Last month at Lumin Digital, we rolled out Google Authenticator support to all our client financial institutions, for no additional charge.
This feature, which allows users to scan a barcode with their mobile phone and use a rotating, time-based one-time passcode (TOTP) as a replacement for an email or SMS message, helps protect users of digital banking. Increasingly, fraudsters use Caller ID spoofing to pose as credit union representatives and to ‘socially engineer’ 2FA codes from vulnerable users. The ruse can be compelling when a caller can recite your personal information back to you, perhaps bolstered with details about recently declined transactions that are accurate. Finally, fraudsters will ask not for your password, but simply for you to prove your identity to them by reading back a code they send to your device.
Behind the scenes, this fraudster may already have your password from another breach or is merely using a vulnerable “forgot password” feature to obtain it with the help of a 2FA code sent through an email or text message. What is a consumer supposed to do? Institutions often train callers to do precisely that: to read back a passcode to verify to the agent they are speaking with an authorized user as a sign of ‘mutual trust.’
In some fraud schemes, user interaction is not even necessary. All a hacker has to do is compromise an email account, often reusing credentials exposed in unrelated password breaches to grab a victim’s Gmail session. By reviewing the message archive, fraudsters can discern where you have banking relationships, set up a filter to squelch email security alerts, then execute a forgot password request, capturing the 2FA code right out of the victim’s inbox.
TOTP removes the out-of-band delivery of passcodes. Without access to the device holding the “seed” scanned one time from a QR barcode, we have made it that much more difficult for threat actors to steal credentials. TOTP can also be more convenient since users don’t have to wait for a code. Who knows when we’ll all be flying again, but in situations where you can only have a single device online, it generates codes with no network connection, which is excellent for business travel.
Of course, a well-designed TOTP 2FA system must be careful not to allow fraudsters to exploit weaker email or SMS 2FA methods if the user has taken the opportunity to enable this more robust method with Google Authenticator. For this reason, we educate and encourage digital banking users to set up this factor, and remove the ‘weak links’ by taking email and SMS off the table for future logins or password reset requests.
While many online services from Gmail to LinkedIn support this, online banking offerings have been slow to deliver this incremental improvement. If institutions provided anything outside of email and SMS for 2FA, it has generally been expensive hardware-based tokens using a technology from the ’90s. While hard tokens may make sense for high-risk entities, they are not very accessible or affordable to consumers at large.
Security improvements must be delivered incrementally and continuously for credit union members. Attacks on consumers and defensive countermeasures is a ‘cat and mouse’ game that evolves but never ends. For this reason, it is critical for financial services providers to plan security features as part of an overall vision, budget them within long-term strategic roadmaps, and regularly deliver them to raise the bar to protect people. It’s also important to remember that there are no silver bullets when it comes to authentication: Google Authenticator isn’t right for all users, such as those who lack a smartphone or password manager. But, it’s a worthwhile improvement to deliver to those who can and will adopt it.
I’m proud to work with a great team at Lumin Digital that partners across the organization to deliver meaningful change to enrich the lives of credit union members, and I look forward to sharing more security features and improvements soon!
______________
Sean McElroy, CISSP, CISM
Lumin Digital – Chief Information Security Officer
