SecurityWeek

Identity & Access

Preventing Account Creation Fraud with Two-Factor Authentication

Recent reports of fraudulent account creation by employees at large banks to generate a boost in fees have raised many questions. How can such practices grow to such an immense scale? Wells Fargo has admitted to firing 5,300 employees for opening over 1.5 million unauthorized bank and credit card accounts. With allegations that the practice is more widespread, there is a real need to consider preventative measures.

What regulatory policies will need to change in response? Congressional hearings, regulatory penalties, lawsuits and customer churn will undoubtedly discourage this kind of fraud in the near term, but perhaps the better question is: what can be done to put control back into the hands of consumers more permanently?

How can an employee create fake accounts?

To address the question of consumer control, we must first consider how bank employees create fake accounts. The Consumer Financial Protection Bureau (CFPB) has stated that in one case, employees went so far as to create phony PINs and fake email addresses to enroll customers in online banking services. Those employees then transferred funds from an existing account into the new account without the customer's knowledge or permission, resulting in charges and penalties for the account holder. Every one of those steps was performed with credentials the bank itself had issued to the employee: the customer was never asked to approve anything.

How much access should employees have?

This raises the question of the level of access that should be afforded to employees. Certainly there are legitimate reasons for employees to interact with customer accounts, but for an activity such as opening an account or transferring an entire balance, shouldn’t there be a higher bar for access? 

Perhaps regulators need to consider mandating implementation of two-factor authentication (2FA) for significant account management activities. Only the account owner (or legal guardian/trustee) should be authorizing these kinds of transactions, which aren't an everyday occurrence, and the second factor must be one the customer holds, not one an employee can generate or look up on the customer's behalf. The level of risk justifies the effort required for an extra authentication step.

How can 2FA be implemented for the masses in a cost-effective manner?

2FA costs skyrocket when extra hardware such as hard tokens or biometric scanners is involved. In response to this challenge, the ubiquity of mobile devices certainly positions them as a logical platform for delivering 2FA. But the recent National Institute of Standards and Technology (NIST) recommendation against the use of SMS tokens for 2FA (SP 800-63B treats out-of-band authentication over the public telephone network as a restricted authenticator, because SMS can be intercepted or redirected through SIM swaps and number-porting fraud) means that older non-smart phones aren't preferable for this purpose, which excludes a significant portion of the population using older technology. Additionally, the authentication method in use should be usable across multiple mediums, whether banking online, on the phone or in person.
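To make the "higher bar" concrete, here is an added example (written for this page, not code from the article or from any bank) of a step-up authorization gate for the significant actions discussed above: opening an account, transferring a full balance, enrolling in online banking. The second factor is an RFC 6238 time-based one-time password from an authenticator app, which needs no SMS and produces a short code a customer can type online, read to a call-centre agent or show at a branch. The action names, the `StepUpPolicy` class and the customer/employee identifiers are hypothetical; the shared secret is the RFC 6238 test-vector secret, used here only so the output is checkable.

```python
import hashlib
import hmac
import struct

# Hypothetical list of account-management actions that must be authorized by the
# customer's own second factor, regardless of which employee initiates them.
HIGH_RISK_ACTIONS = {
    "open_account",
    "transfer_full_balance",
    "enroll_online_banking",
    "change_contact_details",
}


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time (what the app shows)."""
    return hotp(secret, unix_time // step, digits)


class StepUpPolicy:
    """Gate high-risk actions behind a fresh, customer-held TOTP code.

    Hypothetical policy object. In a real deployment the per-customer secret would
    live in an HSM or secrets store and never be readable by branch staff.
    """

    def __init__(self, step: int = 30, skew: int = 1):
        self.step = step          # TOTP time step in seconds
        self.skew = skew          # how many adjacent steps to accept for clock drift
        self.last_counter = {}    # customer_id -> highest counter already redeemed

    def verify_customer_code(self, customer_id: str, secret: bytes, code: str, now: int) -> bool:
        """Accept a code for the current step or +/- skew steps, each counter at most once."""
        current = now // self.step
        for drift in range(-self.skew, self.skew + 1):
            counter = current + drift
            # Replay guard: a counter value that has already been redeemed is never reused,
            # so an employee who overhears one code cannot spend it a second time.
            if counter <= self.last_counter.get(customer_id, -1):
                continue
            if hmac.compare_digest(hotp(secret, counter), code):
                self.last_counter[customer_id] = counter
                return True
        return False

    def authorize(self, actor: str, customer_id: str, action: str,
                  secret: bytes, code, now: int) -> bool:
        """Decide whether `actor` may perform `action` on `customer_id`'s account.

        Low-risk actions pass on the actor's normal session. High-risk actions pass
        only with a valid customer code; the actor's own identity (teller, manager,
        or even the customer logged in with a password) does not substitute for it.
        """
        if action not in HIGH_RISK_ACTIONS:
            return True
        if code is None:
            return False
        return self.verify_customer_code(customer_id, secret, code, now)


if __name__ == "__main__":
    # Constructed demo using the RFC 6238 test secret; a real secret is per customer.
    secret = b"12345678901234567890"
    policy = StepUpPolicy()
    t = 1234567890
    print("customer's app shows:", totp(secret, t))
    print("teller opens account without customer code:",
          policy.authorize("teller-42", "cust-1", "open_account", secret, None, t))
    print("teller opens account with customer's code:",
          policy.authorize("teller-42", "cust-1", "open_account", secret, totp(secret, t), t))
    print("same code reused a moment later:",
          policy.authorize("teller-42", "cust-1", "open_account", secret, totp(secret, t), t + 5))
```

The important design choice is that `authorize` does not care who the actor is; an employee with full back-office access still cannot complete a high-risk action unless a code generated on the customer's device is presented, and each code is single-use. Rate-limiting code attempts per customer and logging every high-risk decision (actor, action, outcome) belong alongside this in production so that a flood of denied step-ups from one employee is itself a detection signal.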

Perhaps the answer is in voice recognition. Speaking a user-chosen phrase into a computer microphone (at the branch or online), or over the phone, is something that most people are capable of, and it combines something you know (the passphrase) with something you are (the voice). Recording and matching a customer's spoken command as the means of authorizing the account activity itself is the next logical progression. Two caveats apply: a spoken phrase is no longer secret once it has been heard or recorded, so any voice scheme needs replay and liveness checks; and the stored voiceprints and reference recordings become a high-value target, so they must themselves be protected behind 2FA and strict access controls.

2FA is becoming more mainstream for businesses; however, businesses need to consider how 2FA should be implemented to maintain both external and internal control. According to a recent Ponemon Institute Research Report, “75 percent of respondents say a single-factor authentication approach, including username and password, can no longer effectively prevent unauthorized access to information resources.” It’s a shame that protection needs to be from both external attackers and employees alike, but it is in the best interest of the financial industry to maintain trust with consumers.
