Multi-Factor Authentication Provides an Extra Layer of Cyber Authorization

Employing multi-factor authentication on important online accounts can drastically improve security and decrease the likelihood of account takeover or misdirected payment fraud.

What is Multi-Factor Authentication?

Multi-factor authentication consists of using more than one process to verify that the end-user is authorized to perform the action they are trying to perform on a device. For example, many online banking applications require a user name and password. As a second step, the user must answer a preselected question or enter a code sent via text or phone into the system.

Securing an account and ensuring that only authorized payments are made using multi-factor authentication is an easy process, and will greatly improve security against the types of incidents that cause the most frequent cyber claims.

Setting up two-step verification first requires that the system administrator has enabled the organization to do so. Once the administrator has enabled two-step verification, your account can be set up.

Employ Multi-factor Authentication for Payments

Setting up multi-factor authentication for making payments may require adjustments over time to meet changing organizational requirements. Using multi-factor authentication to make payments is easier because it consists of establishing and employing an additional step or two for employees tasked with making payments. Rather than a technical solution, the new steps are established by policy.

Examples of multi-factor authentication for making payments

One way to avoid misdirected payment fraud is to verify requests by vendors to change the point-of-contact, mailing address or their direct deposit/wiring instructions.

Verification should involve multiple contacts with the vendor seeking to change the information and should not take place using the method the vendor used to make the request.

For instance, if the change request was made by email, contact the point-of-contact on the account by phone and/or snail mail to confirm the request, because the email could have come from an eCriminal.

Similarly, if the change request comes by phone, confirm it by calling the point-of-contact at the number listed on their account information and/or confirm by snail mail. Note that some companies, even when they have employed multiple levels of identity verification, have still been deceived by sophisticated bad actors. However, the stronger your defenses, the less likely you are to become a victim of misdirected payment fraud.

An additional way to avoid misdirected payment fraud is to verify all payment and purchase requests above an established level with the person or department requesting payment.

Most successful misdirected payment fraud schemes rely on the fact that employees will do just about anything a senior employee or manager asks them to do. So, when an employee receives an email that looks like it came from their manager directing them to purchase $1,000 worth of gift cards online and providing instructions for delivery, the employee often follows through without questioning.

However, if employees are informed that, before they make a payment or purchase above a certain level, they are required to confirm by phone or face-to-face with the unit or person making the request, fraudulent or misdirected payments and purchases can be reduced dramatically.

Although the cyber risk landscape frequently changes, account takeovers and misdirected payment frauds are the most frequent and severe cyber claims seen so far this year. Setting up multi-factor authentication on important online accounts, and on issuing payments, is a great way to protect against account hijacking and misdirected payment fraud.


© 2019 The Hartford Steam Boiler Inspection and Insurance Company. All rights reserved. This article is for informational purposes only and is not intended to convey or constitute legal advice. HSB makes no warranties or representations as to the accuracy or completeness of the content herein. Under no circumstances shall HSB or any party involved in creating or delivering this article be liable to you for any loss or damage that results from the use of the information contained herein. Except as otherwise expressly permitted by HSB in writing, no portion of this article may be reproduced, copied, or distributed in any way. This article does not modify or invalidate any of the provisions, exclusions, terms or conditions of the applicable policy and endorsements. For specific terms and conditions, please refer to the applicable endorsement form.

Monique Ferraro

Monique is counsel in Munich Re’s US Cyber Practice at HSB. Previously, she was principal at a digital forensics, e-discovery and information security consulting firm and owner of a law firm. Ms. Ferraro is a Certified Information Systems Security Professional.

