Understanding Multi-Factor Authentication

 

Multi-factor authentication (MFA) is an effective way to strengthen protection against unauthorized access to your accounts. Merck Employees FCU encourages all members to utilize MFA whenever it is available.

So, what is multi-factor authentication? By definition, it is an authentication system that requires more than one distinct authentication factor for successful authentication. In banking, a familiar example is logging in to online banking. To log in, you need the correct username and password, plus either the correct answer to a security question or verification via a code sent to your phone by text or voice call. This is just one example, but it is one of the more common ones.

[Figure: two-factor vs. multi-factor authentication]

Still, MFA is not foolproof. Remember, for these criminals, no amount of work is too hard to get these precious details, which could result in a big payout for them. Cybersecurity Ventures expects global cybercrime to grow by 15% per year over the next five years, reaching $10.5 trillion USD annually by 2025. According to the firm, this growth represents the greatest transfer of economic wealth in history, risks the incentives for innovation and investment, is exponentially larger than the damage inflicted from natural disasters in a year, and will be more profitable than the global trade of all major illegal drugs combined. [i]

Here are some ways your details could be obtained that you should be aware of in order to protect yourself:

  • Phishing attacks: Cybercriminals generate emails that direct users to fake login pages that look like legitimate login pages and trick users into entering their credentials. The attacker can then use these credentials to gain access to the user’s account. These messages have also been known to come via text message. Some cyber companies estimate that Americans lost $40 billion in 2022 to phishing scams alone[ii] and that 90% of all attacks begin with phishing[iii].
  • Social engineering: Attackers can use social engineering techniques to trick users into revealing their MFA codes. For example, an attacker may pose as a legitimate support agent and request the user’s MFA code under the pretense of troubleshooting an issue.
  • SIM swapping: Some attackers have been successful in contacting a victim’s mobile carrier and convincing them to transfer the victim’s phone number to their SIM card. Once the attacker has control of the victim’s phone number, they can use it to bypass the MFA on the victim’s accounts that rely on SMS codes or voice calls to that phone number.
  • Man-in-the-middle attacks: Attackers can intercept the communication between the user and the authentication server and redirect the user to a fake login page. The attacker can then use the user's credentials to gain access to the user's account.
  • Brute-force attacks: Attackers can use automated tools to generate many possible codes until they find the correct one. This technique can be effective against weak MFA codes if the attacker has access to a user's device.

Mitigations:

  1. Educate yourself. Read articles and stay up to date on new methods of attack. Be alert and be sure to question anything that seems suspicious. The worst-case scenario is that you slow down the process for a legitimate transaction; the best case is that you stop fraud.
  2. Use strong MFA methods: Use time-based one-time passwords (TOTP) or hardware tokens instead of relying on SMS codes or emails. While this isn’t yet available at Merck Employees FCU, we are working on making this possible in the future.
  3. Monitor for suspicious activity: Monitor your accounts for suspicious activity. Many providers even have audit logs of past logins and what information was updated or changed on past visits. Some include dates and even IP address information.
  4. Keep software and devices up to date: Install the latest security patches and updates. We often get complaints from members about having to update their devices. If you are using a device that is no longer supported, there is a reason for it. Make sure to only use supported devices purchased from reputable sources.

The credit union is always available to answer any questions you may have related to your online safety and security. If we are unable to answer the question, we will track down an expert or point you in the right direction to get the information.