Preventing Account Creation Fraud with Two-Factor Authentication

Recent reports of employees at large banks fraudulently creating accounts to boost fee income have raised many questions. How can such a practice grow to such an immense scale? Wells Fargo has admitted to firing 5,300 employees for opening over 1.5 million unauthorized bank and credit card accounts. With allegations that the practice is more widespread, there is a real need to consider preventive measures.

What regulatory policies will need to change in response? While congressional hearings, regulatory penalties, lawsuits and customer churn will undoubtedly discourage this kind of fraud in the near term, perhaps the better question is what can be done to put control back into the hands of consumers more permanently.

How can an employee create fake accounts?

To address the question of consumer control, we must first consider how bank employees create fake accounts. The Consumer Financial Protection Bureau (CFPB) has stated that in one case, employees went so far as to create phony PINs and fake email addresses to enroll customers in online banking services. Those employees then transferred funds from an existing account into the new account without the customer's knowledge or permission, resulting in charges and penalties for the account holder. In other words, every credential involved in the transaction was created and controlled by the employee; the customer was never in the loop.

How much access should employees have?

This raises the question of how much access should be afforded to employees. Certainly there are legitimate reasons for employees to interact with customer accounts, but for an activity such as opening an account or transferring an entire balance, shouldn't the bar for access be higher?

Perhaps regulators need to consider mandating two-factor authentication (2FA) for significant account management activities. Only the account owner (or legal guardian/trustee) should be making these kinds of transactions, which aren't an everyday occurrence. The key design point is that the second factor must be held by the customer, not the bank: an employee can initiate the action, but it does not complete until the customer supplies a fresh code from a device the employee never controls. The level of risk justifies the effort required for that extra authentication step.
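The following is an added example of the control described above, not code from the original column or from any bank's systems. It implements a step-up gate in which routine actions proceed on the employee's own authority, while high-risk actions (the tiers, the customer id and the action names are assumptions chosen for illustration) require a time-based one-time password (RFC 6238 TOTP, built on RFC 4226 HOTP) generated on the customer's device. The demo secret is the standard RFC 4226/6238 test secret, and each code is single-use so that a code overheard at the counter cannot be replayed for a second action.

```python
"""Step-up authorization for high-risk account actions using a customer-held TOTP.

Added example for illustration; action tiers, customer ids and the demo secret
are assumptions, not a description of any real bank's implementation.
"""
import hashlib
import hmac
import struct
import time
from typing import Dict, Optional, Tuple

# Assumed policy tiers. Unknown actions fail closed (treated as high risk).
ROUTINE_ACTIONS = {"view_balance", "update_mailing_address"}
STEP_UP_ACTIONS = {"open_account", "open_credit_card",
                   "enroll_online_banking", "transfer_full_balance"}


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP over the time-step counter containing Unix time `at`."""
    return hotp(secret, at // step, digits)


class StepUpGate:
    """Decides whether an employee-initiated action needs, and has, the customer's second factor.

    `enrolled` maps customer id -> TOTP secret. The secret lives on the customer's
    device and in the bank's authentication service, never with branch staff.
    """

    def __init__(self, enrolled: Dict[str, bytes], step: int = 30, drift_steps: int = 1):
        self.enrolled = enrolled
        self.step = step
        self.drift_steps = drift_steps      # tolerate +/- one 30-second step of clock skew
        self.last_counter: Dict[str, int] = {}  # highest accepted counter per customer

    def requires_customer_factor(self, action: str) -> bool:
        if action in ROUTINE_ACTIONS:
            return False
        return True  # STEP_UP_ACTIONS and anything unrecognised

    def verify_customer_code(self, customer_id: str, code: str, now: Optional[int] = None) -> bool:
        secret = self.enrolled.get(customer_id)
        if secret is None:
            return False  # not enrolled: an employee alone cannot approve this
        now = int(time.time()) if now is None else now
        current = now // self.step
        for counter in range(current - self.drift_steps, current + self.drift_steps + 1):
            if counter <= self.last_counter.get(customer_id, -1):
                continue  # already consumed: blocks replay of an overheard code
            if hmac.compare_digest(hotp(secret, counter).encode(), code.encode()):
                self.last_counter[customer_id] = counter
                return True
        return False

    def authorize(self, customer_id: str, action: str,
                  customer_code: Optional[str] = None, now: Optional[int] = None) -> Tuple[bool, str]:
        """Return (allowed, reason); the reason is intended for the audit log."""
        if not self.requires_customer_factor(action):
            return True, "routine action, employee authority sufficient"
        if customer_code is None:
            return False, "high-risk action requires the customer's one-time code"
        if self.verify_customer_code(customer_id, customer_code, now):
            return True, "customer approved with a fresh one-time code"
        return False, "one-time code invalid, expired or already used"


if __name__ == "__main__":
    # Constructed sample: one enrolled customer, RFC 6238 test secret, fixed clock.
    SECRET = b"12345678901234567890"
    gate = StepUpGate({"cust-1001": SECRET})
    now = 59
    print(gate.authorize("cust-1001", "view_balance", now=now))
    print(gate.authorize("cust-1001", "open_account", now=now))           # denied: no code
    code = totp(SECRET, now)                                              # read from customer's device
    print(gate.authorize("cust-1001", "open_account", code, now))         # allowed
    print(gate.authorize("cust-1001", "transfer_full_balance", code, now))  # denied: code reused
```

Two properties matter here. First, the employee never holds the customer's secret, so nothing the employee can create or reset on their own (a PIN, an email address) satisfies the gate. Second, the accepted counter is recorded, so the same code cannot approve a second high-risk action even if the employee heard or saw it.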

How can 2FA be implemented for the masses in a cost-effective manner?

2FA costs skyrocket when extra hardware such as hard tokens or biometric scanners is involved. In response to this challenge, the ubiquity of mobile devices positions them as a logical platform for delivering 2FA. But the recent draft guidance from the National Institute of Standards and Technology (NIST) deprecating SMS as an out-of-band authenticator (SP 800-63B) means that one-time codes sent by text message, the only option available on older non-smart phones, are no longer a preferred approach, which leaves out a significant portion of the population still using older technology. Additionally, the authentication method should be usable across multiple channels, whether banking online, on the phone or in person.

Perhaps the answer is in voice recognition. Speaking a user-generated phrase into a computer microphone (at the branch or online), or over the phone, is something most people are capable of, and it combines something you know (the passphrase) with something you are (the voice). Recording a customer's spoken phrase and matching it against future utterances to authorize account activity is the logical next step. Two caveats apply. A phrase spoken aloud at a branch is heard by the employee, so against an insider the knowledge factor carries little weight and the protection rests on the voice match itself, which must resist replay of a recording. And the stored recordings and voice templates become a high-value target in their own right, so access to them must itself be protected with strong authentication.

2FA is becoming more mainstream for businesses; however, businesses need to consider how 2FA should be implemented to maintain both external and internal control. According to a recent Ponemon Institute Research Report, “75 percent of respondents say a single-factor authentication approach, including username and password, can no longer effectively prevent unauthorized access to information resources.” It is a shame that protection is needed against external attackers and employees alike, but maintaining consumer trust is in the best interest of the financial industry.
