Fraudsters Find Way To Use Multi-Factor Authentication Against Itself

ATLANTA - You've raced to meet the financial regulators' deadline to implement multi-factor authentication, so now you're safe, right? Not necessarily.

Fraudsters have managed to find a way to make the guidance issued by the Federal Financial Institutions Examination Council (FFIEC) work in their favor, according to one security provider.

SecureWorks, a managed security provider, has taken down several phishing schemes that found a way to use the dual authentication signup process to lure banking and credit union customers to bogus phishing websites.

"The phishers are scamming their victims by directing them to sign up for their bank or credit union's new dual authentication solution intended to help protect their online banking activities from fraud," SecureWorks revealed. "The phishing scam directs the institution's customers, via an e-mail, to enter their account number and PIN so that they can register for their new 'dual authentication code and phrase.' The e-mail lets them know that a dual authentication code and phrase is now required to do their online banking, as directed by the FFIEC."

The deadline for financial institutions to go to a multi-factor authentication system is Dec. 31.

"We thought this latest phishing scam was extremely clever and quite ironic considering the phishers used the dual authentication guidance, which was developed to protect online banking from fraud, to try and scam their victims," said Erik Petersen, VP of Professional Services for SecureWorks and director of SecureWorks' phishing takedown services. "The phishers behind these attacks used a combination of phishing and hacking to launch their attack."

(c) 2006 The Credit Union Journal and SourceMedia, Inc. All Rights Reserved. http://www.cujournal.com http://www.sourcemedia.com
