We shouldn’t be that surprised. A couple of weeks ago, Crypto.com, one of the fastest-growing cryptocurrency platforms, was hacked on January 17, 2022. One area mentioned by the company as an issue was a gap in its multi-factor authentication (MFA) system.
A statement issued by Crypto.com on January 20th said, “transactions were being approved without the 2FA authentication control being inputted by the user,” and the company allowed the transactions to go through without the users providing the one-time password. The company did not specify whether hackers intercepted one-time passwords, whether Crypto.com’s system allowed transactions to go through without the passwords, or whether something else occurred.
While the situation isn’t a good look for Crypto.com, they did many things right in responding to the attack. As soon as its risk management system discovered the attack, it suspended withdrawals across the platform, reimbursed customers who were affected, and “revamped and migrated to a completely new 2FA infrastructure,” according to the company statement. The company also announced new conditions on which it would insure accounts in the future.
The pandemic has accelerated digital finance, and many firms have accelerated their digital transformation plans. However, as the Crypto.com experience highlights, the increasing pressure to bring products and services to market faster also requires a redoubled effort to ensure that protecting customers and the organization from criminal activity is part of the plan. Firms that implement security solutions that customers understand and appreciate will improve the overall customer experience as well as reduce operational risk.
The Crypto.com hack exposes shortcomings of multi-factor authentication. Information security is complex, never ending, and daunting. Purely reactive security deployments can lead to a false sense of security or a complete sense of hopelessness. Strong two-factor authentication is certainly better than no authentication from a security perspective, but on its own it is usually not sufficient to prevent attacks. As with most security strategies, defeating MFA evasion requires a multilayered approach: no single tool or control is enough, and several layers of security are typically required.
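The statement quoted above says transactions settled without the 2FA control being inputted, but does not say why. The following is an added, constructed example (not Crypto.com's system and not Perficient's code) that contrasts one generic way such a gap arises, a withdrawal path that trusts a client-asserted "MFA passed" flag, with a path where the server itself verifies a fresh RFC 6238 time-based one-time code before any funds move. The secret, the fixed clock value and the account balance are made-up fixtures; the `WithdrawalService`, `withdraw`, `withdraw_trusting_client` and `demo` names are hypothetical.

```python
import hmac
import hashlib
import struct
from typing import Optional

# Constructed demo of server-side second-factor enforcement on withdrawals.
# Not Crypto.com's or Perficient's code; the secret, balance and clock
# values below are made-up fixtures.

STEP_SECONDS = 30  # RFC 6238 default time step
DEMO_SECRET = b"constructed-demo-secret-not-real"  # constructed fixture


def totp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the big-endian step counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"


class WithdrawalService:
    """Holds user balances and decides whether a withdrawal may settle."""

    def __init__(self, clock):
        self.clock = clock   # injectable time source (seconds since epoch)
        self.users = {}      # user_id -> {"secret", "balance", "last_step"}
        self.ledger = []     # settled withdrawals, kept for audit

    def enroll(self, user_id: str, secret: bytes, balance: int) -> None:
        self.users[user_id] = {"secret": secret, "balance": balance, "last_step": -1}

    def _settle(self, user_id: str, amount: int) -> str:
        user = self.users[user_id]
        if amount <= 0 or amount > user["balance"]:
            return "denied: insufficient funds"
        user["balance"] -= amount
        self.ledger.append((user_id, amount))
        return "approved"

    def withdraw_trusting_client(self, user_id: str, amount: int, request: dict) -> str:
        """The gap pattern: the server never verifies a code itself; it only
        checks a flag the client sends claiming the second factor was done.
        Any request that sets the flag settles without a one-time password."""
        if not request.get("mfa_passed"):
            return "denied: second factor required"
        return self._settle(user_id, amount)

    def withdraw(self, user_id: str, amount: int, otp: Optional[str]) -> str:
        """Hardened path: settlement is only reachable after the server has
        verified a fresh one-time code bound to this user's enrolled secret."""
        user = self.users.get(user_id)
        if user is None or otp is None or not (otp.isascii() and otp.isdigit()):
            return "denied: second factor required"
        current = int(self.clock()) // STEP_SECONDS
        # Accept the current step and the previous one to tolerate clock skew,
        # but never a step that has already been consumed (replay protection).
        for step in (current, current - 1):
            if step <= user["last_step"]:
                continue
            if hmac.compare_digest(totp(user["secret"], step), otp):
                user["last_step"] = step
                return self._settle(user_id, amount)
        return "denied: invalid or reused one-time code"


def demo() -> dict:
    """Runs both paths against the same constructed account and returns the outcomes."""
    now = 1_000_000  # constructed fixed clock
    svc = WithdrawalService(clock=lambda: now)
    svc.enroll("alice", DEMO_SECRET, balance=500)
    code = totp(DEMO_SECRET, now // STEP_SECONDS)  # what the authenticator app would show
    return {
        "no_code": svc.withdraw("alice", 100, None),
        "wrong_code": svc.withdraw("alice", 100, "000000"),
        "good_code": svc.withdraw("alice", 100, code),
        "replayed_code": svc.withdraw("alice", 100, code),
        # The flawed path settles on nothing more than a client-asserted flag.
        "client_flag_only": svc.withdraw_trusting_client("alice", 100, {"mfa_passed": True}),
        "balance": svc.users["alice"]["balance"],
    }


if __name__ == "__main__":
    for outcome, value in demo().items():
        print(f"{outcome}: {value}")
```

The point to check in a real deployment is that the only code path able to debit an account passes through the server-side verification, and that the verification state (which step was last consumed, for which user) lives on the server, never in a request field or a client-held token. Logging every denial reason separately, as the hardened path does, also gives detection teams a signal: a spike in settlements with no matching verification event is exactly the anomaly a risk system would want to alert on.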
Our experience indicates that leading financial organizations provide customers with the ability to select their preferred method(s) of MFA. Customers that can choose their own method of MFA will typically do so based on their personal level of risk aversion, along with their comfort with and understanding of various technologies. These can include one-time passcodes, push notifications, inherence/biometrics, knowledge-based answers, and a security key, allowing each customer to select a preferred security method that meets or exceeds their needs. Doing so improves the customer experience, creates trust between the customer and company, increases revenue, and reduces the risk to a company’s reputation.
However, implementing an end-to-end MFA program is challenging. It requires all the stages of a full program lifecycle, including extensive research, planning, designing, development, marketing, and then measuring success.
If you are interested in learning about the different types of MFA methods available and how Perficient can support your MFA initiatives, download our perspective, Unpacking Multi-Factor Authentication and Its Key Benefits in Financial Services.