Oct. 21, 2022
In the first half of 2022, there were 817 data breaches in the U.S., and combined with data leaks and data exposure, they impacted more than 53 million individuals. These are alarming numbers, but they could have been much worse without the use of some form of multifactor authentication (MFA), which is used by many businesses to protect consumer data and transactions.
MFA has long been regarded as an effective means for safeguarding data. It works by allowing an individual to log in to an account via a user ID and password and then, before granting access, sending a separate code via email, text, or push notification to create an additional layer of required knowledge. That two-step approach helps to ensure that the user has several key pieces of information—username, passcode, cell phone or email interface, and a system-generated code— prior to being admitted behind a security system.
But increasingly, common forms of MFA that employ SMS-based texts, one-time passwords, or mobile push notifications are being compromised. In Uber’s widely publicized exposure, a hacker used social engineering to gain access to internal systems. After gaining initial access, the hacker then reportedly impersonated an IT employee to convince a contractor to grant further access following a series of spam authentication requests. The case, still under investigation, has resulted in cyber experts issuing warnings about “authentication fatigue” and the need to strengthen MFA protocols to accommodate it.
Despite these challenges, experts agree that using strong MFA solutions with authenticator apps and tokens are proven deterrents and are most effective, according to the National Institute of Standards and Technology (NIST), when they encompass the following elements:
To that point, the Cybersecurity and Infrastructure Security Agency (CISA) recently released materials promoting Fast Identity Online, or FIDO, as the gold standard of MFA. Built with a cryptographic foundation, FIDO may incorporate biometric authentication and/or a physical key to support stronger MFA protocols. There is also a FIDO 2 standard under development to further enhance security and offer a modern version for authentication without passwords.
With these new developments in mind, community banks can take additional steps to protect their data going forward.
Ensure data and cyber security staff have a say in what MFA standards are implemented. This will help your bank determine which MFA protocols are most secure and work best for your institution. CISA and ICBA’s Cyber and Data Security Resource Center offer good places to start.
Talk to your core, data security, and/or fraud prevention providers. They can help you identify suitable solutions and how best to enhance your existing MFA offerings. If a service or software provider does not offer MFA-enabled products that meet your security standards, raise that to their attention.
Contact ICBA. With such a complicated, evolving topic, ICBA can help you stay up to date on relevant information and direct you to additional resources to meet your specific needs.
Hackers will always seek out the path of least resistance, but by staying vigilant and integrating strong MFA protocols, community banks can fortify their defenses and help keep their sensitive data safe.