Use of TFA (two-factor authentication) goes back to the 1980s, when a key fob generated a numerical code for users to append to their passwords. The evolution of this method worked well for the better part of four decades — outlasting other ’80s innovations like two-pound cellular phones and Members Only jackets — but it’s past time to change the locks on digital defenses, particularly for banks.
This is not to say that all 2FAs are useless — and, since banks are required to use 2FA technology, we’re not suggesting they go completely rogue. The idea behind 2FA isn’t bad — the problem is in its execution. As there’s no digital leash tying the authenticator to the device, hardware tokens are still a viable way to protect access to critical data and systems. The problem is that many 2FAs aren’t using hardware. Even using an authentication app on a phone creates potential avenues for vulnerability, from email phishing to flaws in software features.
Cybersecurity has become too complex since the days of Walkmans and leg warmers for a security system to run on a “set it and forget it” mentality. Constant innovation is a must. The hard truth is SMS-based 2FAs are increasingly easier to hack, leaving millions of bank accounts vulnerable to cybercriminals waiting to pluck their PII — personally identifiable information.
The Nokia 2021 Threat Intelligence Report notes the increased risk of banking malware threats. Cyber criminals often start with a trojan to snatch one-time passwords with captured keystrokes or overlaying bank login screens. From there, they let themselves into the victim’s mobile bank account. These kinds of malware attacks have been most successful on Android devices because of their open-source code and ubiquity. That’s not to say that Apple’s iOS is fundamentally more secure — if there’s a weakness in any OS, persistent black hats will find it.
Even if a bank account owner is vigilant — protective software, regular OS updates, and a keen eye for phishing emails — there’s the matter of information in transit. Cybercriminals exploited a weakness in Signalling System No. 7 (also known as SS7), a telephony signaling language that allows text messages and phone calls to travel across the globe uninterrupted. Using SS7 to redirect text messages containing one-time passwords from their banks in order to access the accounts, hackers were able to bypass mobile bank 2FAs meant to protect users against unauthorized withdrawals. They then used mobile transaction authentication numbers (mTANs) to drain them. It’s shockingly easy to steal money these days.
While 2FA has its benefits — and it’s certainly better than no protection at all — the inherent problem is that it adds layers of security that can be circumvented once a device is compromised. Banks are under pressure to replace 2FAs with other methods such as adaptive authentication. This method evaluates a user’s login attempt and assigns a risk score based on the device, its location, the user’s role, or any other parameters security personnel set. If the attempt is considered medium risk, the user might be asked to verify certain credentials. If considered high risk, their access can be blocked. Because this process requires machine learning, its algorithms are never static; each user’s behavior, location, IP address, and more are monitored and recorded to proactively detect fraudulent access before it even shows up at the door.
Protecting the assets of a bank’s account holders should be a financial institution’s top priority, and in today’s digital frontier, that means staying multiple steps ahead of cybercriminals.