Authentication capabilities have evolved vastly in recent years. In the beginning, a combination of username and password was all that was needed to authenticate an end user’s identity online. If more stringent authentication was required, a second “factor” such as a passcode or a knowledge-based question could be requested. A popular second-factor method was, and still is, to send a one-time passcode (OTP) to a user’s mobile device.
But the OTP is usually sent over SMS, and SMS can be intercepted or redirected. So all a fraudster needs to get into your account is your username/password and control of your mobile phone number. Username/password is easy enough. Since 2013 nearly 10 billion data records have been exposed and are available to cybercriminals. (Gartner Report: Market Guide for Online Fraud Detection, January 2018) And two of the most popular passwords in use today are, you guessed it, “123456” and “password.” Then all one needs is your mobile phone number, which is not at all difficult for a cunning cybercriminal to obtain: it can often be pulled from a social media profile, and a SIM swap at your carrier lets the attacker receive your text messages, OTPs included. Once the account is open, depending on your level of authorization or security clearance, everything behind it is accessible. The fox is in the henhouse, so to speak.
What about knowledge-based questions, you might ask? Perfectly legitimate question. Knowledge-based questions can certainly add a layer of assurance. These higher-friction authentication methods can be effective and are valuable for high-risk transaction requests. In the case of social networks, however, those transactions are not always seen as sensitive, so knowledge-based questions are not employed at every login point.
The recently announced data breach at Reddit is just one example of the weakness of SMS-based two-factor authentication. The user’s account was protected by two-factor authentication, which a fraudster defeated by intercepting the SMS codes. And since the breached account had access to customer and company information, including database backups, all of it was available to the fraudster. Reddit is by no means alone. Yahoo and LinkedIn are two more examples of massive data breaches at sites that were protected by two-factor authentication. And, as these examples show, it is not only ecommerce sites that need this protection. It is any site that stores user or other sensitive information.
So what can you do to protect your site and your users without making every visit a chore? Simple. Employ a dynamic, context-aware multi-factor authentication solution.
ClearKey can match a user account to a device, or to multiple devices, and recognize that pairing at login. This authentication is done transparently; the user doesn’t have to do anything. ClearKey performs a deep analysis of the login device to confirm it is one registered to the account. If a fraudster attempts to evade detection or spoof the device characteristics, ClearKey detects it. Then, even if they are able to intercept an SMS message, it won’t do them any good, because the factor being checked is the device itself, not a code sent to a phone number.
And ClearKey can be used to authenticate at any step in the customer journey. For relatively harmless transactions, like checking a balance, ClearKey’s device recognition may be all the business requires. For riskier transactions, like transferring funds, LaunchKey can be employed as an additional authentication factor. With LaunchKey the user approves the transaction on their own mobile phone by entering a PIN code or Circle Code, or with a simple fingerprint, so the approval travels out of band rather than over SMS.
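The flow described above, transparent device recognition for low-risk actions and a device-bound challenge for high-risk ones, is sketched below as an added example. It is not ClearKey or LaunchKey code and makes no claim about how those products work internally: the device fingerprint is a hash of a few assumed browser attributes, device binding is modelled as an HMAC shared secret enrolled at registration (a real product would use a hardware-backed keypair), and the user, device and action names are invented for the demo. The point it makes that the prose does not is why an intercepted SMS buys the attacker nothing here: the response is computed from a secret that never leaves the enrolled device, each challenge is single-use, and a mismatched fingerprint is refused before any challenge is issued.

```python
"""Device-bound, risk-based step-up authentication (illustrative, stdlib only)."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field

# Assumed transaction classes; anything not listed as low risk is treated as high risk.
LOW_RISK = {"check_balance", "view_statement"}


@dataclass
class Device:
    device_id: str
    secret: bytes       # enrolled at registration; stands in for a device-held private key
    fingerprint: str    # hash of stable device characteristics captured at enrollment


@dataclass
class AuthServer:
    devices: dict = field(default_factory=dict)   # (user, device_id) -> Device
    pending: dict = field(default_factory=dict)   # nonce -> (user, device_id, expiry)

    def enroll(self, user, device_id, fingerprint):
        """Register a device for a user and hand back the secret it will hold."""
        secret = secrets.token_bytes(32)
        self.devices[(user, device_id)] = Device(device_id, secret, fingerprint)
        return secret

    def device_recognized(self, user, device_id, fingerprint):
        """Transparent check: is this the device that was paired with the account?"""
        d = self.devices.get((user, device_id))
        return d is not None and hmac.compare_digest(d.fingerprint, fingerprint)

    def issue_challenge(self, user, device_id, ttl=60):
        """Create a single-use, time-limited nonce for an out-of-band approval."""
        nonce = secrets.token_hex(16)
        self.pending[nonce] = (user, device_id, time.time() + ttl)
        return nonce

    def verify_response(self, nonce, response):
        """Accept only a fresh, unexpired response signed with the enrolled secret."""
        entry = self.pending.pop(nonce, None)   # pop makes the nonce single-use
        if entry is None:
            return False
        user, device_id, expiry = entry
        d = self.devices.get((user, device_id))
        if d is None or time.time() > expiry:
            return False
        expected = hmac.new(d.secret, nonce.encode(), hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, response)

    def authorize(self, user, device_id, fingerprint, action, respond=None):
        """Decide an action. `respond` is the device's callable(nonce) -> response, if present."""
        if not self.device_recognized(user, device_id, fingerprint):
            return "deny"               # unknown or spoofed device: stop here
        if action in LOW_RISK:
            return "allow"              # transparent device recognition suffices
        if respond is None:
            return "step_up_required"   # ask the device for an approval
        nonce = self.issue_challenge(user, device_id)
        return "allow" if self.verify_response(nonce, respond(nonce)) else "deny"


def device_sign(secret, nonce):
    """What the enrolled device does with a challenge; the secret never leaves it."""
    return hmac.new(secret, nonce.encode(), hashlib.sha256).hexdigest()


def fingerprint(attrs):
    """Canonical hash of device attributes (assumed attribute set, for the demo)."""
    canon = "|".join(f"{k}={attrs[k]}" for k in sorted(attrs))
    return hashlib.sha256(canon.encode()).hexdigest()


def run_scenarios():
    """Constructed scenarios; returns the decision for each so they can be checked."""
    srv = AuthServer()
    fp = fingerprint({"ua": "Mozilla/5.0", "tz": "America/Los_Angeles", "screen": "1440x900"})
    secret = srv.enroll("alice", "phone-1", fp)
    results = {}
    # Legitimate user on her enrolled device.
    results["balance_known_device"] = srv.authorize("alice", "phone-1", fp, "check_balance")
    results["transfer_no_device"] = srv.authorize("alice", "phone-1", fp, "transfer_funds")
    results["transfer_with_device"] = srv.authorize(
        "alice", "phone-1", fp, "transfer_funds", lambda n: device_sign(secret, n))
    # Attacker with the password but a different device (fingerprint does not match).
    other = fingerprint({"ua": "Mozilla/5.0", "tz": "Europe/Moscow", "screen": "1440x900"})
    results["balance_unknown_device"] = srv.authorize("alice", "phone-1", other, "check_balance")
    # Attacker who even cloned the fingerprint still lacks the enrolled secret.
    results["transfer_wrong_secret"] = srv.authorize(
        "alice", "phone-1", fp, "transfer_funds", lambda n: device_sign(b"guess", n))
    # Attacker who captured a valid approval (as they might capture an SMS) and replays it.
    nonce = srv.issue_challenge("alice", "phone-1")
    resp = device_sign(secret, nonce)
    results["first_use"] = srv.verify_response(nonce, resp)
    results["replay"] = srv.verify_response(nonce, resp)
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:24s} -> {outcome}")
```

The decisions are made on the server side only from what the device can prove, not from what the user can type, which is the property SMS OTP lacks: a code that must be typed can be phished or intercepted, whereas a response bound to a per-device secret and a single-use nonce cannot be reused even if observed.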
The bottom line is that fraudsters are getting better at their jobs, and SMS-based two-factor authentication no longer delivers the assurance it once did for websites and their users. Today’s websites need to deploy a true dynamic multi-factor authentication solution to protect against fraud while providing users with a satisfactory online experience.