
In my latest blog post, I take a closer look at the financial sector. What challenges does the industry face? What solutions exist, and what are their benefits? Finally, I share my conclusion.
The financial industry has always been a favorite target for professional cybercriminals. With the growing digitization of banking transactions, customer portals, and internal processes, the attack surface is shifting to digital identities. Attacking a financial institution today often no longer requires access to the data center; a compromised account is often sufficient.
In this article, I examine:
Digital identities are now the key to almost all systems in banks, insurance companies, and FinTechs. Cybercriminals specifically target digital identities to steal or circumvent them. The most common forms of attack include:
Of these attack vectors, phishing is the most common. According to the Trustwave 2024 Financial Services Threat Report, 49% of cyberattacks in the financial sector are phishing-related. A security incident caused by such an attack can also be very costly: a recent IBM report revealed that the average cost of a data breach in finance reached $5.9 million in 2024.
Employee end devices, access to terminal servers, or remote access in branches are attack vectors if they are not secured by strong local authentication. But an open office door or access to a sensitive area like a data center could also be a potential vector for an attack. Have you ever thought about what could happen if an attacker gained physical access to an admin workstation or a development computer?
The legal requirements are clear – especially regarding the protection of sensitive data, access and infrastructure. Particularly relevant are:
In the EU: PSD2, FIDA, DORA, NIS2, KRITIS
In the US: 23 NYCRR 500, GLBA + FTC Update, CISA, SEC Cybersecurity Rules
Global: ISO27001, PCI-DSS
All these require not only digital security measures, but also that physical access to critical IT systems be strictly controlled and traceable. This includes who uses which device when and where – and how to ensure that this use was authorized.
A comprehensive security approach protects identities both digitally and physically. The iShieldKey combines these requirements in a single, highly secure authentication token.
FIDO2 support: Phishing-resistant, passwordless, locally validated.
Certificate-based authentication: Secure for VPNs, Windows logins, VDI, or zero-trust environments.
Private key remains on the device: Protection against theft or malware.
Lockable access to workstations, branch terminals, or retail workstations.
Integration into building control systems possible: One token for door access AND login – a combined physical-digital security architecture.
Example: An iShieldKey can be a prerequisite for starting a work computer or accessing confidential customer files – whether in the office or via remote access. No token, no access.
By combining digital and physical access protection, companies can centralize and simplify their security architecture. The key supports FIDO2 and PIV as well as major physical access systems such as MIFARE, HID and LEGIC.
Hardware authentication complies with current regulations by design. It integrates easily into existing identity and access management platforms by using modern phishing-proof authentication mechanisms.
A token replaces password lists, TAN procedures, SMS codes, and multiple logins – user acceptance is demonstrably high. The key can also be updated and patched if necessary, so there is no longer any need to collect outdated keys and replace them with keys running the latest firmware. Ready for today and the day after tomorrow!
A lost device is not a problem if access is tied to a hardware token that is carried separately from the device.
Modern attacks no longer distinguish between physical and digital access. Strong authentication with hardware tokens such as the iShieldKey offers comprehensive protection against identity theft – phishing-proof, compliant, and easy to integrate into the everyday life of your employees and your highly valued customers. And with Swissbit, you gain a trusted European partner ready to secure your digital transformation journey.
We would be happy to show you how you can build a scalable security architecture with a hardware token without compromising productivity. See our expertise for yourself.