ATO fraud is on the rise
The financial services sector remains a prime target for account takeover (ATO) fraud, with malicious actors persistently taking advantage of the existing security landscape. According to Sift’s Q3 2023 Digital Trust & Safety Index, the cost of account takeover attacks is over $635 billion, with the FinTech market in particular seeing an increase in 808% in attacks year over year.
In many cases, phishing attacks are employed to trick customers into clicking on an email-based link to a decoy site where they unwittingly provide their username and password credentials. Additionally, with the availability of advanced tools and bots that perform a multitude of credential-based attacks, along with databases for purchase on the dark web with millions of username and password combinations, fraudsters attempting to access user accounts at scale is also a relatively fast, easy and low-cost effort. These are just two of the most popular ATO techniques employed, but unfortunately there are many, many more including social engineering, malware and data exfiltration.
Although most countries have regulatory mandates that require additional layers of security for multi-factor authentication (MFA) to mitigate this risk, the reality is that it’s not always implemented properly, and even if when it is, it is no longer effective at combating fraud.
For example, one of the most common MFA methods used are one-time passcodes (OTPs) delivered over SMS or voice. However, there are now numerous methods such as eavesdropping, smishing and vishing that enable the bad actors to harvest these codes to gain access to the victim’s account.
The foundational reason for all the above-mentioned vulnerabilities is the fact that passwords continue to serve as the primary factor of user authentication as they have for the past 60 years.
How passkeys can stop phishing attacks
Fortunately, there’s a new and fast-growing alternative to passwords that promises to change the way consumers create and access their accounts: passkeys. Passkeys are a more secure replacement for passwords that also make it faster and easier to sign in. Passkeys are accessed the same way we unlock our phones by using biometrics such as Touch ID and Face ID.
From a security perspective, passkeys are phishing-resistant and cannot be easily leveraged in ATO fraud. There are several key features of passkeys that make this possible:
- Passkeys are bound to a website domain — Unlike passwords, which people tend to reuse across all their digital accounts, passkeys on the other hand are digital keys that are machine generated and uniquely tied to each website domain. This means that email-based phishing attacks that lure users to domains with replica websites are thwarted as the passkey will simply not work.
- Passkeys are based on public-private key pairs — Unlike passwords which reside in a single, central repository as a shared secret on the bank’s backend, passkeys rely on public key cryptography. This means that when a user creates a passkey for a given website, a public-private key pair is generated. The website stores only the public key and, if compromised, is meaningless. Only when the public and private keys are used together can a valid authentication request be made.
- Passkeys are limited to a user’s trusted devices only — A passkey is protected by the device’s secure enclave and is only accessible by the user via their biometrics or PIN. Leveraging the platform vendor’s cloud, the passkey can be automatically synced to other registered devices belonging to the user. So, a passkey created on an iPhone can be synced to the user’s iCloud Keychain and accessible on any of their other registered Apple devices. This feature significantly improves the usability of passkeys allowing them to be used across all the user’s trusted devices from just one registration event.
Passkey adoption
There are over 4 billion devices today that support passkeys, including smartphones, tablets and desktop computers across the operating systems from Apple, Google and Microsoft. The markets seeing the majority of the initial adoption have been in eCommerce, Travel & Hospitality and Finance, and include brand names such as Amazon, Best Buy, eBay, Google, Kayak, PayPal and Robinhood.
Passkeys are a great start, but there’s more work to be done
Although passkeys offer a significant security improvement over current password-based approaches, there’s still more work that needs to be done. Many financial services have requirements to meet high levels of assurance that a given user is indeed who they say they are.
Although passkeys are, by design, a multi-factor credential (something you have, something you are), the fact that it can be synced across devices does introduce an element of risk. In other words, how can we be sure that the authenticating device presenting the passkey belongs to that user, especially if the device has not been seen before?
The FIDO Alliance (the standards body for passkeys) has new requirements under proposal to extend the specifications that would enable Supplemental Security Keys to be used as a means of providing additional attestation to an authentication request. This metadata would provide information on the device itself to be used as another signal for the organization’s risk engine.
In the meantime, though, organizations can still use passkeys as an integrated part of their multi-tiered strategy in conjunction with behavioral analytics, device fingerprinting and a host of other risk signals.
Conclusion
Passkeys are gaining momentum as a replacement for legacy passwords and MFA approaches. Their advanced security and usability give financial services a huge upper hand in combating ATO fraud and phishing attacks while also offering a wealth of additional business benefits such as increased account creation rates, reduced SMS OTP costs and faster and more successful sign-ins.
To learn more about why the financial sector is better off with passkeys, read our whitepaper here.
To learn more about how Trusona can help you quickly passkey-enable your website, visit here.
