Everything You Need To Know About Credit Card Two Factor Authentication
Earlier this year, the Bangko Sentral ng Pilipinas (BSP) issued BSP Circular 958, which requires banks and credit card companies to employ better security measures to prevent banking fraud. According to a report by BusinessWorld, the circular aims to tighten security against “card-not-present” schemes where hackers use online tools to steal money.
With online transactions becoming more common nowadays, criminals are turning away from conventional modes of stealing like ATM skimming and fraud. The internet has become their brand-new tool. This is where the new security measures come in and one of them is what is called multi-factor authentication.
The Philippines may be quick to adapt to new technology, but we often blindly follow the latest trends without reading the fine print. To protect your online transactions, especially your online credit card use, learn more about multi-factor authentication and why you should pay more attention to its use.
More layers of security to peel
Two-factor authentication (2FA) has been around for a while, with Google being one of the companies that first brought the measure to mainstream consciousness in 2011. Companies, especially those in the financial sector, have seen how effective it is in mitigating fraud and more and more of them are adopting 2FA to verify user identity.
How does it work? 2FA allows the users to verify their identity through another means aside from the standard password/PIN entry. This form of security clearance will use what you know (your ATM PIN or credit card CVV, which is the three-digit number on the back of your physical card) and what you have (in most instances, your smartphone). Think of 2FA as putting two locks on your door and you won’t be able to open them without two different keys.
Confused? Well, let’s just say the usual security protocol for digital transactions is the use of a password. Since databases can be broken and passwords can be copied, it’s important to give the user an added security token that only they can have. So, if hackers have breached your bank’s password storage and gotten your password, they will still find it difficult to access your account or use your credit card as they will not be given the one-time code that only you’ll receive when you make a transaction. Obviously, you won’t authenticate any transaction using your card that you haven’t done, right?
In most cases, upon making a transaction, you will get an SMS containing a one-time PIN or a message through your banking app, asking you to give the transaction a green light. The sale will not proceed if the system doesn’t receive these 2FA keys. This will make it near impossible for hackers to access your account unless they’ve stolen your smartphone too, which is the most common tool used in multi-factor authentication. In addition, most of them make use of one-time passkeys that are only valid for a specific transaction.
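The per-transaction one-time PIN described above, sketched as an added example (not code from this article or from any bank). The class name, the five-minute expiry and the three-guess limit are assumptions chosen for illustration.

```python
import hmac
import secrets
import time

OTP_TTL_SECONDS = 300   # assumed validity window
MAX_ATTEMPTS = 3        # assumed guess limit per transaction


class TransactionOtp:
    """Issues and checks one-time PINs, each tied to one pending transaction."""

    def __init__(self):
        self._pending = {}  # txn_id -> [code, expires_at, attempts_left]

    def issue(self, txn_id, now=None):
        now = time.time() if now is None else now
        code = f"{secrets.randbelow(1_000_000):06d}"  # CSPRNG, not random.random()
        self._pending[txn_id] = [code, now + OTP_TTL_SECONDS, MAX_ATTEMPTS]
        return code  # a real issuer would send this by SMS or banking app

    def verify(self, txn_id, submitted, now=None):
        now = time.time() if now is None else now
        entry = self._pending.get(txn_id)
        if entry is None:
            return False                      # no challenge for this transaction
        code, expires_at, _ = entry
        if now > expires_at:
            del self._pending[txn_id]         # expired codes are discarded
            return False
        if hmac.compare_digest(code, submitted):
            del self._pending[txn_id]         # single use: a replay finds nothing
            return True
        entry[2] -= 1
        if entry[2] <= 0:
            del self._pending[txn_id]         # too many wrong guesses
        return False


if __name__ == "__main__":
    bank = TransactionOtp()
    pin = bank.issue("TXN-1001")              # constructed transaction id
    print(bank.verify("TXN-2002", pin))       # False: code belongs to another sale
    print(bank.verify("TXN-1001", pin))       # True: cardholder approves this sale
    print(bank.verify("TXN-1001", pin))       # False: code already used
```
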
Of course, 2FA isn’t airtight, especially since almost all extra verification steps require a separate gadget. In 2015, YugaTech reported a flaw in 2FA. Some of the risk factors include SIM cloning, physical theft of the smartphone, and SIM swap scams. In addition, robbers who take your ATM or credit cards, as well as your smartphone, can easily complete 2FA with your smartphone in their hands and access your account with ease.
Proactive protection
While risks still exist, multi-factor authentication is still your best line of defense against online fraud. It’s better than leaving your accounts exposed to hackers without an additional layer of security. If you want to go beyond 2FA to protect your credit cards and other online transactions, here are some of the things you can do:
Check if the website you’re using is verified. You don’t need Mr. Robot skills to do this. To know if the website you’re using is secure and verified, look for the lock logo beside the address bar and see if the certificate is issued to the entity you’re dealing with. In addition, secure websites use the HTTPS protocol instead of plain HTTP, which means intruders won’t be able to tap into your connection to the website you’re visiting.
Scrub your login credentials from your computer. Whether you’re working on your own device or using an office computer, it’s important to keep sensitive information away from prying eyes. You can use the “clear browsing data” function on your browser to delete website history, stored login credentials, cookies, and other pieces of information that can be used to gain access to your bank account.
Keep an eye on phishing emails. Some criminals spoof messages from banks to trick users into keying in their sensitive information such as credit card number and CVV on a website that looks exactly like a bank’s online portal. To know if the sender is legit, keep an eye out for tiny details such as terrible grammar, dubious top-level domains, and other out-of-place elements. We covered this in depth in one of our previous articles.
The shredder is your friend. No, we’re not talking about Shredder from Teenage Mutant Ninja Turtles. Sensitive documents like bank statements, old credit cards, application forms, and other papers should go to the shredder before you throw them away. If you don’t have a shredder, safely burn your documents and cut magnetic stripe cards.
Avail of your bank’s proprietary tokens. Some banks like Citi and HSBC allow their customers to avail of proprietary security tokens that generate one-time passwords whenever they need to authenticate a transaction. Even if you lose your smartphone, you can still complete a 2FA process.