Does Your Credit Union Use Text-Based Two Factor Authentication?

One of the most important tools that credit unions have to manage identity is two-factor authentication (2FA). Most credit unions and financial institutions have something like 2FA in place. But not all 2FA solutions are created equal.

How can you be sure that your 2FA setup is secure? How will you proof it against sophisticated exploits and future attacks?

 

Why Two Factor Authentication?

Most people have terrible passwords. I’ll admit, when I first got my work laptop, I kept the 12345 placeholder password for longer than anybody should. And if that puts you on edge—and it should—then you’ll keel over when you learn that most passwords are just as predictable.

It’s a terrible situation for IT and security types who just want us all to be on our best behavior. It has called for ever-increasing password strengths that must be reset every six months. All that makes it hard for any of us to remember what we just changed it to—and makes it hard for institutions to trust us when we say it’s us.

Because… couldn’t it be anybody?

2FA came about to add a second layer of protection to passwords. It ensures that the person entering the password is who they say they are—by way of email, SMS, or app authentication.

 

Two-Factor Authentication Vulnerabilities

There is no hack-proof system. There are no computer systems without exploits, weaknesses, or vulnerabilities. There’s such thing as extremely secure, but there’s no such thing as impenetrable.

Here are a few things to look out for:

  1. Although 2FA was created initially to combat phishing, there are ways past the extra layer of security. For example, fraudsters may set up a fake website, send a login email, and use the user-supplied information to log into the actual site.
  2. Social engineering. This is any situation in which someone convinces a user to hand over their credentials. You’d be surprised at how convincing these attacks can be.
  3. SMS spoofing. If you’ve received a spam call that looks like it was from a nearby area code, then you’re probably familiar with spoofed phone numbers. As you have probably guessed, number spoofing can threaten SMS-based 2FA.

There are a handful of other ways to bypass 2FA as well, although I won’t enumerate them there. The above examples merely illustrate the fallibility of any security measure.

However, to mitigate further risk, your credit union has two options…

 

How to Strengthen Two-Factor Authentication Security

It’s worth reiterating now that if you already have 2FA in place, then you’re probably doing pretty well, security-wise. You might want to think about improving your posture now to secure your members against whatever 2020 and 2021 cook up next. If you don’t have it in place, you should absolutely start with one of the solutions below.

There are two ways to increase your 2FA security. Each has its own merits.

  1. Get an assessment of your current 2FA technology by an independent third party. Not all 2FA solutions are created equal. Getting yours reviewed by a third party can help you identify the best option for you and your members—and may also save you money!
  2. Explore blockchain technology. If you want to future-proof your security and ensure that your 2FA system is technologically unhackable, then something like MemberPass™ might be right for you.

Of course, if you have no 2FA set up already, you absolutely must get on that now. Personally, I couldn’t imagine joining any financial institution that doesn’t offer 2FA. Not only will it protect your members, but it will also ensure your continued security.

 

Additional Reading

As always, we encourage you to subscribe to our blog. We spend time on it because we think we can provide interesting new angles on (what feel like) old problems.

But if you want to learn more about security and SaaS assessments, our friends at Hypershift know more than we do. And if you want to see how blockchain technology can transform the entire member experience, the folks at CULedger are doing fantastic security-minded work there.