breached multiple times. For many, the consequences have been severe, ranging from loss of customers to a competitor, to loss of employee and customer data, to regulatory fines.

Other industry reports, including the latest Verizon DBIR, point to credential issues as the top attack vector in the financial industry. It’s no surprise, then, that 80% of organizations surveyed experienced at least one breach related to weak authentication. Bank authentication methods were among the most vulnerable, with 90% of small banks (

More worryingly, 63% of organizations that were hacked did nothing to change their security protocols for authentication and access to financial institution services and systems.

False sense of security

The inaction can be explained by an apparent lack of awareness that current authentication practices put financial organizations at risk. The report identifies multiple gaps between perceived levels of authentication security and the actual security of authenticating and accessing financial institutions' services and systems. The vast majority of respondents (90%) said their current authentication approach is completely or mostly secure, despite the large number of people experiencing authentication-related breaches.

Confidence in security levels is also contradicted by the large proportion of respondents who admit that their employees use traditional and insecure authentication methods such as password managers, SMS and OTPs. Incredibly, almost a quarter only use usernames and passwords in some cases.

Traditional MFA vs Phishing Resistant MFA

This paradox can be attributed to the continuing confusion regarding traditional MFA. Once considered best practice, traditional MFA can now be bypassed by many modern attacks, making it much less effective as a defensive measure. One example is the $34 million stolen this year from a cryptocurrency exchange after hackers bypassed its MFA controls.

Such attacks have prompted calls from various regulatory agencies, including the United States Cybersecurity and Infrastructure Security Agency (CISA), for the use of MFA that can resist phishing and other attack methods. Yet awareness of this is either low or ignored among IT security decision makers in financial services organizations. The vast majority of respondents (84%) believe that traditional MFA offers complete security.

Even more surprisingly, although financial organizations list the insecure methods they use for authentication and access to services and systems, almost half (47%) believe that phishing-resistant multi-factor authentication is the key to their authentication strategy, and an additional 51% think it plays a part.

This confusion highlights the need for better education and training around which authentication methods are and are not phishing resistant. Otherwise, the authentication methods used by banks and other financial services organizations will continue to lead to breaches.

Passwordless MFA is the way to go

One bright spot is that financial organizations are realizing how to fix their authentication flaws. Of the IT and security professionals surveyed, 89% understand that passwordless MFA is necessary to achieve the highest level of authentication security, and the same number say it improves the user experience. Additionally, 90% agree that it offers cost advantages over traditional authentication methods. Factors such as password fatigue, productivity impacts, help desk costs, and meeting cyber insurance requirements were named as the main drivers of adoption.

Download the State of Authentication in Finance report

As the financial industry continues to transform its operations and business models, organizations face dynamic and unprecedented security risks. Rapid digitization, interconnection with third-party systems, migration to the cloud, and changing working models are all opening up new attack vectors.

The greatest area of vulnerability remains the protocols protecting authentication and access to financial institutions’ services and systems. Fortunately, technologies already exist to solve this problem. HYPR True Passwordless™ MFA meets the gold standard for phishing resistance as defined by the OMB and CISA and enables financial services organizations to get the security assurance and frictionless experience they need.

To learn more about the current state of authentication in the financial industry, download the report.

*** This is a syndicated blog from the HYPR Blog Security Bloggers Network written by Shelley Leveson, Director of Content Marketing, HYPR. Read the original post at:
