The latest phishing attacks have been successful because they are getting more sophisticated and targeted. For example, in a recent study, it was found that phishing attacks have increased by 50% in the last year alone. The rise of social media has made it easier for hackers to find out more about their targets and tailor their messages accordingly, which has led to an increase in the success rate of these attacks.
Phishing is the act of sending an email or text message that appears to be from a trusted source with the purpose of obtaining personal information such as passwords, credit card numbers, or other sensitive data. Using this information, thieves commit fraud and identity theft against their victims. Phishing attacks are on the rise, so companies need to be vigilant in protecting their customers from these threats. To do this, businesses have to prepare for the future while protecting themselves today. Particularly the financial services industry has been targeted due to its proximity to money and users’ sensitive information. Traditionally, two-factor or multi-factor authentication methods are used (2FA/MFA), however, these solutions come with significant caveats. The best solution to enhance the protection against these kinds of cyberattacks is to implement passwordless authentication like FIDO2.
The Financial Services Industry Remains A Key Target For Phishing
Financial services are one of the key targets of phishing attacks, since attackers claim access to information that literally pays off. The industry receives the highest volume of malicious phishing queries, 60% more than the next-closest industry (higher education). In general, more information is stolen in the financial services industry than in any other industry. Below is a chart illustrating results from a study made by CISCO on how phishing is the leading attack in financial services, accounting for 46 percent of malicious attacks followed by trojan viruses (31%) and ransomware (5%).
2FA Makes It Harder For Phishing, But It Is Not Bulletproof
Traditionally, the benefit of using 2FA/MFA against phishing attacks is that the attacker has usually little use of the stolen usernames and passwords. As the authentication prompts for a second or multiple factor directly from the user’s device, such as Push, PIN, or biometric, attackers are blocked from gaining further access.
2FA or MFA involves combining at least two factors to gain access to an account, complete a transaction, or take other actions involving sensitive information. The factors are described as something you know (knowledge factor), something you are (inherence factor), and something you have (possession factor).
|SOMETHING THE USER KNOWS like a username (knowledge)||SOMETHING THE USER IS like fingerprint or face recognition (inherence)||SOMETHING THE USER HAS like a mobile phone (possession)|
The first step of 2FA is typically entering the login name and password (knowledge factor). The second step usually involves the user receiving a code through their phone or an app on their phone, which they need to enter to login (possession factor). The second step can also be completed by providing a personal identification number (PIN) or answering questions only an authorized user would know.
From Then To Now: 2FA Adoption Has Recently Accelerated
Since the late 1980s, there have been 2FA and MFA solutions available. However, only recently have companies become more eager to adopt 2FA or MFA methods for authentication. The transition is a result of increasing regulations (read about PSD2 and SCA regulations here), but also because of the global transition to a digital world. This incentivizes phishing threats to be more common and costly. Additionally, services such as Microsoft, Google, Facebook, and Twitter, now offer 2FA or MFA solutions for their users, accelerating the trend towards adopting a more secure internet experience. Recognizing the importance of enhanced security and better user experience, these companies are encouraging the shift away from the conventional login name and password.
2FA/MFA Cannot Keep Up With The Threat Of Phishing Attacks
It is important to note that 2FA can no longer be guaranteed against phishing attacks. There are ways for hackers to get around the system and access an account. The first way is to bypass 2FA protection by guessing the password, or using a brute force attack (where using machine learning, all possible password combinations are tried until the right combination is found). The second way is more severe, by using social engineering. A hacker poses as a customer service representative and asks for the user’s 2FA code, or they call the bank and pretend to be the user asking for their online banking details. Read about how phishing attacks leverage human social factors in our article here.
Consequently, since a phishing attack is also a social engineering attack, 2FA/MFA does not address an important vulnerability in the authentication chain: the user. For example, by gaining access to both the username, password and a verification code, attackers can bypass 2FA/MFA. Or, if the victims are tricked to voluntarily provide information details, then no 2FA/MFA can stop the attackers.
The 2FA/MFA methods can be bypassed by attacks on both authentication factors:
- First authentication factor: Passwords/usernames - these can be stolen or lost.
- Second authentication factors: One-time emails, texts or tokens - these can also be intercepted or coerced from end-users. Device-based biometrics may increase security, but they do not prove a user’s identity, making them unviable for companies to meet regulation standards such as PSD2 and SCA - read how passwordless solutions can meet PSD2/SCA requirements here.
If We Want Bulletproof, Then We Need FIDO2
The FIDO Alliance is a global non-profit organization that has been working to make the internet more secure since 2012. The alliance was founded by Google, Microsoft, PayPal, Lenovo, and ARM Holdings. FIDO (Fast Identity Online) has been the answer for those who want to manage passwords with greater security and without the need for any password changes. It is a new acronym that represents a federation of standards that are designed to achieve key goals of higher security through eliminating passwords and phishing attacks while still keeping convenience at its core. The new standard for strong authentication replaces passwords with stronger hardware-based keys or biometrics such as fingerprints or facial recognition.
The latest standard includes the FIDO2 that is designed to provide a more secure authentication process than passwords alone can provide. The FIDO2 tokens can either be embedded directly on users’ phones or laptops, or used as an external hardware token such as a USB, Bluetooth, or NFC. As long as the user’s device is close to the token, it will authenticate. Since the attacker cannot touch the FIDO2 key, it is impossible for them to hack email or social media accounts, or make transactions for applications or services that implement FIDO2 security features. At the same time FIDO2 completely eliminates the need for remembering complicated passwords. Read more about the technical aspects of FIDO in our article here.
Why Choose FIDO2 Now To Fight Phishing And Prepare For Authentication In The Future
One of the most important ways security and risk managers can combat phishing, according to Gartner, is to shift investments to support broader use of FIDO2. Besides addressing fraud detection and authentication pain points, enterprises minimize the time to value for passwordless authentication. The reason is because Gartner predicts that FIDO2 methods will dominate in the midterm, and expect that more than 25% of companies will adopt FIDO2 in the next three years. By choosing FIDO2 as an option for authentication products now, companies can prepare for future compatibility.
The study confirms that FIDO2 has gained significant industry recognition. FIDO2 authentication enables companies and online services to provide users with strong authentication options by combining ease of use with a high level of security. Users can authenticate via the browser or an external authenticator, choosing from a wide array of devices used daily, including mobile phones and security keys. As a result, companies protect themselves and their users from password-related risks, such as phishing, man-in-the-middle attacks, and exploitation of stolen credentials.
How A Phishing Attack Is Stopped Under FIDO2
The FIDO2 authentication protocol helps prevent phishing attacks by using cryptography keys and challenges to verify the legitimacy of the server request (such as a request to login or to authenticate). Under FIDO2, the website or service has specific keys linked to this service (e.g. an e-banking website). To login or make a transaction, the user needs to prove their identity with a device or biometric authentication. The user then has their own private key, which they can use in combination with an account on any website that supports FIDO2. The private key is used for encrypting messages sent from the website and decrypting messages received from it.
If the private keys do not match the assigned service, the authentication fails and the user is not able to login or make a transaction. The method prevents a phishing attack because FIDO2 does not allow the user to authenticate on an illegitimate service or website. The graphic above shows how the FIDO2 private keys speak between the user and service. The attacker cannot touch or manipulate the FIDO2 keys, hence authentication is blocked.
When Fallbacks Weaken FIDO2
Although FIDO2 offers many advantages, it also has some disadvantages. It does not work well with fallback solutions like 2FA and SMS, for example. Fallback solutions are often used for users who do not have access to newer devices with FIDO2 support or if FIDO2 is blocked due to a lack of internet connection. If users are traveling and do not have an external FIDO2 device with them, they will not be able to log in. To compensate, companies implement 2FA as fallbacks that take us back to our initial problem with 2FA: these users remain vulnerable to phishing attacks.
The upside, however, is that FIDO2, although still not widely adopted, is growing. Companies can therefore get ahead of the game by investing in FIDO2 solutions and riding the adoption wave to ensure high security and convenience for their users. As acceptance increases, the shortcomings of FIDO2 will also be overcome.