Multi-Factor Authentication (MFA) scams are on the rise. In a new scam, cyber criminals obtain your login credentials and will send you an MFA request. They will contact you for the code. Once they have access to your MFA, they are able to update the settings to gain access to your account and any data that may be in there.
WHAT IS MULTI-FACTOR AUTHENTICATION?
Multi-Factor Authentication (MFA) is a multi-step process that ensures that your accounts are safe. Also, MFA verifies that you are the only person that can access your account even if someone has your password. Additionally, Multi-factor Authentication is a method that requires the user to provide two or more verification methods to gain access. Rather than just asking for a username and password, MFA requires one or more additional verification. With MFA, the likelihood of a successful cyber-attack or fraud decreases.
For example, if you log into PHFCUOnline or our mobile apps using a device that we do not recognize, our system will ask for you to take additional steps. In addition to entering your password, we will also ask you to enter a security code that you can choose to receive via email or text message. Once authenticating your account, you will only need to authenticate your account if you erase the device’s history, use a different browser, or change your password.
HOW DOES MULTI-FACTOR AUTHENTICATION WORK?
Multi-Factor Authentication is a system to verify that someone is who they say they are. Typically, there are three methods.
Something you…
know (username, password, security questions, one-time password, or a code)
have (Codes sent to you via text or email, Calls to your mobile device, Software certificates)
you are (facial recognition, fingerprint, voice recognition, iris scanning, or some other biometric verification).
If only two factors are present, it’s called two-factor authentication (2FA). For example, you enter your debit card at an ATM. You need to enter something you have (the debit card) and something you know (your PIN). Often, MFA is used interchangeably with two-factor authentication. 2FA is basically a subset of MFA.
MFA can also involve location scanning. If you are in Hawaii and there is a log-in attempt or your cards are used from another country or state, you could be the victim of a hacking attempt.
Have you ever been asked to enter your zip code when you buy gas? That would be an example of an older type of MFA.
WHAT THE CRIMINAL NEEDS & MFA SCAMS
With the several data breaches that have occurred, chances are your username and password are in the wrong hands. This is why using the same password for multiple sites is a very bad idea.
With your username and password in the fraudster’s hands, they just need to learn your authentication code to gain access to your account.
HOW DO CRIMINALS GET YOUR MULTI-FACTOR AUTHENTICATION?
There are several methods a criminal may try to obtain your code. The most common ways include:
They send you phishing text messages stating your account may be compromised. Accordingly, they request that you text-reply the authorization code you are about to receive to confirm your identity.
You receive a call from someone stating that they are from the “Fraud Department” and they mention that fraud has been detected on your account. As a result, they want to confirm that they are speaking to the right person. The person then states that they will send you an authentication code. Next, they request that you provide that code to them. The perpetrator then uses that code to log into your account. From there, they transfer your funds out of your account.
You receive a letter or email, stating that your account has been compromised and that you need to visit a site to confirm your login information. You click on the link and enter your username, password, and your phone number associated with the account. They now have your login details. The fraudster will go to the real site and enter your information, which sends an authorization code to you. Soon, you receive a call, text, or email stating that it’s the financial institution or organization. They will mention that they have noticed that you are having issues logging in and need you to verify your information. The fraudster will then ask for the authorization code that you just received.
If you fall for this phishing attempt and provide the authentication code back to the bad guys, they immediately enter that code, finalize the login for that target website, and immediately change your information. Unfortunately, you are now locked out of your account and they have access to your money.
HOW TO PROTECT YOURSELF
NEVERshare your authorization code.
If you are receiving authorization codes to your mobile device, your account associated with that site may have had the password compromised. Change the password for that account by directly logging into that website (type the website address directly in your web browser’s address bar). If you cannot log in, contact the financial institution or company immediately.
Don’t be afraid to ask your IT department for assistance or that computer security-savvy friend you know for guidance.
DO NOT provide any personal financial information to the caller or in an email.
You SHOULD verify the legitimacy of potential service providers before supplying personal financial information or entering a business transaction.
If you suspect that your personal information has been compromised, contact your financial institution and local law enforcement officials.
To file a complaint about a suspected fraudulent email, contact the Federal Bureau of Investigation’s Internet Crime Complaint Center at www.ic3.gov.
