Banks and Financials Are at an MFA Crossroads, and $5.2 Trillion Is at Stake

Losses from poor authentication in the financial sector are slated to reach astronomical amounts over the next five years. Stemming the tide will require quick action and next-generation solutions.

Accenture says that over $5.2 trillion in value will be lost in the financial services sector over the next five years due to cybercrime. Meanwhile, banks, capital market firms, and insurers are spending an average of $18.5 million annually to try to combat the problem.

Let's be honest, these are staggering numbers—and numbers that ought to give both consumers and regulators pause.

Meanwhile, Verizon says that the largest breach mechanism by far in the finance sector is hacking—and that nearly four of five hacking attempts involve the use of stolen or brute-forced credentials.

In short, the widespread deployment of effective multi-factor authentication (MFA) in banking and finance is badly needed right now, and this need will only increase in the months and years to come.

Cybercrime and data breaches are on track to cost banks and financials $5.2 trillion in losses over the next five years. A huge chunk of that will result from poor authentication practices. © Nichapa Srimai / Dreamstime

Despite all of this, a kind of complacency is beginning to set in, with some viewing multi-factor authentication as a "solved problem." After all, SMS-based multi-factor authentication is everywhere these days, and YubiKey is widely supported and widely understood. By this reasoning, solving the MFA problem is just a matter of deployment and maintenance.

So what gives? Why aren't these solutions expected to better stem the tide of catastrophic breaches to come in banking and finance?

The Effectiveness Problem

The first problem with the MFA solutions already on the market is that they often don't provide all that much extra security.

We've already discussed the problems with SMS-based multi-factor authentication both in technical terms and in terms of demonstrated vulnerabilities in the real world. The long and short of the problem is that SMS doesn't provide much more in the way of security than passwords do—and in many cases, SMS may effectively provide less.

That's a bad thing, considering that SMS is rapidly becoming the go-to MFA mechanism for B2C web applications and workflows of all kinds. As a global cybercommunity, we've taken the wrong path, and we need to correct course quickly.

Hardware MFA tokens are tiny—easy to lose and easy to swipe. SMS authentication is worse still when it comes to vulnerability. Both create delays and headaches that can harm the bottom line. In short, they don’t solve the problem. © Tommaso79 / Dreamstime

Hardware authenticators offer better security than SMS-based MFA does, at least in theory—but the problem with hardware authenticators is that theory doesn't always match what happens in reality.

In reality, hardware authenticators are tiny items not much bigger than a house key that users are expected to track and carry as they go about their work.

Ever lost your keys? How many people do you imagine answer "yes" to a question like that one? Many of the same people would have to admit to losing track of their hardware authenticators in a world in which security is governed by them. More to the point, in a world of hardware authenticators, these tiny items are easy targets for theft of the snatch-and-pocket variety.

Once a hardware authenticator is in hand, anyone can use it to gain access—an authenticator can't differentiate between its owner and anyone else. It's a key—and it provides ready access.

In the banking and financial services case, that access can then be used to steal terabytes of sensitive user data and countless dollars.

The (Deeper) Workflow Problem

There's a dirty secret about security in the financial world, and it's this: organizations that handle large amounts of capital or currency don't just need to protect their consumer-facing logins and web applications. They also need to protect internal systems against insider attacks, since these are often much easier to carry out—and can affect far larger amounts of data and wealth, across a far larger cross-section of held accounts.

The practical obstacle to solving this problem is that employees at these organizations are also busy—everything from retail tellers needing to keep the line moving at the counter to fund traders needing to execute trades promptly in order to remain competitive, along with everything in between these two extremes.

Furthermore, banking and finance employees often need to log into or work inside multiple systems at once in order to carry out these duties. Multi-step MFA workflows, though called for by regulators and insurers, are often in direct tension with the actual day-to-day flow of business.

