Two-factor authentication vulnerable to evolving phishing attacks
Implementing best practices for customer authentication is one way organizations thwart fraud attacks. This includes deploying two factors of authentication, a practice strongly recommended by federal agencies such as the Federal Financial Institutions Examination Council (FFIEC) and the National Institute of Standards and Technology (NIST).
The recent article, “Two-Factor Authentication May Not Keep You Safe,” however, explains that while using at least two factors of authentication to identify customers has been a common practice for many years, even some best practices remain vulnerable to evolving phishing attacks.
In the article, a report by Amnesty International found that fraudsters use techniques that can bypass two-factor authentication to access people’s account details. It works like this: scammers set up a fake website that resembles the target’s bank, then send an email telling people to update their information or their account will expire. The email links to the phony website. Believing they are logging into their bank’s website, the victim types their password into the phishing site, and the scammers immediately use it to log into the victim’s account on the bank’s real website.
The second part of the scam covers the second factor, the one-time code.
When the hacker logs into the real bank account with the stolen password, the bank sends the victim a one-time code. The victim, not realizing the code was triggered by the fraudster’s login to the real account, enters it into the phishing site, and the fraudster relays it to the bank. This completes the hacker’s login to the real account, after which they can change the password and hijack the customer’s account.
With two-factor processes still vulnerable to evolving phishing scams, authentication solutions that include ownership-based authentication are emerging as the best choice to establish identity across all customer channels.
This is not to say that two-factor authentication is no longer useful. It is. Organizations should deploy and continue leveraging a multi-factor authentication process to accurately identify customers over all sales channels, including the call center. But knowing that there are still instances where even two-factor authentication can be compromised, banks need to make sure the credentials they rely on to authenticate callers are fast and effective.
For example, after years of having employees use an authenticator app as a second factor of authentication for employee login, Google had its employees switch to using a physical security key that they need to insert into their computer to log in. Today, Google is not the only organization that recognizes ownership-based authentication as an effective form of customer identification. Companies like Visa and Amazon have also taken steps to use physical ownership tokens to identify customers.
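The difference between the two factors described above comes down to what the bank actually verifies. A one-time code proves only that the person typing it holds the authenticator, so a code relayed from a look-alike site is indistinguishable from one typed on the real site. A physical security key instead signs a challenge together with the origin the browser is actually on, so a response produced on a look-alike site does not verify at the bank. The following simulation is an added example, not code from the article or from any of the companies it names; the origins, seeds and keys are constructed, HOTP follows RFC 4226, and the security-key step uses an HMAC over challenge plus origin as a stand-in for the public-key signature a real FIDO authenticator would produce.

```python
import hashlib
import hmac
import secrets
import struct

# Constructed parties for the simulation (not real domains).
REAL_ORIGIN = "https://bank.example"        # the bank's genuine site
PHISH_ORIGIN = "https://bank-example.test"  # the look-alike site from the article

# Factor 1: one-time code. Seed shared between the bank and the customer's authenticator app.
OTP_SEED = b"constructed-otp-seed"


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def bank_verify_otp(code: str, counter: int) -> bool:
    """The bank checks the code against its own copy of the seed and counter.
    Nothing in the code says where the customer typed it."""
    return hmac.compare_digest(hotp(OTP_SEED, counter), code)


def relayed_otp_accepted() -> bool:
    """Scenario from the article: the fraudster logs in with the stolen password,
    the bank issues a code, the victim types it on the fake site, the fraudster forwards it."""
    counter = 7                                      # constructed counter value
    code_shown_to_victim = hotp(OTP_SEED, counter)   # displayed by the victim's authenticator
    code_typed_on_phish_site = code_shown_to_victim  # victim enters it on the look-alike page
    return bank_verify_otp(code_typed_on_phish_site, counter)  # bank cannot tell the difference


# Factor 2: physical security key. The secret never leaves the device; the browser,
# not the web page, tells the device which origin it is on.
DEVICE_KEY = secrets.token_bytes(32)  # constructed secret sealed inside the security key


def device_sign(challenge: bytes, browser_origin: str) -> bytes:
    """Simplified assertion: bind the bank's challenge to the origin the browser reports.
    A real FIDO key would sign (client data hash including origin, authenticator data)."""
    return hmac.new(DEVICE_KEY, challenge + browser_origin.encode(), hashlib.sha256).digest()


def bank_verify_assertion(challenge: bytes, assertion: bytes) -> bool:
    """The bank only accepts assertions computed over its own origin."""
    expected = hmac.new(DEVICE_KEY, challenge + REAL_ORIGIN.encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, assertion)


def direct_assertion_accepted() -> bool:
    """Customer on the real site: browser reports REAL_ORIGIN, bank accepts."""
    challenge = secrets.token_bytes(32)
    return bank_verify_assertion(challenge, device_sign(challenge, REAL_ORIGIN))


def relayed_assertion_accepted() -> bool:
    """Same relay as before, but the victim's browser is on the look-alike site, so the
    device signs PHISH_ORIGIN and the bank rejects the forwarded assertion."""
    challenge = secrets.token_bytes(32)  # issued by the bank to the fraudster's session
    forwarded = device_sign(challenge, PHISH_ORIGIN)  # produced in the victim's browser
    return bank_verify_assertion(challenge, forwarded)


if __name__ == "__main__":
    print("relayed one-time code accepted:", relayed_otp_accepted())        # True
    print("direct security-key login accepted:", direct_assertion_accepted())  # True
    print("relayed security-key login accepted:", relayed_assertion_accepted())  # False
```

The point of the simulation is the argument to `device_sign`: the origin is supplied by the browser from the address bar, so the customer cannot be tricked into signing for the real bank while standing on a look-alike page. Rate limits, short code lifetimes and login-location alerts narrow the window for the one-time-code relay, but only an origin-bound factor closes it.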
What this all comes down to is this: as long as authentication systems are vulnerable to evolving fraud tactics, organizations’ authentication processes need to evolve, too. With many companies becoming more confident with using a physical phone or device to identify customers, ownership-based authentication is emerging as a strong token for customer authentication.