This white paper highlights the challenges of traditional authentication methods, especially the vulnerabilities of passwords to phishing attacks. Phishing has become a major security threat in the U.S., reported as the number one fraud crime in 2022, and has prompted a requirement for all U.S. Federal agencies to implement phishing-resistant multi-factor authentication (MFA) by 2024.
While common MFA approaches (e.g., one-time passcodes) may thwart some phishing attacks, fraudsters use schemes to bypass MFA and gain access to user accounts. The white paper discusses various phishing-based MFA bypass schemes, such as social engineering, one-time-password (OTP) relay, and the use of bots and phishing kits, that payments industry stakeholders have experienced. Generative artificial intelligence (AI) is further altering the payments fraud landscape, providing new tools for fraud perpetrators.
Payments industry stakeholders are advised to implement countermeasures that can detect fraud, including monitoring user activity and educating customers. In addition, businesses are encouraged to implement some type of MFA in the short term – even if only OTP or push-based notifications – while developing a longer-term strategy. Mitigation tactics for financial institutions and merchants include monitoring customer activity, complying with the Payment Card Industry Data Security Standard (PCI DSS), educating customers so that they remain vigilant against phishing, and using machine learning to identify suspicious actor behavior.
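As an added illustration of the distinction the paper draws between OTP-based and phishing-resistant MFA (this is example code, not from the white paper; the origins, shared secret and HMAC construction are constructed stand-ins for a real authenticator and server): an OTP is accepted by the genuine server no matter which site the user typed it into, so it survives a relay, whereas a response that commits to the origin the browser actually displays is rejected when it was produced on a look-alike site.

```python
import hashlib
import hmac
import secrets

GENUINE_ORIGIN = "https://bank.example"            # constructed
PHISH_ORIGIN = "https://bank-example.verify.test"  # constructed look-alike
SHARED_SECRET = b"constructed-demo-secret"         # toy stand-in for a registered key


class Authenticator:
    """The user's device or app. A shared HMAC key stands in for a key pair."""

    def __init__(self, secret: bytes) -> None:
        self.secret = secret

    def otp(self, challenge: bytes) -> str:
        # OTP-style factor: the code depends only on the secret and the challenge,
        # so it carries no information about where the user is entering it.
        return hmac.new(self.secret, challenge, hashlib.sha256).hexdigest()[:6]

    def origin_bound(self, challenge: bytes, origin_seen_by_browser: str) -> str:
        # Phishing-resistant style: the response commits to the origin the browser
        # actually shows, which is the origin the user was tricked into visiting.
        msg = origin_seen_by_browser.encode() + b"|" + challenge
        return hmac.new(self.secret, msg, hashlib.sha256).hexdigest()


class Server:
    """The genuine service. It only ever verifies against its own origin."""

    def __init__(self, origin: str, secret: bytes) -> None:
        self.origin = origin
        self.authenticator = Authenticator(secret)

    def new_challenge(self) -> bytes:
        return secrets.token_bytes(16)

    def verify_otp(self, challenge: bytes, code: str) -> bool:
        return hmac.compare_digest(self.authenticator.otp(challenge), code)

    def verify_origin_bound(self, challenge: bytes, response: str) -> bool:
        expected = self.authenticator.origin_bound(challenge, self.origin)
        return hmac.compare_digest(expected, response)


def relay(user: Authenticator, server: Server, origin_user_sees: str, origin_bound: bool) -> bool:
    """Model one login: the server's challenge reaches the user on the page at
    origin_user_sees (the look-alike site in the relay case) and the user's
    answer is forwarded unchanged to the genuine server. True means login succeeded."""
    challenge = server.new_challenge()
    if origin_bound:
        return server.verify_origin_bound(challenge, user.origin_bound(challenge, origin_user_sees))
    return server.verify_otp(challenge, user.otp(challenge))


USER = Authenticator(SHARED_SECRET)
SERVER = Server(GENUINE_ORIGIN, SHARED_SECRET)
```

Running `relay(USER, SERVER, PHISH_ORIGIN, origin_bound=False)` returns True (the relayed OTP is accepted), while the same call with `origin_bound=True` returns False because the server's check is against GENUINE_ORIGIN.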