Banks Rethink Cybersecurity Amid Rise of Credential-Based Compromise

Highlights

Cybercriminals are using stolen or falsified credentials to access systems, especially in financial institutions, shifting from brute-force attacks to stealthy, trust-based intrusions.

The intricate networks and numerous endpoints in financial services make them especially vulnerable to these attacks, which can originate from even the most trusted sources.

Organizations must move beyond reactive measures and can consider adopting defense-in-depth strategies, zero-trust principles and enhanced collaboration (such as consortiums and audits) to stay ahead of threats.

The image of a hacker furiously typing strings of code to brute-force their way into a corporate server is becoming outdated.

Today, the most dangerous cyber intrusions can come not from forced entries, but from front doors to organizational perimeters being quietly opened with valid credentials. Financial institutions, long the crown jewels of cyber targets, are falling prey not to systems being broken, but to trust being exploited.

It’s an emerging era of credential-based compromise, a new paradigm in cybersecurity where hackers don’t break in, they log in. Cybercrime has evolved from smash-and-grab operations to long cons that rely on psychological manipulation and credential misuse.

The problem is compounded by the operational and administrative complexity of financial services. Financial institutions can operate sprawling networks with millions of users and endpoints. To the fraudster’s hammer, all these endpoints and users can look like a nail.

The PYMNTS Intelligence report “Consumers Struggle with Passwords and Fraud Prevention — Metal Payment Cards Offer a Smarter Alternative,” a collaboration with Arculus by CompoSecure, found that 41% of fraud cases are driven by stolen or falsified credentials.

Defending against this new wave of threats can require more than better tools. It may depend on better habits, smarter systems and a commitment to security as a shared responsibility.

Moving Toward Proactive Defense

The traditional reactive approach to cyber incidents may no longer be sufficient for today’s sophisticated, always-on threat environment. Banks are no longer asking if they will be breached, but when and how prepared they will be.

A data breach and its downstream compromises can come from anywhere.

Vulnerabilities can even come from trusted third parties, as the news earlier this month from the Office of the Comptroller of the Currency (OCC) showed. Hackers were able to intercept over 150,000 emails sent to the agency. Cybersecurity experts are reviewing the security of the OCC’s BankNet and Large File Transfer systems, which many banks use to share supervisory information with the regulator.

Following the OCC breach, J.P. Morgan Chase and Bank of New York Mellon scaled back their electronic information sharing with the OCC due to concerns about potential security risks to their own computer networks.

Ultimately, the days of siloed cybersecurity departments are over. Hackers can log in with stolen credentials, so every employee, vendor and system is a potential vector.

In interviews for the “What’s Next in Payments” series, executives stressed to PYMNTS that a multilayered security strategy, also known as defense in depth, is crucial for reducing risks at various levels. This approach means implementing multiple defensive measures across the enterprise network.

Additionally, key security frameworks like FedRAMP and ISO 27001 can provide a blueprint for organizations to protect their data and ensure they can respond effectively to security incidents.

Trust Nothing and Verify Everything

Within financial services and payments specifically, contextual awareness and data correlation can be crucial tools in the fight against fraud and cyber abuse.

Featurespace founder David Excell and Gasan Awad, senior vice president of enterprise fraud product management at PNC, told PYMNTS in March that successful defenses depend on pattern recognition, expanding the channels through which banks communicate with one another to keep abreast of emerging attack vectors.

Last spring, Intellicheck CEO Bryan Lewis advocated for the development of consortiums and data sharing to bolster identity verification. By pooling resources and sharing verified data, consortiums can establish a robust framework for identity validation, improving trust and confidence in financial transactions.

At the same time, B2B cyber audits can help organizations assess their security posture, identify vulnerabilities and build trust with partners and clients. For C-suite leaders, these audits are not just about compliance but about safeguarding their enterprise’s long-term stability, resilience and trust.

Some of the most forward-thinking firms have their eye toward the horizon and are already beginning the migration to encryption schemes resistant to quantum decryption, following guidelines from the National Institute of Standards and Technology (NIST).