Alexander Pope wrote, “To err is human; to forgive, divine.” For cybersecurity professionals, forgiving (and compensating for) human error by incorporating additional backup measures is critical to preventing fraud.
The recent spate of man-in-the-middle attacks on customers of peer-to-peer (P2P) payment platforms is a case in point.
A man-in-the-middle attack occurs when “attackers interrupt an existing conversation or data transfer. After inserting themselves in the ‘middle’ of the transfer, the attackers pretend to be both legitimate participants. This enables an attacker to intercept information and data from either party while also sending malicious links or other information to both legitimate participants in a way that might not be detected until it is too late.” Man-in-the-middle attacks are especially disorienting because victims believe they are speaking to a legitimate business but are actually handing over the keys to their account to a fraudster.
In the P2P payments context, the victim receives an SMS from an unknown number sent by a fraudster claiming to be from the fraud department of a well-known P2P company. The text message warns of a recent suspicious transaction. Worried and confused, the victim responds to the message and explains that they did not authorize the (fictitious) charge in question. The fraudster, taking advantage of the victim’s urgency, asks the victim to verify their username to “clear the charges.” Without thinking, the victim shares their username; after all, a username isn’t confidential. The fraudster then goes to the P2P website or app, enters the victim’s username, and requests a password reset. Moments later, the victim receives a one-time password (OTP) and dutifully sends it to the fraudster, ostensibly confirming their identity and clearing the charges. Unfortunately, it’s all a scam. In minutes, the fraudster has gained access to the victim’s account with the victim’s username and OTP, reset the victim’s password, and stolen their money.
For many cybersecurity professionals, it’s difficult to imagine how so many people can be fooled via social engineering into handing over an OTP to a stranger via SMS. The reality, however, is that many consumers are unfamiliar with and overwhelmed by the ever-increasing security measures placed on our digital lives, and, let’s face it, everybody makes mistakes.
To protect customers from social engineering and man-in-the-middle fraud, companies need to move beyond the first generation of OTPs and fortify their multi-factor authentication (MFA) flow.
Here are four steps you can take today to fortify your company’s multi-factor authentication flow:
- Next-Generation MFA: Use phone-centric identity technology such as MobileAuth™ to confirm that activity is coming from an expected device. This will prevent fraudsters from initiating high-risk transactions such as password resets from phone numbers not associated with the legitimate customer.
- Secure Links: A happy medium between active (SMS delivery with user action required) and passive (checking against phone-centric identity signals) security methods, InstantLink™ authenticates identities in real time when users click the link, creating a more secure and frictionless alternative to the SMS OTP. Customers just have to click a link rather than enter a string of digits in an OTP.
- Behavioral Biometrics: Human error (e.g., using a common password, sharing passwords across multiple accounts, falling for social engineering schemes) is a leading cause of security breaches. With behavioral biometrics, however, the very traits that make a human unique (how we walk, hold our phone, type messages) are used to make security flows more secure. In essence, behavioral biometrics allows consumers to verify their identity online just by being themselves in the real world.
- Trust Indicator: Our Trust Score™ uses behavioral and phone intelligence signals to measure a phone number’s fraud risk and identity confidence in real time. Scaled from 0 to 1000 (with a score of less than 300 classified as low-trust, high-risk), the Trust Score model can be implemented to secure use cases across account enrollment, login, high-risk events, and customer communications.
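Steps 1 and 4 above amount to a policy decision that runs before any OTP is sent: is the reset coming from a device bound to the account, and does the phone number behind it score as trustworthy? The block below is an added illustration of that gate, not Prove's code or API; the account and request fields, device identifiers and the "step_up" outcome are assumptions, while the 0 to 1000 scale and the 300 cut-off come from the text.

```python
from dataclasses import dataclass

# From the text: Trust Score is scaled 0 to 1000, and below 300 is low-trust, high-risk.
LOW_TRUST_THRESHOLD = 300

@dataclass(frozen=True)
class Account:
    username: str
    enrolled_devices: frozenset  # device ids bound to the account (assumed field)

@dataclass(frozen=True)
class ResetRequest:
    username: str
    device_id: str    # device submitting the password-reset request (assumed)
    trust_score: int  # 0..1000 risk score for the phone number behind the request

def decide_reset(account: Account, req: ResetRequest) -> tuple[str, str]:
    """Decide whether a password reset may proceed before any OTP is sent.

    Returns (decision, reason): 'deny' stops the flow, 'step_up' routes to an
    out-of-band check on an enrolled device, 'allow' lets the reset continue.
    """
    if req.username != account.username:
        return "deny", "request does not match account"
    if not 0 <= req.trust_score <= 1000:
        raise ValueError("trust score must be within 0..1000")
    if req.trust_score < LOW_TRUST_THRESHOLD:
        return "deny", "phone number scored low-trust"
    if req.device_id not in account.enrolled_devices:
        # Sending an SMS OTP here is exactly what the relay scam exploits: the
        # code lands on the victim's phone and is read back to the fraudster.
        # Verify on a device already bound to the account instead.
        return "step_up", "request from a device not bound to the account"
    return "allow", "enrolled device with acceptable trust score"

# Constructed sample data replaying the scenario described above.
VICTIM = Account("jane_doe", frozenset({"victim-phone-01"}))
FRAUDSTER_RESET = ResetRequest("jane_doe", "unknown-device-77", trust_score=140)
LEGIT_RESET = ResetRequest("jane_doe", "victim-phone-01", trust_score=820)
NEW_PHONE_RESET = ResetRequest("jane_doe", "victim-phone-02", trust_score=650)

if __name__ == "__main__":
    cases = [("fraudster", FRAUDSTER_RESET), ("legitimate", LEGIT_RESET),
             ("new phone", NEW_PHONE_RESET)]
    for label, req in cases:
        print(label, decide_reset(VICTIM, req))
```

The "new phone" case shows why a step-up path matters: a customer on a device the account has never seen should not be denied outright, but should not receive a relayable SMS code either.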
Although it would be ideal if human error could be removed from the security equation, the truth is that consumers will continue to fall prey to social engineering, including man-in-the-middle schemes, if companies do not step up to provide additional layers of security. Fortunately, companies today have access to the technology they need to protect their business and their consumers.
If you’re interested in preventing man-in-the-middle attacks and other forms of fraud while accelerating onboarding and boosting revenue, contact us using the form below.