Last updated at Mon, 30 Oct 2023 20:56:17 GMT

If you work within a European financial institution, you’re probably anticipating the new Secure Customer Authentication (SCA) standard with both dread and excitement. On the one hand, it’s another regulation to understand and comply with; on the other, it promises a level of payment security that will better protect your business and its merchants.

Of course, any new security regulation also attracts the attention of fraudsters and cybercriminals. They view these regulations as a challenge, not a threat, and are quick to seek out workarounds that they often have in place well before the regulation goes into effect. With that in mind, it’s safe to assume that the fraudsters are able to bypass SCA.

Not fraud-proof

Earlier this year, we partnered with Riskified to understand how well-versed fraudsters are with PSD2 and the SCA security measures required by the new regulation. By exploring the dark web, we quickly learned that threat actors have been busy developing new attack vectors to bypass SCA.

Fraudsters use a mix of technological know-how and social engineering to circumvent the additional protections of two-factor authentication (2FA), which is at the core of SCA. Financial institutions, third parties, and e-commerce merchants alike should be aware of the authentication weak spots that are being exploited, so they can better protect themselves.

The 3 primary ways that threat actors bypass 2FA are:

Malicious accessibility: Exploiting either known or zero-day software or firmware vulnerabilities; or a more sophisticated fraud MO of using malware to compromise authentication systems.

Social engineering: The practice of sending seemingly official business emails/SMS (phishing/smishing) to steal sensitive personal information from legitimate customers.

SIM swapping: Intercepting one-time-passwords (OTP) sent via text message by tying the cardholder’s mobile device to a new SIM card controlled by the fraudster.

Validating the authentication mechanism

Now more than ever, it’s imperative that all parties involved in a transaction that is protected under the new SCA standard (i.e., the bank, the service providers, and the customers), understand how to measure security risk associated with the transaction, especially with the additional vectors that cybercriminals will use to take advantage and exploit the process. This responsibility may be the most onerous for the third-party service providers who will be responsible to not only ensure that the transfer of customer data is secure and authenticated properly, but also to take additional measures to prove that they have not been compromised or impersonated.

Regardless, all parties should take advantage of the intelligence and security solutions that can help them move to become more proactive in measuring both their security posture and also how aligned they are with the controls in the new standard.

Read "Protecting Critical Infrastructure: The 2021 Energy, Utilities, and Industrials Cyber Threat Landscape Report" for a deep dive into the dark web to learn how PSD2 impacts fraudulent activity and fraud prevention.


Get the latest stories, expertise, and news about security today.