Ai Editorial: 2FA improves security, but is it enough for your FFP?

First Published on 26th March, 2019

Ai Editorial: Most enterprises rely on static verification measures to shield loyalty accounts or make sure there is no unauthorized FFP access. But are these enough? Not really, writes Ai’s Ritesh Gupta


Specialists point out that initiatives such as two-factor authentication (2FA) and multi-factor authentication (MFA) can be bypassed by fraudsters (e.g. via SIM hacks or SIM swaps) and result in needless friction for customers. More must be done in terms of ensuring user accounts are secure from fraud. It is clear that many merchants face a tussle when it comes to balancing the need for security and optimizing UX, which is tough to attain if they tend to rely on 2FA/ MFA.


Either way there are issues: too little security on one side, or added friction in the user experience on the other.

It is pointed out that 2FA is not completely secure. Most organizations rely on 2FA for account protection, yet it can be overcome by fraudsters with deceptive tactics, such as SMS phishing that tricks users into giving up their 2FA reset codes; it is also not uncommon for fraudsters to intercept the confirmation SMS messages, showing that 2FA alone is not sufficient to prevent fraudulent account takeovers. For many other enterprises, improving the user experience takes priority, and therefore no measures for account protection have been taken at all, leaving their accounts vulnerable to fraud attacks.

Fraudsters don’t find it tough to bypass feeble implementations, either by intercepting codes or by exploiting account-recovery systems. There have been reports of malware illegitimately amending a mobile device’s accessibility settings, activating the mobile operating system’s overlay accessibility feature, and then imitating the user’s taps to drive the legitimate app and commit a fraudulent act such as spending miles or transferring money from the app. One example is an Android Trojan described as malware that blends the capabilities of a remotely controlled banking Trojan with a new misuse of Android accessibility services; it was used to target users of the official PayPal app. (The report also explains how PayPal’s 2FA was breached.)

Another reason 2FA cannot eradicate the risk completely is the problem of phishing attacks.

Earlier this year, a penetration testing tool challenged the efficacy of 2FA. Security researcher Piotr Duszyński managed to automate phishing attacks and get through login flows for accounts protected by 2FA. On his blog, Duszyński described the reverse proxy tool “Modlishka”. When users enter their passwords, they are recorded in the Modlishka backend panel, and the reverse proxy also prompts users for their 2FA tokens when their accounts are configured to request one.

If fraudsters/ hackers are watching and collecting these 2FA tokens in real time, they can use them to log into users’ accounts and set up new “valid” sessions of their own.

Beyond feeble authentication, fraud prevention specialist CashShield pointed to the limited scope of protection that 2FA offers. For example, a fraudster who has bought a frequent flyer account from the dark web can bypass the 2FA and proceed to redeem the miles in the account, since no security measure is implemented at the point of redemption.

Overcoming these issues

Users need to be made aware of unrequested authentication scenarios. With 2FA, a user is only prompted for authentication when they themselves have made a request, so users should reject any authentication prompt they did not initiate. Likewise, any email referring to a phone call or push notification that asks the user to confirm their identity should not be responded to.

Also, when it comes to the user experience, rather than using a blanket rule that forces every user to log in with 2FA, real-time surveillance can be used to assess logins in the background, so that only logins with borderline risk are required to go through 2FA. This would greatly improve the user experience on the whole, while ensuring that account security is not taken for granted.
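The following is an added example, not code from the article or from CashShield, of the risk-based step-up just described, extended to the redemption step that the earlier CashShield point says is usually left unchecked. The event fields, member profile, signal weights and thresholds are all illustrative assumptions; a real deployment would tune them from its own login and redemption history.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed event record; field names and weights are this example's own assumptions.
@dataclass
class Event:
    user: str
    kind: str            # "login" or "redeem"
    device_id: str
    country: str
    miles: int = 0       # only meaningful for kind == "redeem"
    ts: datetime = field(default_factory=lambda: datetime(2019, 3, 26, 9, 0))

# Constructed profile for one member (would normally come from a profile store).
PROFILE = {
    "devices": {"dev-A"},
    "countries": {"GB"},
    "recent_logins": [],   # timestamps of recent successful logins
    "avg_redeem": 5000,    # typical redemption size in miles
}

STEP_UP = 40   # at or above: require a 2FA challenge
BLOCK = 80     # at or above: hold the request for manual review

def risk_score(ev: Event, profile: dict) -> int:
    """Sum illustrative risk signals for a login or redemption event."""
    s = 0
    if ev.device_id not in profile["devices"]:
        s += 30                                   # device never seen for this member
    if ev.country not in profile["countries"]:
        s += 30                                   # country never seen for this member
    window = ev.ts - timedelta(minutes=10)
    if sum(1 for t in profile["recent_logins"] if t >= window) >= 3:
        s += 25                                   # rapid repeated logins
    if ev.kind == "redeem" and ev.miles > 3 * profile["avg_redeem"]:
        s += 40                                   # redemption far above the member's norm
    return s

def decide(ev: Event, profile: dict) -> str:
    """Map a score to allow / challenge / block so 2FA is only demanded when warranted."""
    s = risk_score(ev, profile)
    if s >= BLOCK:
        return "block"
    if s >= STEP_UP:
        return "challenge"
    return "allow"

if __name__ == "__main__":
    print(decide(Event("alice", "login", "dev-A", "GB"), PROFILE))                   # allow
    print(decide(Event("alice", "redeem", "dev-A", "GB", miles=20000), PROFILE))     # challenge
```

Note that the oversized redemption from a trusted device still triggers a challenge: the check runs at the point of redemption, not only at login.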

Machine learning technologies are also emerging as an astute option for securing accounts. The efficacy of machine learning, especially real-time machine learning, can be explored for account protection: supervised and unsupervised models together can learn historical patterns of use and flag anomalies against them. According to CashShield, behavioral analytics with pattern recognition will be able to accurately separate fraudsters from genuine users.

Hear from senior executives about login authentication and account takeover at the upcoming ATPS (21st Century Customer Experience for Payments & Fraud - Airline & Travel Payments Summit) to be held in London (Brighton), UK (7-9 May, 2019).
