Identity attacks in the financial sector: Why strong, hardware-based authentication is now essential
16/07/2025 by Jan Quack
In my latest blog post, I take a closer look at the financial sector. What challenges does the industry face? What solutions exist, and what are their benefits? Finally, I share my conclusion.
Introduction
The financial industry has always been a favorite target for professional cybercriminals. With the increasing digitization of banking transactions, customer portals, and internal processes, the attack surface is shifting more and more to digital identities. Today, an attack on a financial institution often no longer requires access to the data center; a compromised account is frequently sufficient.
In this article, I examine:
- Which identity attacks are currently most relevant
- Which legal requirements mandate protective measures
- Why strong, hardware-based authentication – for example, with the iShieldKey – is the right answer
- What specific benefits decision-makers can derive from this
1. Cyberattacks on identities: The underestimated vulnerability
Digital identities are now the key to almost all systems in banks, insurance companies, and FinTechs. Cybercriminals specifically target digital identities to steal or circumvent them. The most common forms of attack include:
- Phishing (and spear phishing)
- Man-in-the-middle attacks
- Credential stuffing
- SIM swapping
- Session hijacking
Of these attack vectors, phishing is the most common. According to the Trustwave 2024 Financial Services Threat Report, 49% of cyberattacks in the financial sector are phishing-related. A security incident caused by such an attack can also be very costly: a recent IBM report revealed that the average cost of a data breach in finance reached $5.9 million in 2024.
Physical access is also often overlooked:
Employee end devices, access to terminal servers, or remote access in branches are attack vectors if they are not secured by strong local authentication. But an open office door or access to a sensitive area such as a data center can also be a potential vector for an attack. Have you ever thought about what could happen if an attacker gained physical access to an admin workstation or a development computer?
2. Regulatory requirements: Clear guidelines for secure authentication
The legal requirements are clear – especially regarding the protection of sensitive data, access and infrastructure. Particularly relevant are:
- In the EU: PSD2, FIDA, DORA, NIS2, KRITIS
- In the US: 23 NYCRR 500, GLBA + FTC Update, CISA, SEC Cybersecurity Rules
- Global: ISO 27001, PCI-DSS
All these require not only digital security measures, but also that physical access to critical IT systems be strictly controlled and traceable. This includes who uses which device when and where – and how to ensure that this use was authorized.
3. The solution: Phishing-resistant, hardware-based authentication – digital and physical
A comprehensive security approach protects identities both digitally and physically. The iShieldKey combines these requirements in a single, highly secure authentication token.
Digital authentication:
- FIDO2 support: Phishing-resistant, passwordless, locally validated.
- Certificate-based authentication: Secure for VPNs, Windows logins, VDI, or zero-trust environments.
- Private key remains on the device: Protection against theft or malware.
Physical access:
- Lockable access to workstations, branch terminals, or retail workstations.
- Integration into building control systems possible: One token for door access AND login – a combined physical-digital security architecture.
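To show why the FIDO2 login described above resists phishing, here is an added example (not Swissbit's or the iShieldKey's code) of the relying-party checks a bank's server performs on a WebAuthn assertion. It assumes constructed names ("bank.example", a look-alike "bank-login.example") and replaces the token's ECDSA signature with an HMAC so the example runs on the Python standard library alone; the point is that the origin and RP ID hash are inside the signed data, so an assertion obtained on a look-alike site is rejected and a non-advancing signature counter flags a cloned key.

```python
import base64, hashlib, hmac, json, struct

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def parse_authenticator_data(auth_data: bytes) -> dict:
    # WebAuthn authenticatorData layout: rpIdHash(32) | flags(1) | signCount(4, big-endian)
    if len(auth_data) < 37:
        raise ValueError("authenticatorData too short")
    return {"rp_id_hash": auth_data[:32], "user_present": bool(auth_data[32] & 0x01),
            "sign_count": struct.unpack(">I", auth_data[33:37])[0]}

def verify_assertion(rp_id, origin, challenge, last_count, client_data_json, auth_data, signature, verify_sig):
    # Relying-party side of a FIDO2 login; returns (accepted, reason).
    cd = json.loads(client_data_json)
    if cd.get("type") != "webauthn.get":
        return False, "type"
    if cd.get("challenge") != b64url(challenge):
        return False, "challenge"        # stale or foreign challenge
    if cd.get("origin") != origin:
        return False, "origin"           # the browser recorded a look-alike site's origin
    ad = parse_authenticator_data(auth_data)
    if ad["rp_id_hash"] != hashlib.sha256(rp_id.encode()).digest():
        return False, "rpIdHash"         # credential is scoped to another domain
    if not ad["user_present"]:
        return False, "user presence"    # no touch on the token
    if (ad["sign_count"] or last_count) and ad["sign_count"] <= last_count:
        return False, "sign count"       # counter did not advance: possible cloned key (0/0 = unsupported)
    if not verify_sig(auth_data + hashlib.sha256(client_data_json).digest(), signature):
        return False, "signature"
    return True, "ok"

# Constructed authenticator: an HMAC over a device-resident secret stands in for the
# token's ECDSA signature; a real relying party would store only the public key.
DEVICE_SECRET = b"constructed-device-secret"
def sign(msg): return hmac.new(DEVICE_SECRET, msg, hashlib.sha256).digest()
def verify_sig(msg, sig): return hmac.compare_digest(sign(msg), sig)
def make_assertion(rp_id, origin, challenge, count, flags=0x05):
    # The browser, not the page, fills in origin and rp_id, and the token signs over both.
    cdj = json.dumps({"type": "webauthn.get", "challenge": b64url(challenge), "origin": origin}).encode()
    auth_data = hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", count)
    return cdj, auth_data, sign(auth_data + hashlib.sha256(cdj).digest())

def demo():
    chal, rp, orig = b"constructed-challenge-bytes", "bank.example", "https://bank.example"
    good = make_assertion(rp, orig, chal, 42)
    phish = make_assertion("bank-login.example", "https://bank-login.example", chal, 43)
    return {"legit": verify_assertion(rp, orig, chal, 41, *good, verify_sig),
            "phishing": verify_assertion(rp, orig, chal, 41, *phish, verify_sig),
            "replay": verify_assertion(rp, orig, chal, 42, *good, verify_sig)}
```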
Example: An iShieldKey can be a prerequisite for starting a work computer or accessing confidential customer files – whether in the office or via remote access. No token, no access.
4. Business case for decision-makers: An investment with a high return
Holistic protection of IT and infrastructure
By combining digital and physical access protection, companies can centralize and simplify their security architecture. The key supports FIDO2 and PIV as well as major physical access systems such as MIFARE, HID and LEGIC.
Compliance-ready with minimal effort
Hardware authentication complies with current regulations by design. It integrates easily with existing identity and access management platforms through modern phishing-proof authentication mechanisms.
Employee-friendly and future-proof
A token replaces password lists, TAN procedures, SMS codes, and multiple logins – user acceptance is demonstrably high. The key can also be updated and patched if necessary. There is no longer any need to collect outdated keys and replace them with keys running the latest firmware. Ready for today and the day after tomorrow!
Significantly lower risk of data leaks
A lost device is not a problem if access is tied to a hardware token that is carried separately from the device.
5. Conclusion: Security begins with identity – and does not end at the office door
Modern attacks no longer distinguish between physical and digital access. Strong authentication with hardware tokens such as the iShieldKey offers comprehensive protection against identity theft – phishing-proof, compliant, and easy to integrate into the everyday life of employees and your highly valued customers. And with Swissbit, you gain a trusted European partner ready to secure your digital transformation journey.
Would you like to consider your physical and digital access together?
We would be happy to show you how you can build a scalable security architecture with a hardware token without compromising productivity. Convince yourself of our expertise and just contact us!