Why Multi-Factor Authentication Isn’t as Secure as Financial Institutions Think

By Matthew Gracey-McMinn
April 12, 2022
in Authentication, Emerging Payments, Featured Content, Fraud & Security, Fraud Risk and Analytics, Industry Opinions, Security
“We would like to text or call you with a code.” That familiar phrase usually means multi-factor authentication (MFA) is in play. It’s an added layer of protection that businesses are using to protect accounts, and it’s become commonplace at financial institutions to secure personal data. From banks to brokers to crypto wallets, there is an expectation that it is implemented by institutions. However, MFA is far from foolproof. Criminals can still find their way around it to carry out attacks. 

The holy grail for attackers is to take over an account, and credential stuffing is one of the most common routes. The attacker acquires a list of username and password pairs and submits them to login pages using bots. The speed and volume at which bots can fill in login forms lets the attacker find a working combination quickly. The credential lists usually come from breach leaks; the same dark-web shops and marketplaces, such as Genesis Market, also sell stolen device fingerprints and session cookies, which let an attacker skip the login step (and any MFA prompt attached to it) altogether.

An attack that tries millions of logins within a few hours needs only a success rate of a fraction of a percent to yield hundreds or thousands of working accounts. Validated credentials can then be used to reset the password, take full control of the account, and move funds elsewhere.

Multi-factor authentication can stop the account takeover that would otherwise follow a successful credential stuffing attack, because a valid password alone is no longer enough to complete a login. Two-factor authentication (2FA) is the common special case: two factors, typically a password plus a code delivered to a registered device. But MFA is not airtight, and it does not stop the stuffing itself: a login that gets as far as the MFA prompt tells the attacker the password was correct, so the compromised credential still has value.

The key ingredient for bypassing MFA is a combination of bots and human intervention. The goal is either to sidestep the MFA check entirely or to trick the account owner into handing over the MFA code.

Here are the five most common techniques financial services organizations need to know about:

  1. Targeting financial aggregator sites. Customers use services such as Mint or Plaid to manage their finances, aggregating accounts into a single view. These apps access account information, and sometimes make changes, through the bank's API or web app, and that integration path is not always protected by the same MFA as the customer-facing login. A threat actor can run credential stuffing through an aggregator integration to bypass the bank's MFA controls, or can target the aggregator itself, take over the customer's account there, and gain some degree of access to their banking information.
  2. Stealing security questions with social engineering. Security questions are a common fallback for verifying identity, and they are often the path that bypasses MFA when a user loses or cannot access their device. Attackers use social engineering, which can be as simple as reading a target's social media profiles, to answer common security questions and access accounts without MFA. Bots then combine credential stuffing with answers drawn from public data or simple brute force against the security questions.
  3. Generating phishing scams. Phishing is one of the most popular means of acquiring sensitive information such as passwords or answers to security questions. Attackers try to convince individuals to visit a fake login page and input the MFA code there. The threat actor might also email or phone an individual, impersonate their bank, and ask for the MFA code. In this way, attackers obtain the MFA code from the victim rather than bypassing MFA.
  4. Exploiting man-in-the-middle (MITM) tactics. The threat actor positions themselves between the bank and the customer (often using malware on the customer's device) and intercepts the messages between them. The tactic is used to acquire an MFA code by linking to a fake page that asks for the code, then relaying it to the real bank while it is still valid.
  5. Using SIM swapping techniques. Bad actors intercept text messages sent to a user's phone number and have them delivered to another handset. This is accomplished by calling the user's mobile carrier, impersonating the customer, and passing the carrier's security questions. The criminal convinces the carrier to move the phone number to the attacker's SIM card. Once set up, they receive the SMS codes sent to that number and use them to access the account.
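Items 3 and 4 rely on the same property: a one-time code is valid for a short window and is not bound to the page the victim typed it into, so whoever submits it first wins. The simulation below is an added illustration, not code from the article or from any bank. It models a hypothetical bank back end that verifies a standard RFC 6238 TOTP code (HMAC-SHA1, 30-second steps, one step of clock drift, each step usable once) and a proxy-style phishing page that forwards the victim's code from the attacker's own address. The seed, timestamps and IP addresses are constructed.

```python
import hashlib
import hmac
import struct

# Constructed per-user TOTP seed for the demo (not a real secret).
SECRET = b"constructed-demo-seed-not-real"
STEP = 30  # seconds per TOTP time step (RFC 6238 default)


def totp(secret, unix_time, step=STEP, digits=6):
    """RFC 6238 TOTP: HOTP over the current time step, truncated to `digits`."""
    counter = int(unix_time) // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % (10 ** digits):0{digits}d}"


class BankServer:
    """Hypothetical bank login. The password is assumed already stuffed/leaked,
    so only the second factor is checked here. Accepts the current step and one
    step either side, and never accepts the same step twice (one-time use)."""

    def __init__(self, secret):
        self.secret = secret
        self.used_steps = set()
        self.session_ip = None  # who ended up holding the session

    def login(self, code, now, client_ip):
        for drift in (-1, 0, 1):
            step = int(now) // STEP + drift
            if hmac.compare_digest(totp(self.secret, step * STEP), code):
                if step in self.used_steps:
                    return "rejected: code already used"
                self.used_steps.add(step)
                self.session_ip = client_ip
                return "accepted"
        return "rejected: bad code"


class PhishingProxy:
    """Fake login page under attacker control: whatever the victim types is
    forwarded to the real bank from the attacker's address within seconds."""

    def __init__(self, bank, attacker_ip):
        self.bank = bank
        self.attacker_ip = attacker_ip

    def victim_submits(self, code, now, relay_delay=3):
        # a few seconds of relay latency is well inside the 30 s validity window
        return self.bank.login(code, now + relay_delay, self.attacker_ip)


def run_scenario(t0=1_649_754_000):
    """Play out a real-time relay and report what the bank saw."""
    bank = BankServer(SECRET)
    proxy = PhishingProxy(bank, attacker_ip="203.0.113.7")

    victim_code = totp(SECRET, t0)                      # read off the victim's app
    relay = proxy.victim_submits(victim_code, t0)       # attacker logs in first
    victim_retry = bank.login(victim_code, t0 + 5, "198.51.100.9")  # victim now fails
    late_replay = bank.login(victim_code, t0 + 120, "203.0.113.7")  # stale code

    return {
        "relay": relay,
        "victim_retry": victim_retry,
        "late_replay": late_replay,
        "session_owner": bank.session_ip,
    }


if __name__ == "__main__":
    print(run_scenario())
```

Two things the output makes concrete. One-time-use and the short window defeat the stale replay but do nothing against a live relay, because the attacker submits the code before the victim does; that is why phishing-resistant factors have to bind the response to the site's origin rather than to time. And the relay leaves traces a bank can act on: the victim's own attempt fails with "already used", and the session is established from an address that never belonged to the customer.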

Multi-factor authentication is a stronger defense than a password alone, but it is not a guarantee against successful attacks. Bypassing MFA usually requires human intervention, but it still happens, and when bots run the groundwork at scale the number of victims reaching that human stage, and therefore the success rate, climbs sharply. Banks need to watch for malicious activity and educate customers about deceptive behavior such as phishing and social engineering. Adding controls that stop the bot attacks, which are the precursor to the phishing and social engineering stages, will also help to protect systems. Security requires defense in depth to deal with more sophisticated criminals, and financial institutions must stay one step ahead.

Tags: Authentication, Cybercrime, Financial Institution, Fraud, Fraud Detection, Fraud Prevention, Fraud Risk and Analytics, Man in the Middle, MFA, Multi-Factor Authentication, Phishing Attacks, Security, Social Engineering, Two-Factor Authentication