In the finance world, delays mean dollars—often an awful lot of them. This fact is in constant tension with traditional MFA technologies. © Jaahnlieb / Dreamstime

If retail counter staff are forced to complete a series of multi-step MFA workflows just to conduct client counter business, that business will soon go elsewhere due to long wait times at retail counters. If traders are forced to complete a series of multi-step MFA workflows each time they need to execute a trade, they're going to lose millions or billions in opportunities due to delayed trade timing.

As a result of these kinds of problems, internal MFA is often hamstrung at banks and financial institutions of all kinds, even if B2C MFA on customer-facing applications is in place. Workarounds have to be found to enable business to get done in a timely manner, or fig leaves have to be applied in order to satisfy regulators without negatively impacting profitability.

But of course the reason that regulations exist in the first place is because the risk of loss and the costs are so real—and so great.

Solving the Problem

The answer for organizations that want to achieve real compliance and real cyber-safety—yet that also plan to remain competitive and to stay in business—is increasingly to turn to MFA methods that don't impose delays or added workflow steps on either clients or internal employees.

In particular, behavioral-biometric and data-driven forms of multi-factor authentication that rely on machine learning to recognize actual employees and customers—without the need for SMS codes or hardware tokens—are proving to be the right solution to enable business to get done without interruptions, and with better security than either SMS-based MFA or hardware tokens can provide.

“For example” #1:

We recently provided a solution to a large regional bank that was struggling with the delays, the overhead, and the employee frustration caused by hardware authenticators like YubiKey, all while facing a regulator that insisted that they find a workable MFA solution quickly.

When newer MFA solutions are in place, bank employees are able to perform on the task at hand—serving depositors—with uninterrupted focus and without delays. © Waihs / Dreamstime

We helped them to deploy behavioral MFA that eliminated the need for constant hardware authenticator use, solving all of these problems in one step and enabling business to be conducted smoothly and without interruptions—all while providing increased security and stronger MFA that doesn't suffer from the weaknesses of SMS authentication or hardware tokens.

“For example” #2:

We've also recently worked with an algorithmic hedge fund to provide a behavioral authentication solution that enables them to safeguard their algorithmic infrastructure. This is key to their ability to carry out trading activity effectively—and drastically reduces their reliance on the multi-step workflows that had previously been required to confirm the identities of on-the-ground employees.

As a result, they're able to guarantee identity and execute on their trading activity in a timely, optimal manner, putting them ahead of the game when competing against other firms in their industry, many of which are still saddled with traditional MFA complexities and delays.

These are the kinds of solutions that banks and financials need to deploy in the months and years ahead if that $5.2 trillion loss figure is to be brought down to something more manageable and less eye-popping.

Yes, we have seen cases in which purchased hardware tokens lined shelves and hadn’t been fully deployed yet—but with organizations wisely moving on to next-generation authentication nonetheless. © Aleksandr Stepanov / Dreamstime

Getting Ahead of the Curve

Of course the difficulty in all of this is that many firms are already embroiled in multi-year strategies to deploy the last round of MFA technologies—like SMS and hardware authenticators—that have now proven to be inadequate.

This can lead to an unhealthy embrace of the sunk cost fallacy. Firms that have already invested time and millions into legacy strategies may be tempted to see them through before beginning to plan the next round of updates—to newer technologies and solutions.

In our opinion, that's the wrong decision. That $5.2 trillion figure comes with the current state of the market already baked in, and under the "let's finish getting SMS MFA out" plan, by the time next-generation solutions are under consideration, it'll already be on the books—and in the hands of crooks.

Instead what needs to happen is a rapid and (dare we say) agile shift—toward getting next-generation solutions onto retail banking, investing, and trading floors now. Yes, there are sunk costs that will have to be written off, and more workflow changes for employees and consumers to learn to navigate.

But these workflow changes will, for once, be toward greater simplicity and transparency at the same time as greater security—and the write-offs will pale in comparison to the $5.2 trillion in coming losses that banks and financials desperately need to find a way to avoid.