Alexander Pope wrote, “To err is human; to forgive, divine.” For cybersecurity professionals, forgiving (and compensating for) human error by incorporating additional backup measures is critical to preventing fraud.
The recent spate of man-in-the-middle attacks on customers of peer-to-peer (P2P) payment platforms is a case in point.
A man-in-the-middle attack occurs when “attackers interrupt an existing conversation or data transfer. After inserting themselves in the ‘middle’ of the transfer, the attackers pretend to be both legitimate participants. This enables an attacker to intercept information and data from either party while also sending malicious links or other information to both legitimate participants in a way that might not be detected until it is too late.” Man-in-the-middle attacks are especially disorienting because victims believe they are speaking to a legitimate business but are actually handing over the keys to their account to a fraudster.
In the P2P payments context, the victim receives an SMS from an unknown number, sent by a fraudster claiming to be from the fraud department of a well-known P2P company. The text message warns of a recent suspicious transaction. Worried and confused, the victim responds to the message and explains that they did not authorize the (fictitious) charge in question. The fraudster, taking advantage of the victim’s urgency, asks the victim to verify their username to “clear the charges.” Without thinking, the victim shares their username. After all, a username isn’t confidential. The fraudster then goes to the P2P website or app, enters the victim’s username, and requests a password reset. Moments later, the victim receives a one-time password (OTP) and dutifully sends it to the fraudster, ostensibly confirming their identity and clearing the charges. Unfortunately, it’s all a scam. In minutes, the fraudster has used the victim’s username and OTP to gain access to the account, reset the victim’s password, and steal their money.
For many cybersecurity professionals, it’s difficult to imagine how so many people can be fooled via social engineering into handing over an OTP to a stranger via SMS. The reality, however, is that many consumers are unfamiliar with and overwhelmed by the ever-increasing security measures placed on our digital lives, and, let’s face it, everybody makes mistakes.
To protect customers from social engineering and man-in-the-middle fraud, companies need to move beyond the first generation of OTPs and fortify their multi-factor authentication (MFA) flow.
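The reset flow above fails because a first-generation check accepts the OTP from whoever types it in, regardless of where the reset was started. The following is an added illustration, not Prove’s or any P2P platform’s code: it models one assumed backup measure, binding the OTP to the session that requested the reset, limiting guesses, and refusing to finish a reset started from a device the account has never used on an SMS code alone. All usernames, session and device identifiers are constructed.

```python
import hmac
import secrets
import time
from dataclasses import dataclass
@dataclass
class ResetRequest:
    code: str
    session_id: str          # session that asked for the reset
    known_device: bool       # did that session come from a device the account has used before?
    expires_at: float
    attempts: int = 0

class ResetService:
    """Constructed model of a password-reset OTP check; not any vendor's implementation."""
    def __init__(self, known_devices, ttl=300, max_attempts=3):
        self.known_devices = known_devices      # {username: {device_id, ...}}
        self.pending = {}
        self.ttl = ttl
        self.max_attempts = max_attempts

    def request_reset(self, username, session_id, device_id):
        code = f"{secrets.randbelow(10**6):06d}"
        known = device_id in self.known_devices.get(username, set())
        self.pending[username] = ResetRequest(code, session_id, known, time.time() + self.ttl)
        return code  # sent by SMS to the account holder; returned here only so the demo can use it

    def verify_first_gen(self, username, code):
        # First-generation check: whoever holds username + OTP completes the reset.
        req = self.pending.get(username)
        return req is not None and hmac.compare_digest(req.code, code)

    def verify_fortified(self, username, code, session_id):
        req = self.pending.get(username)
        if req is None or time.time() > req.expires_at:
            return "denied"
        req.attempts += 1
        if req.attempts > self.max_attempts:
            del self.pending[username]  # too many guesses: invalidate the code
            return "denied"
        if not (hmac.compare_digest(req.code, code) and hmac.compare_digest(req.session_id, session_id)):
            return "denied"
        del self.pending[username]  # one-time use
        return "allowed" if req.known_device else "step_up_required"

def scenario():
    svc = ResetService(known_devices={"victim": {"victims-phone"}})
    # Fraudster starts the reset from their own device and talks the victim into relaying the SMS code.
    code = svc.request_reset("victim", "fraudster-session", "fraudster-laptop")
    return svc.verify_first_gen("victim", code), svc.verify_fortified("victim", code, "fraudster-session")
```

In the scenario the first-generation check returns True, while the fortified check returns "step_up_required": the relayed code is valid, but because the reset was started from an unrecognised device it cannot complete without a further check that the fraudster cannot talk the victim through over SMS.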
Here are four steps you can take today to fortify your company’s multi-factor authentication flow:
Although it would be ideal if human error could be removed from the security equation, the truth is that consumers will continue to fall prey to social engineering, including man-in-the-middle schemes, if companies do not step up to provide additional layers of security. Fortunately, companies today have access to the technology they need to protect their business and their consumers.
If you’re interested in preventing man-in-the-middle attacks and other forms of fraud while accelerating onboarding and boosting revenue, contact us using the form below.