Security is always going to be an ongoing battle, a struggle to resist the criminals who want to access your data or steal from your customers.
And so it’s not surprising that scammers are finding ways to penetrate systems secured with two-factor authentication (2FA) – and that organisations are increasingly turning to multi-factor authentication (MFA) to deter criminals and protect data.
Before we look at some of the techniques used to bypass 2FA, let’s clarify what we mean by 2FA and MFA and why the latter is more secure.
With 2FA, your customers must use two forms of authentication to gain access. In most cases, the two factors are a password and something in their possession, such as a security token.
Multi-factor authentication typically refers to a system that requires three or more factors to verify identity.
Authentication factors are grouped into categories:
Knowledge – something that the user knows, such as a password, PIN, or the answers to secret questions
Possession – something the user keeps, such as a key fob, dongle, or a message sent to their phone
Inherence – something unique to the individual, such as biometric information or their voice
Location – checking the user’s location with a GPS-enabled smartphone
Time – verifying that the user is carrying out tasks at a logical time, and not making purchases in London and Budapest ten minutes apart
2FA: undermined by determined scammers
While 2FA is more secure than simply using a password, it can be circumvented by determined hackers.
One technique for bypassing 2FA protections involves the scammer calling a customer and posing as their service provider.
The scammer claims that the customer’s account has been compromised, but they need the victim to confirm their identity. They send the victim a code by text message and ask them to read it back. The scammer may ask the victim to repeat the process several times, claiming that it didn’t work on the first attempt.
Eventually the scammer will claim to have confirmed the victim’s identity, and then they may discuss recent activity or orders on the customer’s account, asking the victim to confirm that they’re real.
They’ll invent one false purchase or order so the story sounds legitimate – and that there has genuinely been fraudulent activity on the victim’s account. The scammer offers to reverse the transaction and sends the victim one more code. The problem appears to be resolved and the victim feels relieved, thinking that everything is fine. But of course, the caller was a scammer and the codes were one-time passcodes (OTP) sent to approve changes to their accounts or to place orders.
Another scam involves scammers creating fake login pages for services like Google, Yahoo and Facebook. They send spoof emails to users, telling them that their account has been compromised, or that hackers have sensitive information such as their pictures. Users are instructed to login to protect their account, but, the fake page is simply harvesting information for the scammer. The scammer then uses the information to gain free access to the victim’s account. If the service uses 2FA, then the user simply enters the OTP code in the fake page – handing it directly to the scammers. The criminals can then sign in, change your password and harvest valuable information to support further scams and thefts.
Regulations encourage move to MFA
In the US, interest in MFA has been pushed by regulations such as the Federal Financial Institutions Examination Council (FFIEC) calling for advanced authentication for online transactions. In the UK, GDPR is renewing the focus on organisations’ obligations to protect user data.
The Information Commissioner’s Office (ICO) states: “A key principle of the GDPR is that you process personal data securely by means of ‘appropriate technical and organisational measures’ – this is the ‘security principle’. Doing this requires you to consider things like risk analysis, organisational policies, and physical and technical measures.”
In both jurisdictions, regulators may take a dim view of those organisations that don’t take adequate precautions to reduce the risk of data breaches. And while MFA is the current leader in the digital security arms race, it’s only a matter of time before criminals find techniques to undermine this approach. Tech companies and customer service organisations must continually strive to tighten security and keep several steps ahead of organised crime.