Financial services is, without a doubt, one of the industries most affected by cyber attacks, phishing scams and online fraud of every kind. That is also why the financial sector has grown into one of the best-protected industries on the market.
As security technology improves, information thieves redirect their attacks to the area that remains easiest to compromise: people.
Social engineering means tricking people into performing actions or sharing information. It has become one of the most popular buzzwords in cybersecurity.
A well-crafted social engineering attack usually involves some kind of bait or threat, combined with a call to action that requires the victim to act fast. Receiving such a call or email should always trigger a light bulb: something may be wrong. Attacks of this kind usually end with the victim letting the attacker into restricted resources or handing over sensitive information.
Attacks on C-level executives, so-called whaling attacks, are much more difficult to prepare and often take months to plan and execute.
Attacks on lower-level employees, which should seemingly be less dangerous, can also do great damage to the business, which is why they remain far more popular and effective.
In banks, insurance companies and other financial institutions, people working in sales handle sensitive data every day. An insurance agent, a home broker and a financial advisor all work with sensitive data such as sales figures and commissions. They also frequently perform sensitive operations on customer profiles.
The Pareto principle applies here: 20% of the information a user has access to can potentially cause 80% of the damage from leaks and thefts.
In the vast majority of companies, access is granted on an all-or-nothing basis. There are no easily applicable mechanisms that help a company's security team monitor and supervise access to the most sensitive information.
Therefore, there are many ways in which things can go wrong.
Let's assume that Anna works in a bank as a sales rep. She is not able to reach her sales targets and earn her commission, so she looks for a way around it. She decides to share her account with another sales agent who has the same problem, so that the commission is booked to one agent and then, under the table, split between them.
Some of the actions performed this way are potentially dangerous, some are illegal and some are simply worth tracking so that conscious decisions and improvements can be made. Regardless of the scenario, financial institutions normally don't have at hand solutions that can be introduced quickly to address these risks.
The annoying thing about data security has always been the need to strike the right balance between data protection and user comfort.
In our opinion, the two biggest challenges that security teams in financial institutions face are:
1. How to increase the level of security without making users' lives too hard?
Even though data security should be a priority of every organizational unit, in reality people always look for ways to make their lives easier, so if they can skip a security procedure that costs them too much precious time, they surely will.
2. How to increase the level of security without breaking the bank?
The sad truth is that cybersecurity always comes last. Data security budgets may be higher in banks and financial institutions than in sectors 'less attractive to hackers', but still: the information security budget usually rises only after something happens. A bad breach, a phishing theft, lost data. That is usually the moment when CEOs decide to invest in data protection.
So what’s the remedy?
We call it “microauthorizations”.
Secfense designed microauthorizations to leave the user journey almost untouched while at the same time substantially raising the level of data security.
Microauthorizations make it easy to add additional authorization steps in an application wherever they are necessary, without touching the application code.
With microauthorizations it is possible to:
It really can be that simple.
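One way to model the step-up pattern described above, as an added runnable illustration and not Secfense's product code: a policy layer in front of the application marks the sensitive few routes, demands a fresh second factor before letting a request through to them, and records every access attempt, while unlisted routes pass through untouched. The routes, the five-minute freshness window and the session fields are assumptions chosen for the example.

```python
"""Step-up ("micro") authorization as a policy layer in front of an application.
Added illustration of the pattern, not Secfense code: the routes, the freshness
window and the session fields are assumptions. A reverse proxy would call
decide() for every request, send STEP_UP responses to a second-factor prompt,
and call complete_second_factor() once the prompt has been passed."""
import re
from dataclasses import dataclass

STEP_UP_WINDOW = 5 * 60  # seconds a second-factor proof stays fresh (assumption)


@dataclass
class Rule:
    pattern: str                 # regex over "METHOD /path"
    require_second_factor: bool  # demand a fresh second factor before passing the request
    audit: bool = True           # record every access attempt to this resource


# The sensitive 20 per cent: profile changes and commission data (assumed routes).
# Anything not listed here passes through unchanged.
POLICY = [
    Rule(r"^(PUT|POST|DELETE) /customers/\d+/profile$", require_second_factor=True),
    Rule(r"^GET /reports/commissions(\?|$)", require_second_factor=True),
    Rule(r"^GET /customers/\d+$", require_second_factor=False),
]


@dataclass
class Session:
    user: str
    second_factor_at: float = 0.0  # unix time of the last verified second factor; 0 = never


def complete_second_factor(session: Session, now: float) -> None:
    """Called by the proxy once the user has passed the step-up prompt."""
    session.second_factor_at = now


def decide(method: str, path: str, session: Session, now: float, audit_log: list) -> str:
    """Return "ALLOW" or "STEP_UP" for one request, logging attempts on audited resources."""
    request = f"{method.upper()} {path}"
    for rule in POLICY:
        if not re.match(rule.pattern, request):
            continue
        fresh = session.second_factor_at > 0 and now - session.second_factor_at < STEP_UP_WINDOW
        decision = "STEP_UP" if rule.require_second_factor and not fresh else "ALLOW"
        if rule.audit:
            audit_log.append({"user": session.user, "request": request,
                              "at": now, "decision": decision})
        return decision
    return "ALLOW"  # not a sensitive resource: the user journey is untouched
```

The audit list is the monitoring hook that all-or-nothing access control lacks: every touch of a listed resource is recorded with the decision taken, whether or not the user was interrupted, so a pattern like two agents sharing one account shows up in the log even on reads that need no step-up.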
To learn more about microauthorizations, you can check this short showcase that we did during the technology event in Berlin.
You can also watch a complete 2FA method deployment performed on Amazon.com and executed in just minutes.
While two-factor authentication is a better way to protect a user against phishing and credential theft, it is still far from perfect. People who work in cybersecurity have heard about SMS and OTP codes being bypassed: a one-time code is still something the user can be tricked into typing into a fake page, and the attacker can relay it to the real service within its validity window. "Protecting the authentication process with OTP-based 2FA is better than nothing, but still not safe" is something you probably hear a lot.
In contrast to these phishable 2FA methods, U2F (Universal 2nd Factor) relies on a physical device that the user must have in hand to access company data. The device signs the server's challenge together with the origin of the site that requested it, so an assertion collected on a look-alike site is useless to the attacker. This setup is regarded as one of the strongest authentication methods available and has not been broken by phishing.
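The difference between a relayed one-time code and a U2F-style assertion, as an added runnable illustration that is not Secfense code and not a real U2F library: a TOTP code forwarded by a phisher is accepted by the bank, while an assertion produced on a look-alike origin is rejected, and so are a tampered relay and a replay. HMAC-SHA256 stands in for the ECDSA P-256 signature a real token produces so that the example needs only the Python standard library; the bank and phishing origins, the secrets and the counter are constructed values.

```python
"""Why a one-time code can be phished but a U2F-style assertion cannot: the token
signs the origin it was actually used on. Added illustration for this article,
not Secfense code. HMAC-SHA256 stands in for the token's ECDSA P-256 signature
so the example runs on the standard library alone (a real relying party stores
only the token's public key). Origins, secrets and counters are constructed."""
import hashlib
import hmac
import json
import os
import struct

BANK_ORIGIN = "https://bank.example"       # the legitimate relying party (constructed)
PHISH_ORIGIN = "https://bank-example.com"  # a look-alike phishing site (constructed)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: RFC 4226 HOTP (HMAC-SHA1, dynamic truncation) over time // step."""
    mac = hmac.new(secret, struct.pack(">Q", unix_time // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def otp_login_via_phisher(secret: bytes, now: int) -> bool:
    """The victim types the current code into the fake page and the attacker relays it
    to the real bank inside the validity window. The digits carry no trace of where
    they were typed, so the bank accepts them."""
    relayed = totp(secret, now)
    return relayed in {totp(secret, now), totp(secret, now - 30)}  # one step of clock skew tolerated


class Token:
    """Hardware authenticator: the credential secret and the counter never leave it."""

    def __init__(self):
        self._secret, self._counter = os.urandom(32), 0

    def register(self) -> bytes:
        return self._secret  # real U2F hands out a public key; the HMAC stand-in shares the secret

    def sign(self, app_id: str, client_data: bytes) -> dict:
        self._counter += 1
        signed = (hashlib.sha256(app_id.encode()).digest()
                  + struct.pack(">I", self._counter)
                  + hashlib.sha256(client_data).digest())
        return {"counter": self._counter, "client_data": client_data,
                "signature": hmac.new(self._secret, signed, hashlib.sha256).digest()}


def browser_assert(token: Token, origin: str, challenge: str) -> dict:
    """The browser, not the page, writes the origin into the client data and scopes
    the app id to it, so a phishing page cannot claim to be the bank."""
    client_data = json.dumps({"typ": "navigator.id.getAssertion",
                              "challenge": challenge, "origin": origin}).encode()
    return token.sign(origin, client_data)


class BankRelyingParty:
    def __init__(self, credential: bytes):
        self._credential, self._last_counter, self._pending = credential, 0, set()

    def challenge(self) -> str:
        c = os.urandom(32).hex()
        self._pending.add(c)
        return c

    def verify(self, assertion: dict) -> bool:
        client = json.loads(assertion["client_data"])
        if client.get("origin") != BANK_ORIGIN:           # the check that defeats phishing
            return False
        if client.get("challenge") not in self._pending:  # unknown or already used challenge
            return False
        if assertion["counter"] <= self._last_counter:    # replayed assertion or cloned token
            return False
        signed = (hashlib.sha256(BANK_ORIGIN.encode()).digest()
                  + struct.pack(">I", assertion["counter"])
                  + hashlib.sha256(assertion["client_data"]).digest())
        expected = hmac.new(self._credential, signed, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, assertion["signature"]):
            return False
        self._pending.discard(client["challenge"])
        self._last_counter = assertion["counter"]
        return True


def u2f_scenarios() -> dict:
    """Legitimate login, a relayed phishing assertion, a tampered relay and a replay."""
    token = Token()
    bank = BankRelyingParty(token.register())
    legit = browser_assert(token, BANK_ORIGIN, bank.challenge())
    results = {"legitimate": bank.verify(legit)}
    # The phisher fetches a real challenge, shows it on the look-alike page, relays the answer.
    phished = browser_assert(token, PHISH_ORIGIN, bank.challenge())
    results["relayed"] = bank.verify(phished)
    # Rewriting the origin field does not help: the signature covers the client data.
    edited = json.loads(phished["client_data"])
    edited["origin"] = BANK_ORIGIN
    results["tampered"] = bank.verify(dict(phished, client_data=json.dumps(edited).encode()))
    # Re-sending the genuine assertion fails too: challenge consumed, counter not advanced.
    results["replayed"] = bank.verify(legit)
    return results
```

The decisive line is the origin comparison in verify(): because the browser writes the origin into the signed client data, the phisher can neither forward the assertion unchanged nor edit it without invalidating the signature. The counter check mirrors the per-credential counter a real U2F token reports, which lets the relying party spot a cloned token or a replayed assertion.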
To put it in perspective, none of Google's 89,000 employees have been successfully phished since the company implemented U2F in 2017.
One of the biggest reasons why U2F has not become the golden security standard yet is cost. Introducing the technology meant a long and wearisome coding effort for developers and additional costs for budget decision makers. Often the need for ongoing maintenance and the prospect of vendor lock-in were reason enough to give up on the idea of introducing U2F to an organization.
Today, it's possible to deploy U2F in a matter of minutes at a fraction of the previous cost. And big financial institutions no longer have to share any of their information with third-party vendors. Instead, the U2F authentication method can be layered seamlessly on top of the current infrastructure.
No developers, no contractors, no third-party code involved, and therefore no vendor lock-in. The protection lies in an additional security layer that enables 2FA on any app without touching the code.