BioCatch has been discussing the limitations of two-factor authentication for a while, not for the purpose of raising alarm bells, but to offer a distinct solution for providing a clear sense of security throughout an online session where traditional approaches are failing us.
In the last few weeks, the drumbeat of news points to continued failures of two-factor authentication, making a louder and louder call for our institutions and stakeholders to think differently about information security.
The most common method of two-factor authentication relies on security codes texted via SMS or phone calls to authenticate users. While this may be simple and straightforward, it fosters a false sense of security, as today’s fraudsters have many ways to circumvent device recognition, geo-location and other static means of authentication.
The Phone-Jacking Scam: 2FA Fails the Test
In fact, the latest example of two-factor authentication failing was reported by the New York Times. The article describes fraudsters taking control of victims' phone numbers directly from the telecommunications companies, essentially transferring the phone number to a device they control. Once they control the phone number, they can reset the passwords on any account that uses that number as its security backup. The article goes on to discuss this method being used to specifically target owners of virtual currency accounts, who are identified by their activities on social media. According to the Federal Trade Commission, as of January 2016 (the most recent date for which this data is available), "phone hijacking" scams represented 6.3% of all the identity thefts reported for the month, and the thefts involved all four of the major mobile carriers.
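To make the failure mode concrete from the defender's side, here is an added illustration (not code from the original post, and not BioCatch's product logic) of a password-reset policy in which the phone number is the sole backup factor, alongside a hardened variant that refuses to treat an SMS code as sufficient on its own. The account, device and request records are constructed for the example; "trusted device" and "backup code" are assumed additional factors that a ported phone number does not give an attacker.

```python
from dataclasses import dataclass, field


@dataclass
class Account:
    """Constructed account record; the phone number is the 'security backup'."""
    username: str
    phone: str
    trusted_devices: set = field(default_factory=set)  # device ids seen before
    backup_codes: set = field(default_factory=set)     # one-time codes given at enrollment


@dataclass
class ResetRequest:
    """A password-reset attempt as seen by the service."""
    username: str
    sms_code_ok: bool          # True once the code texted to the number on file is echoed back
    device_id: str             # identifier of the device making the request
    backup_code: str = ""      # optional one-time backup code


def weak_reset_allowed(acct: Account, req: ResetRequest) -> bool:
    """Phone number as the only backup factor.

    Whoever currently controls the number receives the SMS, so a ported
    number is enough to pass this check.
    """
    return req.sms_code_ok


def hardened_reset_allowed(acct: Account, req: ResetRequest) -> bool:
    """SMS still required, but never sufficient by itself.

    The reset also needs a factor that does not travel with the phone
    number: a device the account has used before, or a one-time backup
    code the user stored at enrollment. Backup codes are consumed on use.
    """
    if not req.sms_code_ok:
        return False
    if req.device_id in acct.trusted_devices:
        return True
    if req.backup_code and req.backup_code in acct.backup_codes:
        acct.backup_codes.discard(req.backup_code)  # single use
        return True
    return False


def scenario() -> dict:
    """Run the two policies against a hijacked-number reset and a genuine one."""
    victim = Account(
        username="alice",
        phone="+15550100",
        trusted_devices={"alice-laptop"},
        backup_codes={"K7F2-9QZD"},
    )
    # Attacker has ported +15550100 to their own handset, so the SMS check passes,
    # but the request comes from a device the account has never seen.
    hijack = ResetRequest(username="alice", sms_code_ok=True, device_id="unknown-handset")
    # Alice herself, from her usual laptop.
    genuine = ResetRequest(username="alice", sms_code_ok=True, device_id="alice-laptop")
    # Alice from a new phone, proving possession with her stored backup code.
    new_phone = ResetRequest(username="alice", sms_code_ok=True,
                             device_id="alice-new-phone", backup_code="K7F2-9QZD")
    return {
        "weak_hijack": weak_reset_allowed(victim, hijack),
        "hardened_hijack": hardened_reset_allowed(victim, hijack),
        "hardened_genuine": hardened_reset_allowed(victim, genuine),
        "hardened_new_phone": hardened_reset_allowed(victim, new_phone),
        "codes_left": len(victim.backup_codes),
    }


if __name__ == "__main__":
    for name, result in scenario().items():
        print(f"{name}: {result}")
```

The point of the contrast is that the hardened policy does not try to detect the port itself; it simply stops treating control of the number as proof of identity, which is the assumption the phone-jacking scam exploits.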
Weak Passwords Still a Problem for Two-Factor Authentication
Another recent report on the failures of two-factor authentication comes from Microsoft, which has also noticed a surge in user account attacks. According to Dark Reading, the latest Security and Intelligence Report shows a 300% increase in user account attacks since 2016, caused by weak passwords, phishing attacks, ransomware, and malware.
Phishing-as-a-Service Shows Disadvantages of 2FA
Finally, besides the widely reported hacks and data breaches that continue unabated, "phishing-as-a-service" or "identity-theft-as-a-service" is yet another way that scammers and hackers are circumventing traditional two-factor authentication mechanisms. According to Imperva's Hacker Intelligence Initiative, the service's customers (the scammers) can buy access on the black market and choose from a variety of ready-made scam pages -- including social media, banking, retail, telecom, utility, gaming, and dating -- and once a page is chosen, the service generates a link to be sent to victims. Any credentials stolen are stored on the customer's personal dashboard. A campaign using phishing pages, a spam server, an email list of 100,000 addresses, and access to compromised servers could be carried out for as little as $27.
Two-Factor Authentication Does Not Address the Need for Dynamic, Continuous Authentication Solutions
Leading financial institutions are realizing that they cannot rely on static two-factor authentication measures. Fraud continues to occur even in sessions that were considered to be properly authenticated. Looking at new dimensions, like user behavior, is showing tremendous promise for catching anomalies in a session even when all other elements appear to be valid. Analyzing factors that cannot be stolen, copied or recorded is the added dimension that is missing from current security protocols. Techniques like BioCatch Invisible Challenges ensure a continuous, dynamic approach to authentication throughout a session.
Read more about Invisible Challenges here.