Two-factor authentication (2FA) was developed decades ago as a solution to the eternally frustrating problem of verifying who you are to an automated online system—like online banking.
Logging on, or more precisely authentication, can be done in many different ways, with passwords the most familiar. But passwords can be stolen or guessed, and we humans are easily fooled into giving them away to scammers, so the two-factor approach is popular because it improves on this by requiring a second, different type of proof as part of the process. Two login steps are better than one.
Most of us are comfortable using SMS codes sent to our mobile phones, but there are many other examples around, such as synchronised key fobs, fingerprinting, USB tokens and even voice recognition. Proving who you are is made stronger by adding the second factor, but this has led many people to a false sense that it somehow means they ‘are secure’, only because we can’t imagine how a hacker could possibly access something we physically hold, like the banking fob device or our mobile phone.
In every cyber heist, the banking fob or the SMS text message carrying a one-time passcode was either bypassed or defeated.
There’s a lot more to security, and there’s even a lot more (technically speaking) to logging on than just double-checking that it’s really you. 2FA only addresses the initial authentication part of interacting with a website, which is just one part of a bigger security concern you need to be addressing.
The false sense of security created by 2FA is, of course, entirely understandable because it’s really hard for most of us to grasp the technical complexities of how a human using a computer actually logs on to a banking website and manages their money online. It is a multi-layered process with many technical elements to keep secure: the communications connection your computer makes with the banking website, the typing of your password on your keyboard, the encryption of information and its transmission through the internet to the host servers, the processing and response back to your computer, and even what you eventually see on your screen.
Hackers consider all of the steps in your security chain and are continually evolving new techniques. For example, 60 Minutes ran a story on a little electronic device that allows anyone to listen in to your mobile phone and receive your text messages. They used it on screen to hack Nick Xenophon’s phone live from Berlin. Hackers no longer need to impersonate their victim to obtain the SMS text from the bank. A newer technique called Man-in-the-Browser puts the hacker literally inside your browser while you’re banking, where they can change account details and amounts, and even control how these are echoed and displayed on screen.
2FA is certainly an improvement to the logon part of the security problem, but not a solution to security online. The most vulnerable point in any online system is you, your computer and your network. The bank at the other end of the internet can’t secure your part of that information exchange.
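The following is an added example, not code from the original article or from any product it mentions; it demonstrates in Python why a login-step one-time code does not protect the transaction that follows it. A standard HOTP code (RFC 4226) is verified by the bank exactly as intended, yet a simulated browser-resident tamperer has altered the amount and recipient in the same request, and nothing in the login code ties it to those fields. The second verifier binds a code to the transaction contents (a "what you see is what you sign" style check), so the same tampering is detected. The seed, account identifiers and amounts are constructed placeholders; the tampering routine simply overwrites two fields to stand in for the malware's effect and performs no real attack.

```python
import hashlib
import hmac
import struct

# Constructed demo seed shared by the bank and the user's token (placeholder, not a real secret).
DEMO_SEED = b"12345678901234567890"


def _dynamic_truncate(digest: bytes, digits: int) -> str:
    """RFC 4226 dynamic truncation: pick 31 bits from the digest and reduce to `digits` decimal digits."""
    offset = digest[-1] & 0x0F
    code = (
        (digest[offset] & 0x7F) << 24
        | digest[offset + 1] << 16
        | digest[offset + 2] << 8
        | digest[offset + 3]
    )
    return str(code % (10 ** digits)).zfill(digits)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP as in RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    return _dynamic_truncate(digest, digits)


def transaction_code(secret: bytes, amount_cents: int, recipient: str, digits: int = 8) -> str:
    """Code bound to the transaction itself: HMAC-SHA256 over a canonical (amount, recipient) string.

    This is the added example's own construction of a transaction-signing code; real banking
    tokens that display amount and recipient before producing a code work on the same principle.
    """
    canonical = f"{amount_cents}|{recipient}".encode()
    digest = hmac.new(secret, canonical, hashlib.sha256).digest()
    return _dynamic_truncate(digest, digits)


def bank_accepts_login_only(secret: bytes, counter: int, request: dict) -> bool:
    """Bank check that only validates the login OTP; the payload fields are trusted as submitted."""
    return hmac.compare_digest(hotp(secret, counter), request["otp"])


def bank_accepts_transaction_bound(secret: bytes, request: dict) -> bool:
    """Bank check that recomputes the code over the submitted amount and recipient."""
    expected = transaction_code(secret, request["amount_cents"], request["recipient"])
    return hmac.compare_digest(expected, request["tx_code"])


def simulate_browser_tampering(request: dict) -> dict:
    """Stand-in for a browser-resident tamperer: rewrites amount and recipient, leaves codes untouched.

    Constructed for the demonstration only; it models the effect the article describes, not a technique.
    """
    altered = dict(request)
    altered["amount_cents"] = 900_000          # constructed: a much larger payment
    altered["recipient"] = "ACC-PLACEHOLDER-B"  # constructed: a different destination account
    return altered


def run_scenario(counter: int = 7) -> dict:
    """Build the user's intended transfer, tamper with it, and report what each verifier decides."""
    intended = {
        "amount_cents": 10_000,                 # constructed: $100.00
        "recipient": "ACC-PLACEHOLDER-A",       # constructed account identifier
    }
    # The user's token produces both codes for the transfer they actually see on screen.
    intended["otp"] = hotp(DEMO_SEED, counter)
    intended["tx_code"] = transaction_code(DEMO_SEED, intended["amount_cents"], intended["recipient"])

    tampered = simulate_browser_tampering(intended)
    return {
        "login_only_accepts_intended": bank_accepts_login_only(DEMO_SEED, counter, intended),
        "login_only_accepts_tampered": bank_accepts_login_only(DEMO_SEED, counter, tampered),
        "tx_bound_accepts_intended": bank_accepts_transaction_bound(DEMO_SEED, intended),
        "tx_bound_accepts_tampered": bank_accepts_transaction_bound(DEMO_SEED, tampered),
    }


if __name__ == "__main__":
    for name, decision in run_scenario().items():
        print(f"{name}: {'ACCEPT' if decision else 'REJECT'}")
```

The login-only verifier accepts both the intended and the tampered transfer, because a valid OTP says nothing about the contents of the request it travels with; the transaction-bound verifier accepts only the transfer the user actually saw. Binding the second factor to the transaction details is the defensive counterpart to the article's point that 2FA secures the logon step and nothing after it.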
There are new technologies arriving now which promise a higher level of security. One of the most basic measures you can take yourself is to use a dedicated laptop for nothing other than banking. A commercial example of this is BankVaultOnline.com, which creates a pristine new computer with no history at each login. You continue to use your banking fob or SMS text as normal, but with this system hackers have no way to get your login details in the first place. It secures online banking and other critically important transactions.
2FA and dual-2FA have raised the bar against attackers, and they should definitely be used. But don’t make the mistake of thinking 2FA is impenetrable just because you can’t imagine how hackers defeat it. You can’t imagine how a magician saws a lady in half either, but once you know the trick it’s usually quite simple.