Research shows that a staggering 94.6% of all breaches are driven by financial motives, and hackers view financial services organizations as gold mines of sensitive data. Incident data from this sector shows that personal data remains the most sought-after type of data stolen in the industry.
While the rising volume of cyberattacks in financial services and across other industries could be due to increasingly sophisticated cybercriminals, this is largely a misconception. The truth is that hackers are using many of the same tactics they’ve been successfully employing for the last decade, the majority of which are aimed at exploiting user identities or compromising endpoint devices (PCs, laptops, phones, etc.). However, today’s cybercriminals have the advantage of a range of toolkits that open up hacking to “entry-level” threat actors with minimal technical skills. Bad actors also have access to generative AI and can leverage reams of open-source data about target companies, employees, and customers to create very believable phishing messages for email, SMS, and social platforms – all without the telltale grammar and spelling errors that used to help us recognize (most of) these scam messages in the past.
Common attack methods
Hackers continue to use social engineering techniques that rely more on manipulating human psychology than on technical know-how. Between these “mind game” tactics and readily available tools, today’s financially motivated hackers don’t need to be technical geniuses to be effective. They can also buy access to corporate networks and user accounts from initial access brokers who specialize in that function. Thus, adversaries don’t have to “break in”; they can simply reuse credentials they bought or phished to log in and launch ransomware attacks, steal data, or access user accounts.
Despite efforts to educate users and reduce the number of scam emails that make it to inboxes, phishing continues to be a very effective tactic. The basic premise hasn’t changed – the adversary sends an alarming message via email, SMS, or even social media that is designed to prompt receivers to click on a malicious link. These links can be leveraged for all kinds of purposes, from credential theft to installing malware on the endpoint device.
On the identity front, CrowdStrike’s 2023 Threat Hunting Report shows that 80% of breaches use compromised identities, and Verizon’s 2023 Data Breach Investigations Report indicates that stolen user credentials are the single most popular entry point for breaches.
Phishing and ransomware are the next most frequent ways attackers access organizations. On the device front, Verizon’s report lists user devices as one of the top three assets affected and manipulated in breaches.
Unfortunately, the original multi-factor authentication (MFA) designed to thwart credential-reuse attacks is becoming trivial for adversaries to bypass. This so-called legacy MFA was only effective for a while: adversaries have become adept at stealing passwords along with MFA codes, or at hijacking the session tokens that applications use to keep a user logged in for a period of time. With a stolen token, or a password and MFA code combination, attackers simply log in as valid users.
Further, traditional MFA was only designed to improve our ability to validate a user’s identity – it did nothing to check that the endpoint device gaining access was secure. Therefore, the solution to the single largest attack method is modern “phishing-resistant” MFA that also checks whether the device is trustworthy. Strong MFA uses a combination of biometrics and cryptographic passkeys (defined in a standard from the Fast IDentity Online (FIDO) organization).
Modern MFA uses strong, phish-resistant factors and is architected to thwart attacker-in-the-middle tactics to steal session tokens. Modern MFA must also include the ability to check whether the device is secure before granting access. The version the U.S. Department of Homeland Security deems “optimal” can continuously validate the user identity and device trust.
Since the financial services industry is especially vulnerable to system breaches and data loss, organizations within this sector need to be extra vigilant about validating user identity and device trust. With modern MFA, security leaders can radically reduce their organizations’ vulnerability to cyberattacks, shut the proverbial front door, and focus their resources.