Fraudsters are defeating MFA challenges. Here’s how to stop them.
By Chris Gerda, Risk and Fraud Prevention Officer at Bottomline Technologies
Multi-factor authentication (MFA) has been one of the most effective controls for payment fraud prevention. Fraudsters have large toolkits for acquiring passwords or gleaning the personal information used to answer knowledge-based challenges, but MFA puts a critical piece of identity verification outside a bad actor's reach.
No single defense is perfect, and fraudsters have been chipping away at this line of defense for a while. In recent months, a pair of threats to MFA have emerged that deserve your attention, especially because one of them has become such a severe problem that the FBI issued a warning about it.
At Paymode-X, the accounts payable automation company I work for, we deploy protections built to prevent precisely these kinds of account takeover frauds; we see them often, and it's a primary reason our B2B payments customers use Paymode-X. If you don't have such protections, or you're not working with a company that can protect your sensitive bank account information from unauthorized updates or payment initiations, you will want to know how to stop these two methods today.
Let's look at two of the strategies fraudsters use to take over your accounts and email, and the defenses against each.
SIM swap
We're all familiar with receiving a text code on our phone when logging into one of our accounts. Fraudsters know this too, so they go to the length of a SIM swap: getting your phone number assigned to a SIM card they control, in a device they hold. They get there by social engineering the carrier's support staff, by compromising your mobile carrier login, or even with insider help at the carrier. Regardless of how they ultimately get the job done, once the number is moved the criminal receives your calls and texts, including the one-time codes and password-reset messages that help them defeat MFA challenges.
Once the swap has been completed, fraudsters simply enter your phone number at the "forgot password" prompt of, say, your bank account, receive the verification text on their device, reset the password and make off with your money. By the time you're wise to the scheme (your own handset typically loses service the moment the number moves) and contact your mobile carrier to get the number switched back, you or your company may already be out a significant sum.
Reverse proxy, or the scourge of fake logins
Alongside the rise of SIM swapping, and driven in part by how many users now have MFA enabled, fraudsters are also stealing MFA codes with fake websites that impersonate real banks and online services. As BleepingComputer outlines, these are reverse proxy phishing kits; I prefer to call them fake website logins, because that is what they are, and the name conveys both the urgency and the nature of the threat. An email lures the victim to a page that looks exactly like a legitimate bank login site but sits in front of the real one and forwards every request. When you enter your credentials, the fraudster (or the kit, automatically) immediately uses them to log into your real account on the real website. Since that login comes from a new device, the bank sends you an MFA code; it just so happens you are asked for the same code on the fake page. You get the code from your actual bank and type it in, the proxy relays it, and the fraudster is in your real account on the spot. Afterwards the fake site redirects you to the genuine company website, so you never realize you have been duped and assume at most that your login simply didn't take.
The end result is the same as it is for the SIM swap scheme, or really any other account takeover: the bad guy is in your bank account and happily transferring your hard-earned money into their accounts. The sophistication of these sites and how convincing they appear can make them hard to spot.
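To make the relay concrete, here is an added example (my own simulation, not code from the article or from Paymode-X) of the fake-login flow described above. It models the real bank, the victim's phone, and the attacker's proxy as plain Python objects, then shows two things: a six-digit TOTP code typed into the fake page is accepted by the real bank when relayed inside its time window, while an origin-bound response (the WebAuthn/FIDO2 style, in which the browser signs the bank's challenge together with the origin it is actually talking to) fails even if the proxy rewrites the origin field, because the signature covered the fake origin. All origins, secrets and the password are constructed; the security key's signature is stood in for by an HMAC so the code runs with the standard library only.

```python
"""Added example (not from the article): simulation of a reverse-proxy
("fake login") relay against a TOTP code versus an origin-bound credential.
All names, origins and secrets below are constructed for the demo."""
import hashlib
import hmac
import secrets
import struct


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time-step counter, then dynamic truncation."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


class Authenticator:
    """The victim's phone: a TOTP app plus a security key.  The key's signature is
    modelled with HMAC over a shared key so the demo needs only the stdlib; a real
    key signs with a private key and the site verifies with the enrolled public key."""

    def __init__(self, totp_secret: bytes, key: bytes):
        self.totp_secret = totp_secret
        self.key = key

    def otp(self, now: int) -> str:
        return totp(self.totp_secret, now)

    def assertion(self, challenge: str, browser_origin: str) -> dict:
        # The browser, not the web page, supplies the origin it is actually talking to.
        msg = f"{challenge}|{browser_origin}".encode()
        return {"challenge": challenge, "origin": browser_origin,
                "sig": hmac.new(self.key, msg, hashlib.sha256).hexdigest()}


class Bank:
    """The real site: holds the enrolled TOTP secret and credential key."""
    ORIGIN = "https://bank.example"  # constructed

    def __init__(self, totp_secret: bytes, key: bytes, password: str):
        self.totp_secret, self.key, self.password = totp_secret, key, password
        self.pending = {}  # session -> outstanding challenge

    def login_totp(self, password: str, code: str, now: int) -> bool:
        # Nothing in a six-digit code says which site it was typed into.
        return password == self.password and hmac.compare_digest(code, totp(self.totp_secret, now))

    def challenge(self, session: str) -> str:
        self.pending[session] = secrets.token_hex(16)
        return self.pending[session]

    def login_origin_bound(self, session: str, assertion: dict) -> bool:
        chal = self.pending.pop(session, None)
        if chal is None or assertion["challenge"] != chal or assertion["origin"] != self.ORIGIN:
            return False
        expected = hmac.new(self.key, f"{chal}|{self.ORIGIN}".encode(), hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, assertion["sig"])


class FakeLogin:
    """Attacker's reverse proxy: relays whatever the victim enters to the real bank."""
    ORIGIN = "https://bank-login-secure.example"  # constructed lookalike domain

    def __init__(self, bank: Bank):
        self.bank = bank
        self.session = "attacker-browser"

    def relay_totp(self, password: str, code: str, now: int) -> bool:
        # Forwarded within the 30-second window, so the bank accepts it.
        return self.bank.login_totp(password, code, now)

    def relay_origin_bound(self, victim: Authenticator, rewrite_origin: bool) -> bool:
        chal = self.bank.challenge(self.session)         # attacker starts a real login
        assertion = victim.assertion(chal, self.ORIGIN)  # victim's browser signs for the fake origin
        if rewrite_origin:                               # patching the field does not help:
            assertion = {**assertion, "origin": Bank.ORIGIN}  # the signature covered the fake one
        return self.bank.login_origin_bound(self.session, assertion)


def run_demo(now: int = 1_700_000_000) -> dict:
    totp_secret = b"constructed-demo-secret"
    key = b"constructed-demo-credential-key"
    victim = Authenticator(totp_secret, key)
    bank = Bank(totp_secret, key, "correct-horse")
    proxy = FakeLogin(bank)
    # Control case: the victim's own browser on the real site.
    legit = bank.login_origin_bound(
        "victim-browser", victim.assertion(bank.challenge("victim-browser"), Bank.ORIGIN))
    return {
        "totp_relay_succeeds": proxy.relay_totp("correct-horse", victim.otp(now), now),
        "origin_bound_relay_succeeds": proxy.relay_origin_bound(victim, rewrite_origin=False),
        "origin_bound_relay_with_rewrite_succeeds": proxy.relay_origin_bound(victim, rewrite_origin=True),
        "legit_origin_bound_succeeds": legit,
    }


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name}: {result}")
```

The point the simulation makes is that the proxy never has to break anything: a TOTP or SMS code is just a string the bank will accept from whoever presents it first, whereas the origin-bound response is only valid for the site the browser was really connected to.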
How to prevent both
You can take three critical steps to defeat these kinds of fraud. The first is to lock your mobile number with your carrier by setting an account PIN or passcode (some carriers call it a port-out PIN or number lock) that must be supplied before the number can be moved to a new SIM or carrier; a fraudster who doesn't know it is stymied when they try to get the number transferred to their device. Note that this is different from the PIN that locks the physical SIM card in your handset: that PIN protects the card itself and does nothing to stop the carrier from assigning your number to a different card. I'd recommend that everyone set a carrier account PIN, which most carriers offer, because of how simple and powerful that extra layer of security can be.
For fake logins, the advice is timeless: don't click a link in an email unless you're confident you know who it's from and why it was sent. If an email is trying to take you directly to your bank's login page, it's best to close that window entirely, navigate to your bank's website yourself (a bookmark or a typed address, checking that the domain in the address bar is the bank's) and log in there, so you are not duped into surrendering your credentials and the MFA code the fraudster needs. Where the bank offers it, an authenticator bound to the site's origin (a FIDO2/WebAuthn security key or passkey) is the strongest fix, because the browser signs the bank's challenge together with the origin it is actually talking to, so a response produced on the fake site is rejected by the real one and cannot be relayed the way a six-digit code can. Being extra cautious with your emails and logins may take a little extra time, but it can save you from significant losses.
The third step is essential, especially for high-value B2B payments, given the damage done by Business Email Compromise (BEC) fraud: work with a solution that protects your bank account information and payments through multi-layered controls that build on MFA with additional authentication layers, making an account takeover far harder to pull off. If you've made it through the last couple of years of remote work and increasingly digital payment methods without raising your level of protection, you're fortunate, but it's time to look into AP automation providers with defenses capable of securing digital payments.
These schemes are a reminder that you can never get too comfortable just because MFA challenges protect your accounts. Whether you're adding protection at your carrier, working with a partner who can protect your critical payments and bank account information, or both, 2022 should be a year of extra vigilance. The cost of ignoring these emerging threats is simply too high.
Visit our blog for more articles on the latest fraud and financial crimes, regulation and compliance, financial technology, treasury and cash management, and more. www.bottomlinetechnologies.com/thought-leadership
Reader comment (2 years ago): Interesting article. Although I have some non-financial logons that rely on SMS authentication, I would not get involved with any bank/finance company that doesn't have proper MFA (via an app) in place for the exact reason of ruling out SIM swap. I'm surprised that such companies still exist - why isn't the banking industry regulating against an exploit that's been known for so long? Phishing is not a new phenomenon either, and in the past has been easy to see through, although it is getting more sophisticated. I'd recommend a 'secret' email address to be shared only with your bank and then used by them exclusively - you provide it once and never provide it again (under any circumstances, because the person who is asking is not the bank!). Your normal email address is probably all over the place and that's where the phishing emails will therefore go, instantly marking it as non-genuine for the avoidance of all doubt. Clearly, the secret email address is not immune to insider fraud, but effective otherwise. It's important to ensure that relevant staff are trained to understand and recognise the various exploits. Define processes for everything so that anything falling outside the norm gets careful review before action.