For every online security solution, the scammers are one step ahead of us.
Take two-factor authentication (2FA), for example. Two-step authentication, also known as two-step verification, a subset of multifactor authentication, was meant to eliminate a lot of data hacks.
It was designed to add another layer of security to keep your data safe, but of course scammers are finding ways around it.
So, what is multifactor authentication and how are scammers exploiting it?
When you sign into your accounts you usually enter a username and password. This was enough in the early days of the internet as it was little more than a communication tool.
Now, however, we conduct almost all our lives online and the information we use is valuable. Banking, medical records, shopping, you name it, it probably has value to a scammer.
Passwords making it easy
So, scammers got busy working out how to use passwords and usernames to their advantage.
Unfortunately, we made it easy for them because people often use simple passwords, use the same password repeatedly, or use easy-to-guess passwords such as their birthdate.
Perhaps the most famous case of single authentication failure in Australia is the Medibank data breach in 2022.
In that instance, hackers got into the system because Medibank did not require its workers to use multifactor authentication. The fallout was staggering. An estimated 9.7 million current and former customers’ details were published on the dark web. It’s believed the hacker was in the system for nearly two months.
So, to discourage this sort of hacking, the solution was to initiate two-factor authentication. So instead of just your username and password, you might have to use a code generated by the website or facial recognition or even a second PIN on another device.
This was designed to make it almost impossible for the scammers. Unfortunately, they got around the system.
But how? There are a few methods, but the usual tactic is that scammers will use one set of your personal information to discover or bypass your 2FA information and then access your accounts.
Sneaky first step
Quite often the first step isn’t even noticeable.
Just as the first COVID lockdown was beginning in Sydney, Compare Club head of research Kate Browne noticed a message on her phone welcoming her to Telstra – she thought it was odd as she was with Optus – but assumed it was a scam.
She didn’t think much of it until a few days later her phone stopped working completely, and straight after that she was locked out of her email too. Unable to make a phone call or email meant she struggled to contact her telco until she was able to use her partner’s phone when he got home.
She logged into her bank account online to check it hadn’t been compromised too and saw to her horror that more than $8000 had been withdrawn and a further $2000 had been spent on household appliances at Dyson.
By the time she was able to contact her bank, they confirmed she had been the victim of identity fraud – and the weakest link in the security chain? Two-factor identification.
“When I spoke to id-care at ASIC, they told me this was becoming more and more common. Once a scammer has enough details about you to be able to impersonate you via your telco provider, scammers can then request porting the phone number to another carrier,” Ms Browne said.
“Once that is done, the scammer then has control of your phone number and can then access bank accounts and more by being able to confirm anything that is sent to the phone.”
“On top of that – not having a phone that works can often slow victims down in terms of being able to take action because how many people have access to a landline these days?”
So what can you do?
Firstly, never reveal an unasked-for verification code to any other person. And anyone asking for an authentication code out of the blue is trying to hack into your accounts.
You can also use authenticator apps such as Google or Microsoft Authenticator where possible, instead of text message codes. Authenticator apps generate random one-time passwords and are more secure than text messages. The codes stay within the app instead of being sent by a telco, making them less likely to be intercepted.
Use difficult passwords. If you are having trouble thinking something up, use a password generator and a password manager to remember them. Never reuse passwords or usernames.
While biometrics are not impossible to replicate, they do make it hard for scammers. An example is fingerprint access to your device or mobile apps.
You could try a security key. A security key is a small physical token without a display screen, which can be plugged into your device via a USB port, or kept nearby for wireless versions. It prompts the user to activate authentication processes, and it is a more secure form of 2FA.
Have you been the victim of a scam? Why not share your experience in the comments section below?
