Staying Ahead Of The Frauderati Is A Community Effort

by Scott Rice, 6/5/2013 9:38:00 AM

Over the last few weeks Twitter and Apple have been promoting the importance of two-factor authentication. Yes, multi-factor authentication is important for reducing fraud and account theft. But a single solution like two-factor authentication isn't enough, because for every simple solution there is a simple workaround that the ever-adaptive, ever-creative frauderati will adopt.

One of the most common methods for that second factor of authentication is a PIN you enter on your mobile device or punch into your phone's keypad. But we have to remember that the PIN is sent over the phone system. So imagine that the same group who figured out how to capture your password (perhaps because you used the same one for every account ID you possess) could redirect those PINs used as a second factor from your phone to theirs. Scary, huh? Yep, and it's already being done.

You've probably heard of call forwarding. Calls aren't the only things that can be forwarded; so can SMS messages. In fact, just about any message routed through the phone system can be re-routed. The phone system was designed for this as a convenience. But it's a convenience which can be used against subscribers. And if you think it's hard to convince your bank or other account holder that someone else used your account to transfer money, take out cash, or set up an account and order expensive items, try convincing them that the second-factor authentication PIN they sent out must have been redirected to someone else. The fact is you'll probably never know how it happened, and they are not likely to detect it even if they believed you, unless they knew where to look. When the bank has to choose between trusting their security department's spanking new two-factor authentication system and you, you and I both know who is likely going to lose.

That's what I mean about the problem of relying on a simple solution. It's not that this particular solution, a relatively simple and important one to implement, isn't a good thing. It might stop a major proportion of fraud attempts, but it's not foolproof. Telecom network specialists around the world are working on solutions, but at this point the cost of those solutions may outweigh the risks. Still, we need to keep trying. Working with operator carriers and telecom network providers is an important path to success. Some of these guys are brilliant and intimately aware of the nuances and capabilities of the incredibly complex global communications systems we have in place today. But there is also a role for those who can translate between network, security and protocol experts and the business world that, frankly, just wants to let its customers safely set up an account and order a sweater for their father, check their account balance, or reserve a hotel for a family vacation, without risking their savings or their identity.

Those of us in the fraud-prevention community need to learn to communicate with each other and not think of our particular solution as the most important leaf on the tree.  A tree isn't valuable or beautiful because of one leaf, but because of the interconnectedness of all the leaves; not because there is one, simple leaf, but because there are many, each contributing to the health and life of the whole, interconnected and complex system.
