Adapting to new cybersecurity regulations and addressing evolving threats within financial services

In late 2023, the U.S. subsidiary of the Industrial and Commercial Bank of China was hit with ransomware, creating a ripple effect across the U.S. Treasury market. In February 2024, Bank of America reported a breach impacting 57,000 account holders, tied to a compromise at a third-party software provider. And as recently as June, a ransomware attack linked to the US Federal Reserve targeted Evolve Bank, where attackers leaked 33 Tb of sensitive data belonging to thousands of customers. All of these attacks have one thing in common: they’re tied to LockBit, one of the most prolific organized cybercrime groups, known for its ransomware toolkits and a history of exploiting credentials. Despite a coordinated takedown that was years in the making, LockBit continues to be a significant threat.

For the financial sector, which surpassed healthcare as the most breached and most attacked industry in 2023, these cyber risks and trends are a top concern. While it may seem that threat actors are quick to find new points of attack to take organizations down, the reality is that old tactics like phishing remain extremely successful: 80% of all cyber attacks are a result of stolen login credentials. These attacks are harder to spot, often backed by advanced AI systems that scrape the internet to make the campaigns more effective. And they work.

Today, most attacks (74%) can be tied to the human element, including the use of stolen credentials, privilege misuse and phishing. According to reports, individuals working in finance are the second most likely to open a phishing email. Unfortunately, generative AI (genAI) will only accelerate these trends. While generative AI has known benefits, bad actors can also use it to write customized phishing emails at massive scale or to place scam phone calls to thousands of people at once. By automating the most time-, skill- and labor-intensive parts of running phishing campaigns, generative AI makes it possible to dramatically increase the number of attacks and lowers the bar for less capable attackers to get involved in phishing. As FTC Chair Lina M. Khan recently noted, the agency is already seeing AI used to “turbocharge” fraud and scams, impersonating individuals with “eerie precision and at a much wider scale.”

While phishing attacks may become harder to spot, the anatomy of a phishing attack is always the same: an attacker sends an email or text message to a user who has access to corporate systems, tricking the user into entering their password or second-factor one-time passcode (OTP) into the phishing website. That hands the attacker valid credentials they can use to access the system directly, to compromise further users, or to deploy malware or ransomware.

These attacks expose individual banks, credit unions, investment firms and credit card organizations to potential loss of consumer trust, financial risk and the threat of regulatory action, but they can also lead to more systemic operational disruptions.

Tighter security regulations draw focus to adopting modern, phishing-resistant authentication solutions

Effective cybersecurity is about solving the right problems at the right time. There are hundreds of recommended actions across the top regulatory security bodies – many of them conflicting or dated – so it is easy for security advice to feel burdensome or to fall out of sync with the current threat landscape. However, we’re seeing new and revised regulations take note of today’s threats and the risks that arise from human interactions between employees, third parties, customers and the systems with which they interact.

The latest revision of PCI DSS, 4.0, speaks to the need to tie digital identities to individuals, to prove that identity at regular intervals, and to implement strong multi-factor authentication (MFA) in line with best practices. Both the FTC and PCI DSS 4.0 call for MFA that meets NIST Special Publication 800-63’s definition of phishing-resistant MFA – which includes FIDO2/WebAuthn-based authentication or a smart card.

Across financial services, account lockouts due to phishing and credential theft demonstrate the need (and requirement) for strong, phishing-resistant MFA. However, PCI DSS goes one step further and acknowledges (in Section 12) the requirement to ease the reliance on human knowledge, asking for consideration of how users interact with systems and how to make authentication as easy as possible. This question is particularly important when we consider authenticating to shared workstations in call center and retail banking environments or re-authenticating for access to sensitive data or to complete high-risk transactions. 

When evaluating an authentication solution, look for one that is user-centric, strongly tied to identity, and phishing-resistant. All of these considerations point toward an authentication strategy that opens the door to a passwordless future.

Strong, modern authentication is a cornerstone of the passwordless future

Eliminating the use of traditional passwords and legacy MFA tools like one-time passcodes (OTPs) should be the end goal of any authentication program for organizations. Every company is at a different marker on the journey to passwordless, often held back by legacy systems, hardware or third-parties who don’t yet support modern authentication. But every move away from passwords and legacy MFA is a move in the right direction. 

With recent advancements in passwordless—and new on-device authentication solutions—the way an organization can establish and manage a user’s identity credential throughout its lifecycle has evolved to address these growing challenges. To truly prevent phishing attacks, organizations must do more than invest in phishing-resistant authentication—they must focus on developing phishing-resistant users. Moving beyond the technology of phishing-resistant MFA to the end user is key to creating phishing-resistant users who are protected by authentication that travels seamlessly with them across devices, platforms and scenarios.

Phishing-resistant MFA built on the FIDO2/WebAuthn standard, such as physical security keys like the YubiKey, is the first step in meeting today’s complex regulatory requirements and shutting down phishing attacks. Once there, organizations are poised to use FIDO2 passwordless-enabled credentials, now known as passkeys, to go passwordless—eliminating all passwords during login and across the authentication lifecycle. Device-bound passkeys like the YubiKey enable organizations to foster phishing-resistant users by securing every stage of the online account lifecycle, including onboarding, authentication and account recovery.
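Why a FIDO2/WebAuthn credential cannot be captured the way the password or OTP in the phishing scenario above can comes down to origin binding: the browser, not the web page, writes the page's real origin into the signed client data, it refuses to use a credential whose relying-party id does not match the page's domain, and the relying party verifies origin, relying-party id hash and a single-use challenge before accepting the signature. The Python sketch below is an added example to illustrate those checks; it is not Yubico's code or any product's implementation. It uses HMAC as a stand-in for the authenticator's private-key signature (real authenticators use public-key algorithms such as ES256 over the same bytes), and the names `bank.example`, `bank-login.example`, `RP_ID`, `RP_ORIGIN` and the user `alice` are constructed for the example.

```python
# Added example (not Yubico's code): simplified WebAuthn assertion flow.
# HMAC stands in for the authenticator's private-key signature; the origin
# and rpIdHash checks are what make the credential useless on a phishing site.
import hashlib
import hmac
import json
import secrets
from urllib.parse import urlparse

RP_ID = "bank.example"              # constructed relying-party identifier
RP_ORIGIN = "https://bank.example"  # origin the relying party expects to see


class Authenticator:
    """Security key model: one credential per rp_id, created at registration."""

    def __init__(self):
        self._keys = {}

    def register(self, rp_id):
        self._keys[rp_id] = secrets.token_bytes(32)
        return self._keys[rp_id]  # stand-in for the public key the RP stores

    def get_assertion(self, rp_id, client_data_json):
        key = self._keys[rp_id]  # KeyError if no credential is scoped to rp_id
        # authenticatorData = rpIdHash || flags || signCount
        auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + bytes(4)
        signed = auth_data + hashlib.sha256(client_data_json).digest()
        return {"clientDataJSON": client_data_json, "authenticatorData": auth_data,
                "signature": hmac.new(key, signed, "sha256").digest()}


def browser_get(authenticator, page_origin, rp_id, challenge):
    """Model of navigator.credentials.get(): the browser, not page script, writes
    the real origin into clientDataJSON and only accepts an rp_id that equals
    the page's host or is a parent domain of it."""
    host = urlparse(page_origin).hostname
    if not (host == rp_id or host.endswith("." + rp_id)):
        raise PermissionError(f"rp_id {rp_id} not valid for origin {page_origin}")
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": page_origin}, sort_keys=True).encode()
    return authenticator.get_assertion(rp_id, client_data)


class RelyingParty:
    def __init__(self, rp_id, origin):
        self.rp_id, self.origin = rp_id, origin
        self.pending, self.credentials = {}, {}

    def new_challenge(self, user):
        self.pending[user] = secrets.token_urlsafe(32)
        return self.pending[user]

    def verify(self, user, assertion):
        """True only if challenge, origin, rpIdHash and signature all check out."""
        challenge = self.pending.pop(user, None)  # single use, so a replay fails
        cd = json.loads(assertion["clientDataJSON"])
        if cd.get("type") != "webauthn.get" or cd.get("challenge") != challenge:
            return False
        if cd.get("origin") != self.origin:  # origin binding
            return False
        auth_data = assertion["authenticatorData"]
        if auth_data[:32] != hashlib.sha256(self.rp_id.encode()).digest():
            return False
        signed = auth_data + hashlib.sha256(assertion["clientDataJSON"]).digest()
        expected = hmac.new(self.credentials[user], signed, "sha256").digest()
        return hmac.compare_digest(expected, assertion["signature"])


def enrolled_user():
    rp, authn = RelyingParty(RP_ID, RP_ORIGIN), Authenticator()
    rp.credentials["alice"] = authn.register(RP_ID)
    return rp, authn


def legitimate_login():
    """Returns (first verify, replay of the same assertion)."""
    rp, authn = enrolled_user()
    assertion = browser_get(authn, RP_ORIGIN, RP_ID, rp.new_challenge("alice"))
    return rp.verify("alice", assertion), rp.verify("alice", assertion)


def relay_from_origin(page_origin):
    """A page at page_origin relays the bank's real challenge to the victim."""
    rp, authn = enrolled_user()
    try:
        browser_get(authn, page_origin, RP_ID, rp.new_challenge("alice"))
    except PermissionError:
        return "browser refused"
    return "assertion issued"


def tampered_client_rejected(phish_origin="https://bank-login.example"):
    """A tampered client that skips the browser check still signs over the
    phishing origin, so the relying party rejects the relayed assertion."""
    rp, authn = enrolled_user()
    client_data = json.dumps({"type": "webauthn.get", "origin": phish_origin,
                              "challenge": rp.new_challenge("alice")}, sort_keys=True)
    return rp.verify("alice", authn.get_assertion(RP_ID, client_data.encode()))


if __name__ == "__main__":
    print(legitimate_login(), relay_from_origin("https://bank-login.example"),
          tampered_client_rejected())
```

Run as a script it prints `(True, False) browser refused False`: the genuine login succeeds once and its replay fails, the look-alike domain never gets an assertion at all, and an assertion produced anyway on that domain fails the relying party's origin check. Contrast this with the OTP flow in the text, where nothing ties the code the user typed to the site that asked for it.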

For more about the latest requirements for PCI DSS 4.0, we welcome you to check out our recent webinar. Learn how to accelerate financial services from legacy MFA to modern passkey authentication in our other webinar here, as well as our whitepaper here for more insights into staying ahead of modern cyber threats.
