In an SEC filing on Wednesday, First Horizon Bank of Tennessee revealed that “an unauthorized party” used stolen login credentials, together with a vulnerability in third-party security software, to access under 200 online customer accounts and fraudulently obtain less than $1 million from some of them. Excerpt:
In mid-April, First Horizon Corporation (the “Company”) became aware of a data security incident affecting a limited number of customer accounts. Based on its ongoing investigation, the Company determined that an unauthorized party had obtained login credentials from an unknown source and attempted access to customer accounts. Using the credentials and exploiting a vulnerability in third-party security software, the unauthorized party gained unauthorized access to under 200 online customer bank accounts, had access to personal information in those accounts, and fraudulently obtained an aggregate of less than $1 million from some of those accounts.
<p>The First Horizon data breach is a stark reminder of the danger the financial services industry faces as long as it relies on usernames and passwords. According to the Verizon Data Breach Investigations Report (DBIR), over 80% of hacking-related breaches involve brute force or the use of lost or stolen credentials. Passwords are often weak or reused, and they can be phished, guessed, or brute-forced.</p>
<p>Traditional two-factor authentication (2FA) using a one-time password (OTP), typically a 6-digit code sent over SMS, is also vulnerable to an adversary-in-the-middle (AiTM) attack: a phishing page can prompt the user for the code and relay it to the real site within its validity window, and a SIM-swap attack can redirect the SMS itself. The National Institute of Standards and Technology (NIST) reflects this in SP 800-63B, which classifies SMS as a “restricted” out-of-band authenticator: better than a password alone, but still not good enough. A more modern approach is passwordless authentication such as “Phone as a Token” and/or FIDO2 security keys. A FIDO2 credential is a public-key pair bound to the web origin it was registered on, so a phishing site on another domain cannot obtain a usable assertion, and the server holds no shared secret for an attacker to steal.</p>
<p>The authentication method and the user journey can also be adapted to the situational risk, based on the nature of the transaction, geolocation, and user behavior. Both methods establish a tighter trusted relationship between the registered user and their authentication credentials, reducing the possibility of credential theft and mitigating potential data breaches. They can be deployed for consumers as well as internal employees, and they offer much less friction for the end user, improving experience and productivity in the process.</p>