First Horizon Bank Accts Breached by “Unauthorized Party”, Millions Removed

BACKGROUND:

In an SEC filing on Wednesday, First Horizon Bank of Tennessee revealed that login credentials were used by “an unauthorized party,” who exploited third-party security software to remove millions from approximately 200 accounts. Excerpt:

In mid-April, First Horizon Corporation (the “Company”) became aware of a data security incident affecting a limited number of customer accounts. Based on its ongoing investigation, the Company determined that an unauthorized party had obtained login credentials from an unknown source and attempted access to customer accounts. Using the credentials and exploiting a vulnerability in third-party security software, the unauthorized party gained unauthorized access to under 200 online customer bank accounts, had access to personal information in those accounts, and fraudulently obtained an aggregate of less than $1 million from some of those accounts.

Expert Comments

May 04, 2021
Rajiv Pimplaskar
Vice President
Veridium


The First Horizon data breach is a stark reminder of the imminent dangers within the financial services industry due to the reliance on usernames and passwords. According to the Verizon Data Breach Investigations Report (DBIR), over 80% of data breaches occur due to credential theft resulting from passwords. Passwords are often weak or reused and can be easily stolen, guessed, or brute-forced.  


Traditional Two-Factor Authentication (2FA) using a One-Time Password (OTP), which is typically a 6-digit PIN sent over SMS, is also susceptible to a Man-in-the-Middle (MITM) attack. The National Institute of Science and Technology (NIST) confirms this and indicates that while OTP over SMS is better than just the password alone, it is still not good enough. A more modern approach is to leverage passwordless authentication methods such as “Phone as a Token” and/or FIDO2 security keys.


The authentication method, as well as the user journey, can be intelligently adapted to the situational risk, taking into account the nature of the transaction, geolocation, and user behavior. Both methods are more secure and ensure a tighter trusted relationship between the registered user and their authentication credentials, reducing the possibility of credential theft and mitigating against potential data breaches. Such technologies can be deployed for both consumers and internal employees, and also offer much less friction for the end user, improving their experience and productivity in the process.

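One way to implement the risk-adaptive step-up authentication the comment describes, as an added example that is not part of the article or of any vendor product: the signals, weights and thresholds are assumptions, and SMS OTP is only accepted on low-risk attempts because of the phishing weakness noted above.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class LoginContext:
    """Signals gathered for one login or transaction attempt (assumed schema)."""
    new_device: bool          # device fingerprint never seen for this user
    geo_km_from_last: float   # distance from the last successful login
    hours_since_last: float   # time elapsed since that login
    transfer_amount: float    # 0.0 for a plain login or balance view
    failed_logins_24h: int    # recent failed attempts on this account

def risk_score(ctx: LoginContext) -> float:
    """Combine the signals into a score in [0, 1]; weights are illustrative."""
    score = 0.0
    if ctx.new_device:
        score += 0.35
    # "impossible travel": implied speed above ~900 km/h since the last session
    if ctx.hours_since_last > 0 and ctx.geo_km_from_last / ctx.hours_since_last > 900:
        score += 0.40
    elif ctx.geo_km_from_last > 500:
        score += 0.15
    if ctx.transfer_amount >= 10_000:
        score += 0.30
    elif ctx.transfer_amount > 0:
        score += 0.10
    if ctx.failed_logins_24h >= 5:
        score += 0.20
    return min(score, 1.0)

def acceptable_methods(ctx: LoginContext) -> list[str]:
    """Authentication methods that satisfy this attempt, strongest first.

    SMS OTP is phishable, so it is only accepted on low-risk attempts; medium
    risk requires a passwordless method, and high risk requires FIDO2 alone.
    """
    r = risk_score(ctx)
    if r < 0.20:
        return ["fido2", "phone_as_token", "password+sms_otp"]
    if r < 0.50:
        return ["fido2", "phone_as_token"]
    return ["fido2"]

def authenticate(ctx: LoginContext, method_used: str) -> bool:
    """Policy decision: was the presented method strong enough for this risk?"""
    return method_used in acceptable_methods(ctx)

if __name__ == "__main__":
    # Constructed sample: a known device moving 8000 km in two hours
    suspicious = LoginContext(False, 8000.0, 2.0, 0.0, 0)
    print(risk_score(suspicious), acceptable_methods(suspicious))
```

The score thresholds are where a bank would tune friction against fraud loss; the point is that the weakest factor (SMS OTP) is never the only option once any risk signal fires.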