BEST PRACTICES FOR KEEPING YOUR ACCOUNTS SAFE ONLINE
One of the keys to multifactor authentication is having accurate contact information for you on file so you can authenticate your login. If we don’t have your correct phone number or email, you may not be able to log in to online or mobile banking.
In addition to the protections Pearl Hawaii has in place, we encourage you to use these best practices to help keep your accounts safe online:
Change your passwords frequently
Monitor your accounts regularly
Authorize account alerts
Keep your apps and devices up-to-date with the most recent system updates
Run anti-virus software
Turn on your firewall
Avoid unsecured wireless access points
Avoid clicking on links in unsolicited emails
Pearl Hawaii will never contact you asking you for your passwords, Social Security numbers, PINs, credit or debit card numbers, your verification code, or other confidential information. If anyone asks for this information, it is probably a scam.
PASSWORDS & SECURING YOUR DEVICE
Create a strong password for your mobile device that is easy to remember, but hard to guess. Strong passwords include uppercase, lowercase, symbols, and numbers.
Do not use common words, names, birthdays, or any personal information in your password.
Use your device’s auto-lock feature. It is recommended that you set your auto-lock to take effect 5 minutes from the last activity.
Do not share your device with others. Since you cannot create multiple user accounts on your mobile device like you can when logging into a computer, it is best not to share your device with anyone.
Never disclose your passwords or write them down.
Use unique passwords for all of your online accounts so one breach doesn’t turn into many.
Review your accounts frequently. Online account access and alerts can help you spot fraudulent transactions quickly.
USEFUL LINKS
To learn more about identity theft fraud safety, visit ID Theft Center.
If you think you’ve been a victim of identity theft, contact the Federal Trade Commission (FTC) at 877-IDTHEFT (438-4338) or visit the Federal Trade Commission’s site to learn more.
If you believe your Social Security Number is being used fraudulently contact the Social Security Administration at (800) 772-1213.
It’s a good idea to get a copy of your credit report each year from each credit-reporting agency. You can get a free credit report yearly from the Annual Credit Report website at annualcreditreport.comor by calling 1-877-322-8228 where you will go through a simple verification process over the phone. It is important that you obtain and review a copy of your credit report once a year to make sure your information is accurate.
In consectetuer turpis ut velit. Aenean ut eros et nisl sagittis vestibulum. Aenean posuere, tortor sed cursus feugiat, nunc augue blandit nunc, eu sollicitudin urna dolor sagittis lacus. Quisque id mi. Phasellus viverra nulla ut metus varius laoreet.
Integer tincidunt. Nullam nulla eros, ultricies sit amet, nonummy id, imperdiet feugiat, pede. Quisque ut nisi. Vestibulum ante ipsum primis in faucibus orci luctus et ultrices posuere cubilia Curae; In ac dui quis mi consectetuer lacinia. Vivamus quis mi.
Test Modal 2
Sed a libero. Nullam nulla eros, ultricies sit amet, nonummy id, imperdiet feugiat, pede. Pellentesque habitant morbi tristique senectus et netus et malesuada fames ac turpis egestas. Phasellus blandit leo ut odio. Nullam nulla eros, ultricies sit amet, nonummy id, imperdiet feugiat, pede.
Ut varius tincidunt libero. Cras ultricies mi eu turpis hendrerit fringilla. Morbi ac felis. Vestibulum facilisis, purus nec pulvinar iaculis, ligula mi congue nunc, vitae euismod ligula urna in dolor. Donec mollis hendrerit risus.
Members with an existing PHFCUOnline username are experiencing problems with logging into the new home banking site. We are currently working quickly to resolve this issue. The work around is to click on the Forgotten Password link and to follow the onscreen instructions.
· Send it in the mail: PEARL HAWAII FEDERAL CREDIT UNION, Attn: Human Resources Dept., 94-449 Ukee Street, Waipahu, HI 96797
SYSTEM MAINTENANCE (SAT, 12/2, 3 PM – 8 PM HST)
. Online Banking, MTS, and Debit/ATM cards will be affected during this time.
Leaving Our Website
By accessing this link, you will be leaving the Credit Union’s web site and entering a web site hosted by another party.
Although the Credit Union has approved this as a reliable partner site, please be advised that you will no longer be subject to, or under the protection of, the privacy and security policies of the Credit Union’s web site. The other party is solely responsible for the content of its web site.
We encourage you to read and evaluate the privacy and security policies on the site you are entering, which may be different than those of the Credit Union.
