Multiple First Factor Questions Do Not Equal Multifactor Authentication
Last year, the FBI reported that a surge of Automated Clearing House (ACH) fraud committed by criminals stealing the online banking credentials of small and midsize businesses resulted in approximately $100 million in attempted losses. So far this year, the FBI’s Cyber Division is looking into more than 400 reported cases of corporate account takeovers resulting in approximately $85 million stolen with attempted theft of more than $255 million.
As these losses have been discovered and the online security practices at the banks or credit unions in question are examined, it has become apparent that there is cause for concern in the way multi-factor authentication schemes are implemented.
Earlier this year, the Federal Financial Institutions Examination Council updated their 2005 regulations requiring all financial institutions to implement multifactor authentication to protect customers’ online accounts. The regulations called for banks and financial institutions to implement “layered security programs”.
Authentication methods that depend on more than one factor are more difficult to compromise than single-factor methods. Accordingly, properly designed and implemented multifactor authentication methods are more reliable and stronger fraud deterrents.
Existing authentication methodologies involve three basic “factors”:
• Something the user knows (e.g., password, PIN);
• Something the user has (e.g., ATM card, smart card); and
• Something the user is (e.g., biometric characteristic, such as a fingerprint).
Both the customer’s username/password combination and his email account information are “something you know” since most people protect their email account with a username and password also. Therefore, sending a one-time pass code to an email account is effectively still single-factor authentication. This is especially true of email accounts hosted and available directly over the Internet, as opposed to those protected by a firewall or VPN. Alternatively, true two-factor authentication uses an “out-of-band” device like the user’s cell phone or office phone to transmit the one-time pass code. This incorporates both the first factor (the user’s online bank account ID and password) and a second factor of “something you have” which is the pre-registered cell or office phone.
Despite the clear guidelines, many financial institutions and other businesses are implementing multiple instances of single-factor authentication and self-defining that as multi-factor authentication. Even with some form of identity verification (i.e., questions about mother’s maiden name or account balances), these practices are not enough to deter cyber thefts. As social sites and sharing online have proliferated, personal information such as mother’s maiden name and other historically private demographic data can be easily found through simple online searches and used to circumvent security on an account.
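The distinction drawn in the two paragraphs above, as an added example (not code from the original post or from Equifax): each verification step is tagged with the factor category it actually proves, and a login flow counts as multi-factor only when it covers two distinct categories. The step names and the classification of an e-mailed code as a knowledge factor follow the text; the data structures are assumptions for illustration.

```python
"""Classify authentication steps by factor and decide whether a login flow is
truly multi-factor, i.e. relies on at least two *distinct* factor categories."""
from dataclasses import dataclass
from enum import Enum


class Factor(Enum):
    KNOWS = "something the user knows"
    HAS = "something the user has"
    IS = "something the user is"


@dataclass(frozen=True)
class Step:
    name: str
    factor: Factor


# Hypothetical catalogue of verification steps. An e-mailed one-time code is
# classified as a knowledge factor: the mailbox itself is guarded by a
# username and password, so it adds no new factor category.
PASSWORD = Step("username and password", Factor.KNOWS)
SECURITY_QUESTION = Step("mother's maiden name", Factor.KNOWS)
EMAIL_OTP = Step("one-time code sent to e-mail", Factor.KNOWS)
# A code delivered out-of-band to a pre-registered phone proves possession
# of that device, a different factor category than the password.
PHONE_OTP = Step("one-time code sent to registered phone", Factor.HAS)
FINGERPRINT = Step("fingerprint scan", Factor.IS)


def distinct_factors(steps):
    """Return the set of factor categories covered by a login flow."""
    return {s.factor for s in steps}


def is_multifactor(steps):
    """True only if the flow covers two or more distinct factor categories;
    several knowledge checks stacked together still count as one factor."""
    return len(distinct_factors(steps)) >= 2


def describe(steps):
    """Summarise a flow: number of steps, number of factors, and the verdict."""
    kinds = distinct_factors(steps)
    verdict = "multi-factor" if is_multifactor(steps) else "single-factor"
    return f"{len(steps)} step(s), {len(kinds)} factor(s): {verdict}"


if __name__ == "__main__":
    # Constructed sample flows mirroring the two designs contrasted in the text.
    print(describe([PASSWORD, SECURITY_QUESTION, EMAIL_OTP]))  # single-factor
    print(describe([PASSWORD, PHONE_OTP]))                      # multi-factor
```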
Additionally, the methods used by many institutions to handle customers’ password reset requests have proven to be problematic. As we learned when several large Web-based mail providers were hacked, sending a link to an alternative e-mail account (with a hint on the Password help page about which account is used) or requesting the answer to a single secret question are not sufficiently secure procedures. Security is increasingly compromised through phishing or Trojan horses, especially on customers’ personal computers where businesses have no control over the security of the machine.
These issues point to the critical need for best practices in security and defense-in-depth through the use of up-to-date password policies and true two-factor authentication. Please contact us to speak to a specialist about account security and multifactor authentication. If you are interested in learning more about Equifax technologies and analytical services, sign up for our monthly newsletter.