In the battle to prevent identity thieves from being able to access online the bank accounts of their victims, many banks in Austria, Japan, Sweden and Switzerland have gone beyond the simple password to the more secure (supposedly) two-factor identification. With two-factor identification, in order to access their accounts bank customers must enter a second one-time password that has been emailed or texted to the customer. The thought was that by requiring this second password, identity thieves who may have hacked the customer’s password still would not be able to access the customer’s account because the identity thief would not have the required second password sent by the bank to the customer’s smartphone. However, now it has been uncovered by computer security company Trend Micro that identity thieves have found a way to defeat two-factor identification. As with so many identity thefts, this one starts when the customer unwittingly clicks on a link in a phishing email or downloads an attachment in a phishing email that appears to be from a legitimate source. Unfortunately, when the victim clicks on the link or downloads the attachment, he or she is actually downloading malware that sends the victim to a phony bank website when the customer attempts to do online banking. Once at the phony website, the victim is prompted to enter their account details, passwords and personal identification number. They are then prompted to download a mobile application found in Google’s Android store that is represented to provide enhanced security, but in actuality permits the identity thief to intercept the second password that banks would send to the customer. Armed with all of this data, the identity thief is able to gain full access to the victim’s bank account and empty it.
Although two-factor identification is an improvement over the present password system used by many financial institutions in the United States and other parts of the world, it is still vulnerable. Business and government must come up with better authentication protocols. Meanwhile as with so many of these complex identity theft schemes, this one requires the victim to download the necessary malware that makes the identity theft possible. The solution is a simple one. As I have warned you many times. Never click on a link in an email or download an attachment in an email unless you are absolutely sure that it is legitimate and the only way to do this is to independently call or email the real company or person purportedly sending the email at an address or telephone number that you know is accurate. For even greater security, you may wish to have a separate computer for financial transactions where you do no emails and click on no links and download no attachments.