What’s Missing from New FINRA Guidance

In a recent release, the Financial Industry Regulatory Authority (FINRA) provided insight into the increasing frequency of Account Takeover (ATO) within the financial industry. The report also produced guidance for organizations looking to tighten their cybersecurity, but no direction was provided regarding the growing issue of password hygiene.

ATO: What’s really happening?

When hackers gain unauthorized access to accounts by obtaining users’ credentials, it’s referred to as Account Takeover (ATO). Hackers are then able to target networks, company systems, and financial accounts. ATO is on the rise and now accounts for a third of all targeted account attacks.

According to the FINRA summary, ATOs are frequently attempted through “common attack methods such as phishing emails and social engineering attempts” as well as “a large number of stolen customer login credentials available for sale on the dark web.” To go from any one of these attack vectors to financial impact can be an easy task for threat actors. All they need is a single set of credentials to gain an initial foothold, and then they can deploy malware, gain access privileges… and wreak havoc.

In response to growing concerns about ATO, FINRA recently released guidance to help firms combat it because the protection of customer data and identity is central to FINRA’s function. Some of the information released was educational, and it’s encouraging to see movement in the direction of recognizing ATO as a massive threat. However, as Josh Horwitz of Enzoic points out in Credit Union Times, the guidance contained an omission that couldn’t be overlooked.

The reality is that organizations need to know whether the credentials they accept are already compromised at the time of use. No matter how many authentication methods are layered on, once a fraudulent user has taken over an account, the damage has likely been done. The hacker already has access to the personal information contained within the account.

The Problem with Passwords?

The primary reason ATO attacks are so successful is password reuse. At least 65% of people reuse passwords across multiple, if not all, of their accounts. With wide-scale data breaches happening hour by hour, it’s essentially a matter of time until most credentials are posted online. This is why it is extremely important to check passwords against a constantly updated list of compromised credentials.

Within any industry, it’s important to be realistic about user behavior because it’s quite unlikely that people will change their approach to password management. NIST now recommends that organizations drop overly complex password requirements. Data has shown that when forced to create a password with arbitrary character requirements, users are likely to create weaker passwords. They are also more likely to reuse a password once they have a preferred one that seems to satisfy all the requirements. For example, someone might think that a variation on ‘password’, like “P@ssword1”, is safe and unguessable. Unfortunately, cracking tools handle such substitutions with ease, and such easy credentials are certainly available for purchase on the dark web.

Instead, NIST recommends that organizations screen passwords against blacklists containing commonly used and compromised credentials on an ongoing basis.

Screening out already-exposed passwords is one of the most efficient methods of preventing ATO because it addresses the problem as early as possible. Additionally, there are credential screening software solutions that also assist in minimizing user friction. Password screening happens in the background, so there is no interruption to the user experience unless the credential is or has become compromised. At that point, organizations can tailor and automate the appropriate action, whether it’s forcing the user to change their password immediately or using a pre-established secondary authentication method to confirm their identity.
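The screening flow described above (check the credential in the background, then automate a tailored response) as an added example; this is illustrative code, not Enzoic’s product or any FINRA material. It assumes a constructed five-entry breach corpus in place of a live feed, a hypothetical `range_lookup` service that only ever receives the first five hex characters of the SHA-1 hash (so neither the password nor its full hash leaves the application), and a simple normalizer that undoes “P@ssword1”-style substitutions so close variants of breached passwords trigger step-up authentication rather than a silent allow.

```python
import hashlib
import re
from enum import Enum


class Action(Enum):
    ALLOW = "allow"                # credential not on any breach list
    FORCE_RESET = "force_reset"    # exact credential is already exposed
    STEP_UP = "step_up"            # close variant of an exposed password: confirm identity


# Constructed sample corpus standing in for a continuously updated breach feed.
CONSTRUCTED_BREACH_CORPUS = ["password", "123456", "qwerty", "letmein", "P@ssword1"]


def _sha1(value: str) -> str:
    return hashlib.sha1(value.encode("utf-8")).hexdigest().upper()


# Index hash suffixes by 5-hex-char prefix (k-anonymity style): the lookup side
# learns the prefix only, and the comparison happens locally.
_INDEX: dict[str, set[str]] = {}
for _pw in CONSTRUCTED_BREACH_CORPUS:
    _digest = _sha1(_pw)
    _INDEX.setdefault(_digest[:5], set()).add(_digest[5:])


def range_lookup(prefix: str) -> set[str]:
    """Hypothetical breach-list service: all known hash suffixes under a prefix."""
    return _INDEX.get(prefix.upper(), set())


def is_compromised(candidate: str) -> bool:
    digest = _sha1(candidate)
    return digest[5:] in range_lookup(digest[:5])


_LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "3": "e", "!": "i", "4": "a"})


def normalize(password: str) -> str:
    """Undo the tweaks users apply to a favourite password: case, trailing digits/symbols, leetspeak."""
    base = re.sub(r"[\W\d_]+$", "", password.lower())
    return base.translate(_LEET)


def screen(password: str) -> Action:
    """Background check at login or password change; the caller automates the response."""
    if is_compromised(password):
        return Action.FORCE_RESET
    if is_compromised(normalize(password)):
        return Action.STEP_UP
    return Action.ALLOW
```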

Not Misguided, but Something’s Missing…

The FINRA report did summarize suggestions for validation of a customer’s identity: adaptive authentication, multifactor authentication (MFA), and supplemental authentication methods like SMS and phone calls.

Most of the techniques are potentially useful, but none are a magic bullet. Take for example MFA, which relies on an additional factor to grant access to the account. While theoretically very useful, studies have documented that people do not proactively enable MFA even when given the option, most likely because of the friction it causes in the customer experience. Similarly, other suggestions like SMS text message codes and geolocation have both been shown to be easily compromised—and neither method is recommended by NIST.

FINRA’s guidance is not incorrect, but it missed the opportunity to give compromised credentials the priority they deserve. When deployed the right way, the FINRA recommendations could certainly help protect businesses from ATO attacks—but only if the base layer of password security is firmed up.