Passwords are ubiquitous. In any digital ecosystem, passwords are the predominant authentication credentials to login to systems. As a result, password credentials are one of the most vulnerable forms of IT assets. Passwords are often the soft target for compromised corporate insiders and organized cyber criminals.
Against this backdrop, passwordless authentication is gaining prominence among IT professionals. However, this approach cannot be used everywhere. For example, a passwordless approach for customer identity and access control is frictionless and improves the end-user experience. Nevertheless, for critical infrastructure, passwords are crucial in the entire multi-factor authentication (MFA) process.
Financial service providers are one of the most targeted industries by cyber criminals. Financial service providers have faced numerous cyber incidents in the last couple of years, mainly related to password misuse or abuse. While switching entirely to passwordless authentication methods is debatable, financial service providers can significantly reduce the password breach attack vector, thereby securing the critical infrastructure by reinforcing password management.
But are Financial Service Providers Doing Enough?
Recently, a reputed financial services provider from the APAC region faced hacking of more than 100,000 credit card payment terminals due to an employee’s password leak. The organization facilitates banks, acquirers, fintechs, telecom operators, and industry solution providers with financial services in the most cost-effective and convenient ways.
After the incident, the organization did a detailed investigation and found the following loopholes:
- The organized cyber criminal group breached hundreds of passwords to gain access to their cloud dashboard
- The passwords were stolen by malware in disguise of a genuine user
- An ‘admin’ account on the cloud dashboard was surprisingly found on a dark web marketplace, which made the cyber criminals’ jobs easy
- The cloud dashboard lacked basic security features such as user authentication (multi-factor authentication) to ensure that access came from a legitimate user
The Lesson Learnt:
An organization with more than a hundred offices across the globe definitely possesses a huge amount of data. Typically, large financial services providers have a huge network user base comprising of IT administrators, privileged users, and ad hoc privileged users.
In addition, if an organization has a hybrid work environment, then additional security measures are mandatory to protect enterprise data from users’ anomalies and stay compliant with global regulatory standards.
The scale of risk is higher when it comes to financial organizations and financial service providers. After all, the payment gateways/payment terminals and payment service networks are responsible for consolidating, integrating, and processing payments through multiple channels. As a result, even a minute compromise with the access security infrastructure could be catastrophic.
For such large IT environments, financial services providers must implement the following basic password management best practices:
- Always avoid using default admin passwords
- Passwords must never be maintained and shared in excel sheets
- Implement a mechanism to randomize and rotate passwords at frequent intervals
- All passwords should be vaulted and encrypted
However, one more lesson learned from this incident is that organizations must safeguard their cloud infrastructure as the workloads are being kept in hosted environments. Security vulnerabilities in cloud computing arise when there is a lack of visibility and control over cloud resources’ users. As a result, database passwords, cloud access keys, SSH keys, and other forms of credentials become exposed to misuse.
Passwords are the gateways to critical IT assets. Strengthening passwords is like making your access gates strong enough to prevent any intrusion. Without adequate password protection measures, an enterprise might lose its integrity and credibility beyond recovery.