It's seemingly an everyday occurrence: You want to access your Outlook email, you have to wait for a passcode to be sent via text message. You want to check the status of a dental claim on your insurance website, you have to verify it's you after entering the password with an email confirmation. You want to place an order for a Chipotle burrito on the mobile app, you are challenged with holding your phone at a 60-degree angle while performing a preset dance routine that symbolizes your love for burrito bowls while the app scans your retina for verification that nobody else is hacking your lunch order. While the process of two-factor authentication may irritate you when you are in a hurry, it is quickly becoming more commonplace, accepted and part of our daily routine. But... is it really necessary?
Login information for websites, financial sites included, used to be a simple username and password challenge. A few episodes into Mr. Robot will demonstrate the vulnerability of that: Usernames are typically emails or a variation of first and last names; user-created passwords are often a combination of your pet's name and your street address (or kid's name and birthdate, or a favorite band and graduation year, etc.), all of which are easily discovered on social media platforms. It didn't take long for criminals to hack "JinxyCat93", so over the years, many measures have been put in place to increase the security of accessing these accounts.
Two-factor authentication (2FA) can be implemented in a variety of ways: unique one-time codes sent by text message or email to the contact information on file for that account, security question challenges, facial recognition and more. Some banking and corporate organizations give each account holder a physical device that generates a new passcode, which is required when the person logs in. The more complex the process, the more secure it may be, but the more cumbersome it is for the end user.
In 2017, a survey of cybersecurity professionals found that 74 percent of organizations that use two-factor authentication receive complaints from users about the process. Nearly 10 percent of respondents said they actually hate it. However annoying it may be, people who use it do feel more secure about their data and their accounts. But there are still loopholes.
Sophisticated phishing scams are one of the biggest problems with cybersecurity today, and they can be masked as a form of 2FA. Hackers design fraudulent websites that look nearly identical to the real ones. They then send emails that look and feel as if they are coming from the bank or credit union and alert members that their account is about to expire or is missing some data. Members who are duped will click through to the fake site, which fraudulently captures their login information. Immediately, the hacker enters this information on the real website, which generates the text message to the member. The member unknowingly enters the code on the fake site, and the hacker immediately enters it into the real site, gaining access to the account.
Another vulnerability is the phone itself. Because the phone is a physical device, phone hijacking is increasingly an issue, rising from about 380,000 in 2017 to some 679,000 in 2018. With text messages to phones being one of the most popular verification methods in 2FA, this potential loophole emphasizes that the process is not without its flaws.
The bottom line: Every added layer of security is better than none at all. A home security system won't guarantee your home will never be burglarized, but it is certainly better than leaving the house with doors and windows wide open. Putting two-factor authentication to work at your credit union will not put all of your security woes to rest, but it will provide members a greater sense of trust, as well as an added layer of protection.