If you won’t listen to me, perhaps you will listen to the Cyber Crimes unit of the Federal Bureau of Investigation. Here is a Private Industry Notification they posted last month, ‘Cyber Criminals Use Social Engineering and Technical Attacks to Circumvent Multi-Factor Authentication.’
Aha! Just like I said. But for those who don’t read the TeleBlog as often as they should, let’s recap what ‘social engineering’ is. Social engineering occurs when a fraudster uses dubious methods to gain your CONfidence (hence ‘con man’), flexing his charm to gain access to something he shouldn’t. An example would be Leonardo DiCaprio becoming licensed to practice medicine in Catch Me If You Can by uttering the phrase ‘Do you concur?’
Sadly, cons happen in real life too, and the SIM swap is one of the most devastating. But instead of tricking a state bar association, an airline, Tom Hanks or a medical board, the perpetrator has to defraud a customer service representative at a cell phone company (just like I did when I traded in my last water-damaged iPhone for an upgrade.*) A charismatic fraudster with limited information about you and a great smile can typically convince a novice carrier employee to port your number over to their phone. Once they have this, triggering a 2FA cycle can give them the keys to the castle, or at least to all of your accounts.
Beyond social engineering, man-in-the-middle schemes, session hijacking and transparent proxies are a few of the ways to get around old-school multi-factor authentication. There are even tools such as Muraena and NecroBrowser that can be used to orchestrate a complicated account takeover.
This isn’t to say that 2FA isn’t effective. On the contrary, Google (heard of ‘em?) claims multi-factor authentication can protect against 99.9% of hacks (100% of bot attacks and 99% of bulk phishing attacks); however, a small number of targeted hacks CAN get through if you aren’t careful.
BIG DATA: Not always a bad thing
By layering data intelligence on top of 2FA, these gaps can be closed. Why do the Yankees always win? Because people can’t stop looking at the pinstripes. Telco data washes those stripes away and prevents all sorts of fraud. The telco data behind a phone number can tell us who a person is, what kind of phone number they use and whether they are likely committing fraud. Is the person trying to register on your platform Bob, the married architect from Philadelphia, or notorious con man Frank Abagnale Jr.?
TeleSign has proven itself to be the industry leader in defending against not only SIM swap but all account takeover attacks. By using machine learning algorithms, a global data consortium and data science, TeleSign has built tools that can give you this information with extreme certainty. An example around SIM swap would be our ability to return the last time a phone number was ported. This way, if you are a bank and someone attempts to empty an account of several million dollars, you can rely on data insights in addition to classic 2FA to stop them. The fraudster’s plot is foiled, then you recruit him to join you at the FBI in the bank fraud division and everyone lives happily ever after.
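To make the “port date on top of 2FA” idea concrete, here is an added example (not TeleSign’s API or code) of a step-up policy that consults a hypothetical porting-history lookup before an SMS one-time code is trusted for a transaction. The `PhoneIntel` record, the seven-day risk window and the high-value threshold are all assumed values chosen for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Hypothetical shape of a telco-intelligence lookup result (constructed for
# this example; not a real provider's response format).
@dataclass
class PhoneIntel:
    number: str
    last_ported_at: Optional[datetime]  # None when the number was never ported
    line_type: str                      # "mobile", "voip" or "landline"

PORT_RISK_WINDOW = timedelta(days=7)  # assumed: a port this recent smells like SIM swap
HIGH_VALUE = 10_000                   # assumed: step-up threshold in account currency

def recently_ported(intel: PhoneIntel, now: datetime) -> bool:
    """True if the number changed carrier/SIM inside the risk window."""
    if intel.last_ported_at is None:
        return False
    return now - intel.last_ported_at <= PORT_RISK_WINDOW

def decide_challenge(intel: PhoneIntel, amount: float, now: datetime) -> str:
    """Pick how to authenticate a transaction on this phone number.

    Returns one of:
      "sms_otp"  - classic SMS 2FA is acceptable
      "step_up"  - SMS is not trusted; require a non-SMS factor (app, hardware key, callback)
      "deny"     - hold the transaction for manual review
    """
    ported = recently_ported(intel, now)
    if intel.line_type == "voip":
        # VoIP numbers are cheap to obtain and are not bound to a SIM at all.
        return "step_up"
    if ported and amount >= HIGH_VALUE:
        # Recently ported number plus a large withdrawal: the textbook SIM-swap cash-out.
        return "deny"
    if ported:
        return "step_up"
    return "sms_otp"

if __name__ == "__main__":
    now = datetime(2020, 2, 1, tzinfo=timezone.utc)
    # Constructed sample: number ported yesterday, multi-million withdrawal attempt.
    swapped = PhoneIntel("+15550001111", now - timedelta(days=1), "mobile")
    print(decide_challenge(swapped, 2_000_000, now))  # deny
```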
Oy. I need to stop watching so many movies.
The lesson here is that both I AND the FBI would like you to turn on 2FA. It stops 99.9% of attacks. Now if you’re interested in stopping that last .01%, give TeleSign a call and we’ll show you the way.