Blasé Capital 2fa FROM fraud

Beginning yesterday, the central bank introduced several measures to counter online fraud and curb illegal payments. The most prominent of them is two-factor authentication (2FA), now mandatory for digital payments, which, according to media reports, will “fundamentally change how users pay via UPI, cards, and mobile wallets.” Paying will become tougher and more complex, even as it becomes safer and more secure. Over the past few years, the central bank has repeatedly expressed concern over the rising number of online frauds such as phishing and SIM-swap scams. It concluded that the single-step OTP (one-time password) regime was fraught with risk, and that users were being taken for a ride by fraudsters operating from faraway small towns, and even villages. The scams were highlighted, and became publicly known, through several OTT series in the recent past. The public was scared, and afraid to transact online.
Every digital payment will be verified at least twice, using what is being called two independent factors. The OTP will remain the main, and probably the first, factor, but it will be followed by a second verification such as a PIN, password, biometric, or secure token. Payments will therefore take longer, and consumers will need to input both steps correctly, but it will make life safer for users. According to a media report, this will lead to a risk-based system: transactions from trusted devices, or routine small payments, “may remain quick and seamless,” while high-risk transactions, large payments, or payments from new devices “may trigger additional verification steps.” Accountability norms for banks are being tightened to place more responsibility on them, so that the payment platforms themselves become safer and more secure. The onus thus shifts to both users and banks, rather than to users alone.
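To make the risk-based scheme concrete, here is an added example of a step-up policy of the kind the report describes. It is illustrative code written for this page, not the central bank’s rules or any bank’s implementation; the amount thresholds, the signal names and the factor labels are assumptions. It goes slightly beyond the text by treating a trusted, enrolled device as the implicit second (possession) factor, which is how a payment can still be “verified twice” and yet stay quick for the user.

```python
from dataclasses import dataclass, field

# Hypothetical thresholds for illustration; the rules quoted in the article
# do not fix any amounts.
SMALL_AMOUNT_INR = 2_000
LARGE_AMOUNT_INR = 50_000


@dataclass
class Payment:
    amount_inr: int
    device_id: str
    payee_id: str


@dataclass
class Account:
    trusted_devices: set = field(default_factory=set)
    known_payees: set = field(default_factory=set)
    recent_failures: int = 0


def risk_signals(p: Payment, acct: Account) -> list:
    """Collect the signals the text names (new device, large payment) plus
    two common extras (unknown payee, repeated failures)."""
    signals = []
    if p.device_id not in acct.trusted_devices:
        signals.append("new_device")
    if p.amount_inr >= LARGE_AMOUNT_INR:
        signals.append("large_amount")
    if p.payee_id not in acct.known_payees:
        signals.append("new_payee")
    if acct.recent_failures >= 3:
        signals.append("repeated_failures")
    return signals


def required_factors(p: Payment, acct: Account) -> list:
    """Every payment needs two independent factors. On a trusted device the
    device binding itself is the second (possession) factor, so a routine
    small payment stays OTP-only from the user's point of view. Anything
    risky steps up to an explicit PIN; the highest-risk cases add a third,
    on-device factor (biometric or app-bound token)."""
    signals = risk_signals(p, acct)
    factors = ["otp"]
    if not signals and p.amount_inr <= SMALL_AMOUNT_INR:
        factors.append("trusted_device")
        return factors
    factors.append("pin")
    if "new_device" in signals or "large_amount" in signals:
        factors.append("device_token")
    return factors


def authorize(p: Payment, acct: Account, presented) -> tuple:
    """Return (allowed, required, missing). 'presented' lists the factors the
    user explicitly supplied; device trust is established server-side."""
    presented = set(presented)
    if p.device_id in acct.trusted_devices:
        presented.add("trusted_device")  # verified from the device binding, not typed
    required = required_factors(p, acct)
    missing = [f for f in required if f not in presented]
    return (not missing, required, missing)


if __name__ == "__main__":
    # constructed sample account and payments
    acct = Account(trusted_devices={"phone-1"}, known_payees={"grocer"})
    routine = Payment(500, "phone-1", "grocer")
    risky = Payment(80_000, "laptop-9", "unknown-merchant")
    print(authorize(routine, acct, {"otp"}))
    print(authorize(risky, acct, {"otp", "pin"}))
```

The point of the split between `required_factors` and `authorize` is that the policy (what is needed) is decided from the transaction and account context before the user’s input is looked at, so a fraudster cannot talk the bank down to fewer factors by choosing how to present the payment.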
However, there are a few tricky areas. In most cases, online frauds, including phishing, work because users implicitly trust the criminals; in other instances, they are simply fooled. According to experts, in phishing, “attackers deceive people into revealing sensitive information, or installing malware such as viruses, worms, adware, or ransomware. Phishing attacks have become increasingly sophisticated, and often transparently mirror the site being targeted, allowing the attacker to observe everything while the victim navigates the site, and traverses any additional security boundaries with the victim.” Clearly, whether it is a one-step OTP or a 2FA process, the fraudsters can either goad users into revealing the information, or observe everything online. “Modern phishing campaigns increasingly target multi-factor authentication (MFA) systems, not just passwords. Attackers use spoofed login pages, and real-time relay tools to capture both credentials and one-time passcodes,” explains information on a public-domain website.
In some instances, phishing kits are deliberately designed to bypass 2FA by “immediately forwarding stolen credentials to the attacker’s server.” A 2024 blog post, now two years old, describes the unprecedented rise of “adversary-in-the-middle” phishing attacks, which intercept session tokens and allow the attackers to impersonate their victims. “Phishing techniques and vectors include email spam, vishing (voice phishing), targeted phishing (spear phishing, whaling), smishing (SMS), quishing (QR code), and cross-site scripting.” This clearly establishes that phishing techniques are way ahead of the central bank’s 2FA, and that India is way behind the criminals. This is invariably the case: legislators, regulators, and law-enforcers are inevitably two steps, or two factors, behind the fraudsters. In a sense, the regulator’s 2FA can easily be side-stepped, or jumped over, by the criminals’ 3FA-4FA system. The hands of the law may be long, but the minds of outlaws are large.
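The adversary-in-the-middle relay described above, as an added, self-contained simulation written for this page (it is not code from the blog post or the website the text quotes). The bank, the victim and the phishing page are all constructed stand-ins; the account, the OTP scheme and the origins are assumptions. It shows why forwarding password and OTP in real time yields a valid session token, and goes one step beyond the text by showing that a “secure token” bound to an enrolled device and to the real site’s origin cannot be relayed the same way.

```python
import hashlib
import hmac
import secrets

BANK_ORIGIN = "https://bank.example"           # the real site (constructed)
PHISH_ORIGIN = "https://bank-example.verify"   # attacker's look-alike (constructed)


class Bank:
    """Minimal bank login: password + OTP, then a bearer session token.
    Also offers a device-bound login whose signature covers the origin."""

    def __init__(self):
        # constructed test account; keys are not real secrets
        self.users = {"alice": {"password": "correct-horse",
                                "otp_key": b"sms-otp-secret",
                                "device_key": b"enrolled-phone-key"}}
        self.sessions = {}
        self.challenges = {}

    def send_otp(self, user):
        # stand-in for the SMS OTP: 6 digits derived from a time window
        mac = hmac.new(self.users[user]["otp_key"], b"window-42", hashlib.sha256).digest()
        return f"{int.from_bytes(mac[:4], 'big') % 1_000_000:06d}"

    def login(self, user, password, otp):
        u = self.users.get(user)
        if u is None or not hmac.compare_digest(password, u["password"]):
            return None
        if not hmac.compare_digest(otp, self.send_otp(user)):
            return None
        token = secrets.token_hex(16)
        self.sessions[token] = user
        return token  # bearer token: whoever holds it is "alice"

    def challenge(self, user):
        c = secrets.token_hex(8)
        self.challenges[user] = c
        return c

    def login_device_bound(self, user, signature):
        """The enrolled device must sign (challenge, BANK_ORIGIN); a signature
        made over any other origin is rejected."""
        u = self.users[user]
        msg = f"{self.challenges[user]}|{BANK_ORIGIN}".encode()
        expected = hmac.new(u["device_key"], msg, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(signature, expected):
            return None
        token = secrets.token_hex(16)
        self.sessions[token] = user
        return token


class Victim:
    """Types password and OTP into whatever page is in front of them; the
    enrolled device, by contrast, only signs for the origin it is talking to."""

    def __init__(self, bank, user, password, device_key):
        self.bank, self.user, self.password, self.device_key = bank, user, password, device_key

    def submit_credentials(self, page_origin):
        # The page's origin is ignored on purpose: that is the human failure mode.
        otp = self.bank.send_otp(self.user)  # OTP arrives by SMS whatever page asked
        return self.user, self.password, otp

    def sign_challenge(self, challenge, page_origin):
        msg = f"{challenge}|{page_origin}".encode()
        return hmac.new(self.device_key, msg, hashlib.sha256).hexdigest()


def relay_attack_otp(bank, victim):
    """Adversary-in-the-middle: the phishing page relays credentials and OTP
    to the real bank in real time and keeps the resulting session token."""
    user, password, otp = victim.submit_credentials(PHISH_ORIGIN)
    return bank.login(user, password, otp)  # attacker now holds a valid token


def relay_attack_device_bound(bank, victim):
    """The same relay against the origin-bound factor fails."""
    challenge = bank.challenge(victim.user)               # attacker fetches the real challenge
    sig = victim.sign_challenge(challenge, PHISH_ORIGIN)  # device signs for the phish origin
    return bank.login_device_bound(victim.user, sig)      # bank verifies against BANK_ORIGIN


if __name__ == "__main__":
    bank = Bank()
    alice = Victim(bank, "alice", "correct-horse", b"enrolled-phone-key")
    print("OTP relay token:", relay_attack_otp(bank, alice))
    print("device-bound relay token:", relay_attack_device_bound(bank, alice))
```

Nothing in `relay_attack_otp` needs to break the OTP: it is used once, within its validity window, by the attacker rather than the user, which is exactly the “real-time relay” the quoted website describes. The device-bound path resists it only because the origin is part of what is signed; an origin-blind token (a code the user reads off a device and types in) would relay just as easily as the OTP.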
Social engineering is an integral part of phishing and online fraud. It tricks users into performing actions such as clicking a link, opening an attachment, or revealing sensitive information. The criminals pretend to be trusted entities, or create a sense of urgency. The former may, for example, imitate a well-known bank or payment app; the latter may shock users with a warning that their electricity, water, or other utility will be cut off within 24 hours. “An alternative technique to impersonation-based phishing is the use of fake news articles to trick victims into clicking on a malicious link. These links often lead to fake websites that appear legitimate, but are run by attackers who may try to install malware,” explains a website. Thus, 2FA, or more complexity, will not solve the problem, because online fraud involves not just objective authentication but subjective factors (emotions and sentiments). The central bank plays a limited role there.
A few years ago, a teenage hacker and his accomplices set up a fake website that resembled the login page of the internal VPN that Twitter (now X) used for employees working remotely. Posing as the help desk, they urged employees to submit their credentials. Using these, the hackers seized control of high-profile accounts, including those of a former president, a future president, the corporate account of a renowned tech firm, and the future owner of X. From those accounts they approached other users and, openly (though fraudulently), promised to double any bitcoin sent to them. They collected more than a dozen bitcoins, worth more than $1,00,000 at the time. Imagine if similar techniques were used in India. 2FA would become F-minus.