If Two-Factor Authentication (2FA) Is Not Bulletproof, How Will We Authenticate?

In the past couple of years, we have repeatedly been reminded of the weakness of passwords as an authentication method. High-profile breaches with millions of lost credentials, sophisticated desktop malware, advanced mobile malware, phishing scams and other attacks have proven time and time again that a username and password combination cannot by itself provide adequate evidence for authentication.

One of the most popular and trusted methods for strong authentication has been the use of one-time passwords (OTPs) in the form of tokens. OTP tokens deter attackers because the attacker needs real-time data from the potential victim, but today’s malware is specifically designed to circumvent this security measure.

As two-factor authentication (2FA) is based on the assumption that two of the three factors of authentication are used (something you know, something you have and something you are), tokens no longer qualify as “something you have.” The moment a user looks at a token’s randomly generated number, it becomes something he knows. While this new password does have a short time to live, it is still just another password in the user’s possession. As we have witnessed repeatedly, extracting passwords from an end user with malware is not a difficult task.

Targeting OTPs is nothing new. Today’s cybercriminal has a long list of tools that can be used to extract everything from passwords to secret questions, token-generated passwords and even device ID data.

Cybercriminals regularly defeat SMS passwords, emulate users’ online behavior and even outsmart combinations of smart cards, passwords and unique card readers. Phishing attacks dating back to 2008 used OTP-stealing mechanisms by asking victims repeatedly for their token-generated password. The criminal simply monitored his command-and-control server and attempted to use these credentials as they were stolen and sent to his server in real time.

When malware became cybercriminals’ main tool, malware designers and users approached the OTP issue through social engineering and HTML injection. From login page OTP stealers to SMS OTPs, everyone — not just financial institutions — was targeted. Some techniques were so good that gangs started copying ideas from one another. Even in a recent court case, multifactor authentication alone as a method of authentication was not deemed secure enough.

All in all, a cybercriminal can now choose from a range of tools, from simple credential stealers that report the OTP in real time to sophisticated remote-session hijacking for when an OTP challenge appears.

Top Challenges With Biometrics

One rising but infrequently used authentication measure these days is biometrics (“something you are”). Using biometrics in its various forms (voice, fingerprint, retina scan, behavioral biometrics, etc.) poses the following challenges:

  • Registration: To register a biometric, one must make sure the registration process is done in a clean and safe environment. While this is true for any form of password, it is much more important for biometrics. A password can be re-credentialed, while a fingerprint cannot.
  • Accuracy: This is the question of how accurate you want your biometric to be. If you require very high accuracy, be prepared to deal with many angry users. A fingerprint that requires the same exact position of your finger every time (ask iPhone 5s users) or a voice biometric ruined due to a slight change in voice (phone reception, the flu, background noises) can be very frustrating for an end user.
  • Database Security: Biometrics cannot be re-credentialed. If you plan on collecting such strong authentication measures from your users, you have to make sure this data is properly secured. If it were ever compromised, the backlash would be unprecedented.
  • Forgery: Last but not least, if you can’t make it, fake it. Using high-resolution scans and pictures, voice sampling and mouse movement capturing, attackers can forge a biometric.

It remains to be seen how financial institutions will implement various forms of biometrics and how the cybercrime gangs will react when biometric adoption rates grow. For every evolution in authentication, the cybercriminals have determined a countermeasure to continue their fraud operations.

So Where Is Authentication Heading?

New authentication solutions take a much wider view of the problem than 2FA. We are moving away from relying on passwords and secrets that the user holds and toward the correlation of multiple events and elements to decide whether the session, device and user are who they claim to be.

While passwords will not die anytime soon (they aren’t completely worthless, after all), security experts today correlate multiple fraud indicators to better understand an incoming authentication event. These indicators include multiple data elements and decisions such as the following:

  • Is the authenticating device infected with malware?
  • Has the authenticating user been identified as a phishing victim?
  • Is the session actually controlled by a remote computer?
  • Have any of the user’s devices been compromised?
  • Is there evidence of typing anomalies during the authentication process?

By moving away from adding another form of “something you know/have/are” and checking hundreds of other indicators, both the user and the security officer experience less friction and have less of a need for manual authentication and case investigation. In my next article, I will analyze two different approaches for such invisible authentication.
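As an added illustration (not code from the article or from any vendor it mentions), the following risk-based decision correlates the five indicators listed above into a single ALLOW / STEP_UP / DENY outcome, with the typing-anomaly check computed from keystroke timing against the user's own baseline. The signal sources, weights, thresholds and the sample user and device values are constructed assumptions.

```python
from dataclasses import dataclass, field
from statistics import mean, pstdev

@dataclass
class LoginEvent:
    user: str
    device_id: str
    malware_detected: bool = False       # endpoint telemetry: infected authenticating device
    remote_session: bool = False         # session shows remote-control (RAT / remote desktop) indicators
    keystroke_gaps_ms: list = field(default_factory=list)  # inter-key intervals typed during login

# Constructed sample intelligence feeds (hypothetical values, not from the article).
PHISHING_VICTIMS = {"alice"}            # users whose credentials appeared on a phishing drop site
COMPROMISED_DEVICES = {"dev-7f3a"}      # device IDs flagged in earlier fraud cases

# Weights and thresholds are assumptions; a real deployment tunes them against fraud outcomes.
WEIGHTS = {"malware": 60, "phishing_victim": 35, "remote_session": 50,
           "device_compromised": 40, "typing_anomaly": 25}
STEP_UP_AT, DENY_AT = 30, 70

def typing_anomaly(gaps_ms, baseline_ms):
    """True when the login's typing cadence is far from the user's baseline cadence.

    Credentials pasted by malware or replayed by a script arrive with near-zero gaps;
    a human typing on a new keyboard drifts a little but stays within a few sigma."""
    if len(gaps_ms) < 3 or len(baseline_ms) < 3:
        return False                     # too little data: never penalise the user on a guess
    mu, sigma = mean(baseline_ms), pstdev(baseline_ms) or 1.0
    z = (mean(gaps_ms) - mu) / sigma
    return abs(z) > 3.0

def score_login(ev, baseline_ms):
    """Correlate the indicators and return (score, decision, triggered indicators)."""
    checks = [
        ("malware", ev.malware_detected),
        ("phishing_victim", ev.user in PHISHING_VICTIMS),
        ("remote_session", ev.remote_session),
        ("device_compromised", ev.device_id in COMPROMISED_DEVICES),
        ("typing_anomaly", typing_anomaly(ev.keystroke_gaps_ms, baseline_ms)),
    ]
    reasons = [name for name, hit in checks if hit]
    score = sum(WEIGHTS[r] for r in reasons)
    if score >= DENY_AT:
        decision = "DENY"                # block and open a case; the password/OTP alone is not trusted
    elif score >= STEP_UP_AT:
        decision = "STEP_UP"             # ask for an out-of-band confirmation only when risk warrants it
    else:
        decision = "ALLOW"               # low risk: no extra friction for the user
    return score, decision, reasons
```

The same function can be fed from real telemetry (endpoint agent, phishing-feed lookups, session analytics) without changing the decision logic.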
