US regulator urges MFA and puts banks on notice – not reasonably protecting data is illegal
A U.S. consumer finance regulator has published a circular warning that insufficient security for consumer biometric and other personal data is illegal under federal law. Multi-factor authentication is singled out as a method of making data security sufficient.
Anyone reading that who still thinks it will never happen to them is invited to read on to find out about the tech companies that were just targeted.
The Consumer Financial Protection Bureau says that not protecting the data can be found to be an unfair practice under 12 U.S.C. 5536 for financial institutions. Officials cite preventative practices that can minimize risk.
Using industry standards to secure consumer data is a reasonable way to avoid harm, according to the bureau. And doing so is not “outweighed by countervailing benefits to consumers or competition.”
The bureau says it is confident that no court has found, or will find, a countervailing benefit that outweighs the injury a consumer suffers, or is likely to suffer, because of poor security practices.
Inadequate software update policies, identity authentication and password management “are likely to cause substantial injury to consumers.” What is more, injury can be found even where no data breach has occurred, because the loss of some kinds of data could cause great and irreparable damage.
The bureau points out that multi-factor authentication (it cites the standards promoted by the FIDO Alliance), strict password management and timely software updates all make it harder to steal or leak biometric and other consumer data.
Nothing is foolproof, however.
Tech and science publication Ars Technica has reported that two digital security companies were hit with phishing attacks by “an advanced threat actor.”
Three employees at content delivery and web security provider Cloudflare fell for the attack. The company appears to have been spared unauthorized access to its systems because its employees authenticate with hardware security keys: a FIDO/WebAuthn key signs the origin the browser is actually on, so a login captured on a lookalike domain cannot be replayed against the real one.
Twilio, a communications platform that also sells two-factor authentication services, was not so lucky. Multiple employees were fooled into disclosing credentials that were then used to reach internal systems and, through them, multiple customer accounts.
Ars Technica has a detailed outline of how the attacks, apparently related, were accomplished.
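To make the difference between the two outcomes concrete, here is an added example (it is not from the article, Ars Technica, Cloudflare or Twilio). It simulates a phishing proxy that relays a victim's password and one-time code to the real site, which succeeds, and then the same proxy against a WebAuthn-style hardware key, which fails because the browser, not the user, writes the page origin into the signed client data and the relying party rejects any origin but its own. The origins login.example.com and login-example.com are hypothetical, and an HMAC under a per-credential key stands in for the authenticator's public-key signature.

```python
"""Phishable TOTP versus origin-bound WebAuthn assertions.

Added illustration, not code from the article or the companies it names.
Origins below are made up; HMAC replaces the real public-key signature.
"""
import base64
import hashlib
import hmac
import json
import secrets
import struct

RP_ORIGIN = "https://login.example.com"       # hypothetical real site
PHISH_ORIGIN = "https://login-example.com"    # hypothetical lookalike


# ---- TOTP (RFC 6238): the code is just six digits, tied to no site ------
def totp(seed: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    counter = struct.pack(">Q", now // step)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % (10 ** digits):0{digits}d}"


class TotpService:
    """Relying party that checks password + TOTP. It has no way to know
    which page the user typed the code into, so a relayed code is accepted."""

    def __init__(self, password: str, seed: bytes):
        self.password, self.seed = password, seed

    def login(self, password: str, code: str, now: int) -> bool:
        return (hmac.compare_digest(password, self.password)
                and hmac.compare_digest(code, totp(self.seed, now)))


# ---- WebAuthn-style flow: the origin is inside the signed data ----------
class Authenticator:
    """Hardware key. The browser fills in the origin of the requesting page
    and the key signs it; the user never gets to type or alter it."""

    def __init__(self):
        self.cred_key = secrets.token_bytes(32)   # stands in for a keypair

    def get_assertion(self, challenge: str, origin: str) -> tuple[bytes, bytes]:
        client_data = json.dumps(
            {"type": "webauthn.get", "challenge": challenge, "origin": origin},
            sort_keys=True).encode()
        sig = hmac.new(self.cred_key, hashlib.sha256(client_data).digest(),
                       hashlib.sha256).digest()
        return client_data, sig


class WebAuthnService:
    """Relying party: verifies the signature, then insists the signed origin
    is its own and the challenge is one it issued and has not yet consumed."""

    def __init__(self, authenticator: Authenticator):
        self.cred_key = authenticator.cred_key    # learned at registration
        self.pending: dict[str, bool] = {}

    def begin(self) -> str:
        challenge = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()
        self.pending[challenge] = True
        return challenge

    def finish(self, client_data: bytes, sig: bytes) -> bool:
        expected = hmac.new(self.cred_key, hashlib.sha256(client_data).digest(),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(sig, expected):
            return False
        cd = json.loads(client_data)
        if cd.get("type") != "webauthn.get" or cd.get("origin") != RP_ORIGIN:
            return False                      # signed for the wrong site
        return self.pending.pop(cd.get("challenge"), False)


# ---- Scenarios ----------------------------------------------------------
def phish_totp() -> bool:
    """Victim enters password and current code on the lookalike; the attacker
    forwards both to the real service within the same 30-second window."""
    seed = secrets.token_bytes(20)
    svc = TotpService("hunter2", seed)
    now = 1_660_000_000                       # fixed clock for determinism
    stolen_password, stolen_code = "hunter2", totp(seed, now)
    return svc.login(stolen_password, stolen_code, now)   # attacker is in


def phish_webauthn() -> bool:
    """Same proxy, but the victim's browser is on PHISH_ORIGIN, so that is
    the origin the key signs, and the real service rejects it."""
    key = Authenticator()
    svc = WebAuthnService(key)
    challenge = svc.begin()                   # proxy relays the real challenge
    client_data, sig = key.get_assertion(challenge, PHISH_ORIGIN)
    return svc.finish(client_data, sig)


def legit_webauthn() -> bool:
    key = Authenticator()
    svc = WebAuthnService(key)
    challenge = svc.begin()
    client_data, sig = key.get_assertion(challenge, RP_ORIGIN)
    return svc.finish(client_data, sig)


if __name__ == "__main__":
    print("relayed TOTP accepted:      ", phish_totp())
    print("relayed WebAuthn accepted:  ", phish_webauthn())
    print("genuine WebAuthn accepted:  ", legit_webauthn())
```

The origin check in `finish` is the whole story: a real relying party performs the same comparison on `clientDataJSON.origin` (and on the RP ID hash in the authenticator data), which is why hardware keys survive a phishing page that a one-time code does not. Consuming the challenge on first use also blocks replay of a captured assertion.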