Financial firms are failing to strengthen their authentication technologies, even after a breach, according to research into the industry.
As many as four in five financial services organizations had experienced a breach where authentication weaknesses was a factor. However, 63% failed to update their authentication systems after the attack.
According to the report by Vanson Bourne – The State of Authentication in the Finance Industry – 85% of financial services firms had experienced a breach, and 72% had been attacked more than once. Yet the survey found that almost all victims (90%) felt their existing authentication methods were good enough.
The survey of 500 IT security and data management professionals across banking, insurance, wealth management, investment and fintech found that phishing was the most common type of attack, cited by 36% of those surveyed. Malware and credential stuffing accounted for 31% of attacks and push notifications, a further 29%.
The research puts the annual direct cost of authentication-related breaches at an average of $2.19m; this excludes hidden and intangible costs. In addition, a third of firms said they had lost customers to competitors as a result. Nearly a third (29%) admitted they had lost employee data, and 26% had suffered a customer data breach.
The findings come at a time when financial services is the industry sector most targeted by cyber-criminals. Even so, researchers found that a significant minority of organizations use older authentication methods such as SMS and one-time passcodes (OTPs). Worryingly, a further 22% still rely on usernames and passwords.
“As one of the most targeted sectors for attack, financial services companies have an impressive track record of adopting new, innovative defense technologies,” said David Reilly, a security and financial services advisor and former CIO and CTO at Bank of America.
“While improvements in perimeter, network and behavioral analytics have advanced, authentication security has not moved at the same pace… Eliminating the static password risk is the strategic path forward.”
Firms that fail to update their authentication methods are leaving themselves open to further attack, warned Bojan Simic, co-founder, CEO and CTO of passwordless authentication vendor and survey sponsor HYPR.
“The data clearly shows that these methods don’t provide enough protection, leaving organizations exposed to unacceptable risk. At the same time, the scale of attacks and malicious strike techniques are rapidly growing, widening this vulnerability gap,” he said.