At the start of 2023, PayPal disclosed a serious security breach that exposed the personal information of roughly 35,000 PayPal users. Attackers used credential stuffing, replaying username and password pairs leaked from other breaches, to break into accounts and harvest names, addresses, bank details and social security numbers. Attacks on this scale cause not only direct financial loss for fintech companies but also lasting damage to their image and reputation. If a financial institution as large as PayPal can be breached this way, it is only a matter of time before other fintech companies face a similar fate. The impact on affected individuals is drastic as well: the stolen data opens the door to identity theft, putting the safety of those individuals and their families at great risk.
Fintech companies are increasingly targeted by cybercriminals because of the vast amounts of sensitive financial data they hold. They also process a far larger volume of transactions and logins than most other industries, which gives attackers more opportunities for brute-force attacks and phishing. One of the main ways criminals reach this data is by exploiting weak authentication methods.
Passwords have been around for a long time, and it is time to move past them: more sophisticated cracking tools and cheaper computing power have made them highly vulnerable. Many companies already enforce strict password rules covering minimum length and a required mix of alphanumeric and special characters. Even so, users tend to pick memorable phrases and digit sequences, or reuse the same password across multiple accounts, which is exactly what credential stuffing exploits.
According to FirstContact, 57% of users who have already been scammed by phishing still have not changed their passwords. The passwords "Password", "Qwerty" and "123456" are used by over 23 million accounts worldwide. Most users also choose not to enable 2FA on their accounts, because it adds friction and delay to every login.
When it comes to the financial technology sector, there are two major points at which attackers strike to compromise an account:
1) when the user logs in to the fintech app
2) when the user is about to complete a transaction
Attackers today have a plethora of sophisticated tools that let them harvest or replay user credentials within seconds. In a recent interview, Arkose Labs named some of the most commonly used attack kits, including EvilProxy (an adversary-in-the-middle phishing kit that proxies the real login page), Oktapus (a phishing campaign aimed at single sign-on credentials) and OpenBullet (a credential-stuffing tool). These tools are used to carry out many forms of cybercrime and amount to thousands of dollars in losses for companies.
The financial sector has always been a prime target for cybercrime and fraud, and the rapid rise of fintech companies has only amplified the threat. Because fintech companies are mostly digital-first, delivering financial services over the internet, they hold a great deal of vital data that must be protected, which calls for a robust authentication mechanism. According to ImmuniWeb, almost 98% of the top 100 global fintech startups are exposed to security weaknesses such as phishing, brute-force attacks and third-party application vulnerabilities.
Some of the top risks faced by fintech companies include the following:
Fintech companies need a robust, layered mechanism for collecting and securely storing sensitive user information, keeping it well out of reach of the grey market.
The FIDO (Fast IDentity Online) Alliance is an open industry association formed with the aim of reducing the world's reliance on passwords. Backed by some of the world's biggest tech companies, including Google, Apple and Microsoft, the FIDO Alliance has designed a passwordless authentication solution called passkeys. A passkey is a FIDO credential held by an authenticator: a hardware security key (USB or NFC), or a phone or laptop whose built-in biometric sensor or PIN unlocks it to verify the user's identity.
FIDO passkeys are an evolutionary step beyond traditional multi-factor authentication, built on the W3C WebAuthn standard with public-key cryptography as their core working principle. Passkeys let companies eliminate passwords entirely and complete a login with alternative factors such as a biometric check or a security token. At registration, the user's authenticator generates a key pair unique to that service: the public key is sent to the service and stored in its database against the user's account, while the private key never leaves the user's device, where it is protected by the device's secure hardware and unlocked by a fingerprint, Face ID or PIN. A login transmits neither the private key nor the biometric. Instead, the service sends a random challenge, the device signs it with the private key, and the service verifies the signature with the stored public key. If the signature checks out, access to the website or mobile app is granted to that user.
The FIDO Alliance has more than 250 members, including government bodies that actively use its authentication standards. FIDO support is built into almost all browsers, operating systems and consumer devices used for online transactions. Passkeys give users a highly secure and effortless login and transaction experience, making them one of the strongest answers available to the authentication problem.
Passkeys are designed to meet the existing authentication requirements that fintech companies must abide by while delivering an excellent user experience. When a user attempts to log in to a fintech service, the service sends a one-time challenge, the user's device signs it with the private key, and the service checks the signature against the public key it stored at registration. Because the signed data also covers the origin the browser actually observed, and each challenge is valid only once, a captured signature cannot be replayed and a phishing site on a look-alike domain cannot obtain a signature the genuine service will accept.
This approach provides several benefits for fintech companies, including:
While passkeys are still a comparatively new approach and an evolutionary upgrade of existing 2FA mechanisms, passkey-based authentication is a very promising direction for the fintech industry. FIDO's authentication standards are backed by some of the biggest corporate names, such as Google, Apple, Microsoft and eBay. In the financial realm, institutions like PayPal and Bank of America have been among the first to adopt and roll out passkey-based sign-in for their websites and mobile applications in the latter half of 2023. It is time for small and mid-sized fintech companies to step up and join the passwordless movement for a more secure, lower-risk user experience.
Interested in integrating passkeys into your website or mobile application within a single day and saving time, money and resources? Sign up with SoundAuth and join our waitlist for early access to the beta launch!