By Sarah Duffy • July 5, 2016

2FA: Where Is It Heading?

Websites and apps have turned to “two-factor” authentication (2FA) as a means to help deter fraudsters and criminals from accessing and stealing their unsuspecting customers' information. The most common 2FA method includes a one time password (OTP) that is often implemented when a consumer attempts to access a service or conduct a transaction.

The approach uses two factors - something you have and something you know. How it works is pretty simple and you’ve probably gone through the process once or twice. Here’s an example: A couple days ago I bought some concert tickets online. Before processing my purchase, the ticket site sent a text message to my phone that said “Here’s your verification code: 251995”. I typed that code into my internet browser and continued on with my transaction. Pretty safe, right? They know that its the real me because I told them the secret code that only I would know. Actually, it could be a lot more complicated, and a lot more dangerous than that.

Today’s cybercriminal has a long list of tools used to extract data to access your bank account, and even worse, your personal information. That means, in terms of my example, that the ticket purchasing website would have no way of distinguishing me typing the access code from a thief who stole my phone typing the access code. What about distinguishing me from a hacker with my phone number? It's easier than ever for hackers to gain access to both your phone number or any code sent to your phone number without you ever knowing.

“Sim-splitting” is the common term for the hijacking of a person’s 2FA pin-code via their mobile phone number to gain access to their financial accounts. From January 2013 to January 2016, the number of these SIM-splitting attacks reported to the FTC has almost doubled, accounting for 6.3% of all identity theft cases.

According to the Kaspersky Security Bulletin, 1.9 million attempted malware infections solely dedicated to stealing money via online banking accounts. Those numbers are projected to increase by the end of 2016.

Who’s doing this and how? There are multiple means by which hackers gain access to another person’s financial account. Man-In-The-Browser (MITB) attacks are becoming increasingly prevalent. A MITB typically operates through phishing links or by compromising a legitimate website. MITB is a type of trojan malware that inserts itself between the user and the browser. In the event of a transaction, the MITB will program its malware to add extra fields to the user’s content. The unsuspecting user fills out all fields believing that they are mandated by the compromised website, thus allowing entered credentials to be extracted and used fraudulently. Other common attacks are accomplished either by purchasing personal information from black market sellers or by stalking the individual’s public social media accounts, thus gaining knowledge that is then used to answer security questions.

Once they have enough personal information, the fraudster then calls the victim's mobile carrier, claiming to be the victim and requesting a replacement SIM-card for a stolen/lost cell phone. Once the new SIM-card is attached to the hacker’s cell phone, it’s game-over. The hacker now has unlimited access to bank account transfers via 2FA to the new SIM-card. By the time the fraudulent activity is intervened, or even noticed by the victim, there has likely already been several massive transactions.