Multi-Factor Authentication (MFA) scams are on the rise. In a new scam, cyber criminals obtain your login credentials, send you an MFA request, and then contact you to ask for the code. Once they have access to your MFA, they are able to update the settings to gain access to your account and any data that may be in it.
WHAT IS MULTI-FACTOR AUTHENTICATION?
Multi-Factor Authentication (MFA) is a multi-step process that ensures that your accounts are safe. MFA verifies that you are the only person who can access your account, even if someone has your password. It requires the user to provide two or more verification methods to gain access: rather than just asking for a username and password, MFA requires one or more additional verifications. With MFA, the likelihood of a successful cyber-attack or fraud decreases.
For example, if you log into PHFCUOnline or our mobile apps using a device that we do not recognize, our system will ask you to take additional steps. In addition to entering your password, we will also ask you to enter a security code that you can choose to receive via email or text message. Once you have authenticated, you will only need to authenticate again if you erase the device’s history, use a different browser, or change your password.
HOW DOES MULTI-FACTOR AUTHENTICATION WORK?
Multi-Factor Authentication is a system to verify that someone is who they say they are. Typically, there are three methods.
Something you…
- know (username, password, security questions, one-time password, or a code)
- have (codes sent to you via text or email, calls to your mobile device, software certificates)
- are (facial recognition, fingerprint, voice recognition, iris scanning, or some other biometric verification).
If only two factors are present, it’s called two-factor authentication (2FA). For example, when you use your debit card at an ATM, you need to provide something you have (the debit card) and something you know (your PIN). Often, MFA is used interchangeably with two-factor authentication. 2FA is basically a subset of MFA.
MFA can also involve location scanning. If you are in Hawaii and there is a log-in attempt or your cards are used from another country or state, you could be the victim of a hacking attempt.
Have you ever been asked to enter your zip code when you buy gas? That would be an example of an older type of MFA.
WHAT THE CRIMINAL NEEDS & MFA SCAMS
Given the number of data breaches that have occurred, chances are your username and password are in the wrong hands. This is why using the same password for multiple sites is a very bad idea.
Once a fraudster has your username and password, they just need to learn your authentication code to gain access to your account.
HOW DO CRIMINALS GET YOUR MULTI-FACTOR AUTHENTICATION?
There are several methods a criminal may try to obtain your code. The most common ways include:
- They send you phishing text messages stating your account may be compromised. Accordingly, they request that you text-reply the authorization code you are about to receive to confirm your identity.
- You receive a call from someone stating that they are from the “Fraud Department” and they mention that fraud has been detected on your account. As a result, they want to confirm that they are speaking to the right person. The person then states that they will send you an authentication code. Next, they request that you provide that code to them. The perpetrator then uses that code to log into your account. From there, they transfer your funds out of your account.
- You receive a letter or email, stating that your account has been compromised and that you need to visit a site to confirm your login information. You click on the link and enter your username, password, and your phone number associated with the account. They now have your login details. The fraudster will go to the real site and enter your information, which sends an authorization code to you. Soon, you receive a call, text, or email stating that it’s the financial institution or organization. They will mention that they have noticed that you are having issues logging in and need you to verify your information. The fraudster will then ask for the authorization code that you just received.
If you fall for this phishing attempt and provide the authentication code back to the bad guys, they immediately enter that code, finalize the login for that target website, and immediately change your information. Unfortunately, you are now locked out of your account and they have access to your money.
HOW TO PROTECT YOURSELF
- NEVER share your authorization code.
- If you are receiving authorization codes to your mobile device, your account associated with that site may have had the password compromised. Change the password for that account by directly logging into that website (type the website address directly in your web browser’s address bar). If you cannot log in, contact the financial institution or company immediately.
- Don’t be afraid to ask your IT department for assistance, or a friend who is knowledgeable about computer security for guidance.
- DO NOT provide any personal financial information to the caller or in an email.
- You SHOULD verify the legitimacy of potential service providers before supplying personal financial information or entering a business transaction.
- If you suspect that your personal information has been compromised, contact your financial institution and local law enforcement officials.
- To file a complaint about a suspected fraudulent email, contact the Federal Bureau of Investigation’s Internet Crime Complaint Center at www.ic3.gov.
BEST PRACTICES FOR KEEPING YOUR ACCOUNTS SAFE ONLINE
One of the keys to multifactor authentication is having accurate contact information for you on file so you can authenticate your login. If we don’t have your correct phone number or email, you may not be able to log in to online or mobile banking.
In addition to the protections Pearl Hawaii has in place, we encourage you to use these best practices to help keep your accounts safe online:
- Change your passwords frequently
- Monitor your accounts regularly
- Authorize account alerts
- Keep your apps and devices up-to-date with the most recent system updates
- Run anti-virus software
- Turn on your firewall
- Avoid unsecured wireless access points
- Avoid clicking on links in unsolicited emails
Pearl Hawaii will never contact you asking you for your passwords, Social Security numbers, PINs, credit or debit card numbers, your verification code, or other confidential information. If anyone asks for this information, it is probably a scam.
PASSWORDS & SECURING YOUR DEVICE
- Create a strong password for your mobile device that is easy to remember, but hard to guess. Strong passwords include uppercase, lowercase, symbols, and numbers.
- Do not use common words, names, birthdays, or any personal information in your password.
- Use your device’s auto-lock feature. It is recommended that you set your auto-lock to take effect 5 minutes from the last activity.
- Do not share your device with others. Since you cannot create multiple user accounts on your mobile device like you can when logging into a computer, it is best not to share your device with anyone.
- Never disclose your passwords or write them down.
- Use unique passwords for all of your online accounts so one breach doesn’t turn into many.
- Review your accounts frequently. Online account access and alerts can help you spot fraudulent transactions quickly.
USEFUL LINKS
- To learn more about identity theft fraud safety, visit ID Theft Center.
- If you think you’ve been a victim of identity theft, contact the Federal Trade Commission (FTC) at 877-IDTHEFT (438-4338) or visit the Federal Trade Commission’s site to learn more.
- If you believe your Social Security Number is being used fraudulently, contact the Social Security Administration at (800) 772-1213.
- It’s a good idea to get a copy of your credit report each year from each credit-reporting agency. You can get a free credit report yearly from the Annual Credit Report website at annualcreditreport.com or by calling 1-877-322-8228 where you will go through a simple verification process over the phone. It is important that you obtain and review a copy of your credit report once a year to make sure your information is accurate.
- For financial literacy, check out Upgrade | our blog or our financial education page.
RESOURCES
- Internet Crime Complaint Center
- Federal Trade Commission
- 10 Things You Can Do to Avoid Fraud
- FTC: Privacy, Identity & Online Security
- Internal Revenue Service (IRS): Scams Targeting Taxpayers
- Tips for Safe Gift Card Use: Retail Gift Card Association
- ftc.gov
- identitytheft.gov
- Consumer Financial Protection Bureau
- The Department of Justice