Lax Security Courts Liability, Says US CFPBRegulator Urges Adoption of Web Authentication MFA
A U.S. financial regulator concerned with consumer safety is encouraging banks to adopt passwordless logon to avoid post-data breach liability.
The Consumer Financial Protection Bureau in a new policy statement says the lenders under its jurisdiction run afoul of its prohibition against unfair acts or practices by failing to have adequate data protection.
The agency's statute authorizes it to police practices that likely cause a substantial injury to consumers when they can't be reasonably avoided and are unalleviated by other benefits. Poor cybersecurity is such a practice, the agency says. "Consumers cannot reasonably avoid the harms caused by a firm's data security failure," the new policy statement says. The agency is unaware of any instance when a court found countervailing benefits outweigh poor data security practices, it adds.
Lenders can take steps to avoid liability under the CFPB's prohibition of unfair practices by taking steps to mitigate the severity and avoidability of a data breach, the agency says.
Among them are multifactor authentication, including adoption of the Web Authentication method of consumer logon. Web authentication is "especially important," the agency says.
The standard, part of the FIDO2 Framework, turns devices such as a smartphone with a biometric scanner into a logon credential. It works when a bank or other institution agrees to accept a unique public-private key combination in the place of a traditional username and password. The private key necessary to activate the logon is stored on the user's device, which asks for proof of the user's identity, such as a facial scan or fingerprint reading.
Boosters of Web Authentication say it's better than other types of multifactor authentication such as one-time passcodes, which are susceptible to spoofing attacks. Hackers have increasingly turned to phishing messages with fake logon sites and capturing one-time passcodes (see: Microsoft Says Phishing Campaign Skirted MFA to Access Email).
"This is the first time a U.S. financial regulator has specifically recommended FIDO as being better than other forms of MFA," says Jeremy Grant, a managing director at Venable and an Information Security Media Group contributor.
Other steps lenders can take to avoid liability with the CFPB include better internal password management policies. Those policies should include monitoring for breaches at other sites, given people's propensity to reuse logons and passwords.
Lenders should also be updating software in a timely manner, the agency says. For an example of what not to do, it cites credit reporting agency Equifax. The Atlanta-based firm in 2017 failed to update a web server loaded with open-source web application framework Apache Struts, allowing Chinese military hackers to make off with data identifying about half of all Americans.
CFPB joined the Federal Trade Commission and 48 states to sue Equifax, a lawsuit that ended with Equifax agreeing to a multimillion-dollar settlement in 2019.