The security blogger Brian Krebs wrote in late December about how his PayPal account was hacked by cybercriminals linked to ISIS, through PayPal's "lazy authentication." An attacker called PayPal’s customer service call center and managed to impersonate Krebs and reset his password by providing the last four digits of his Social Security number and the last four numbers of an old credit card account. PayPal had given Krebs a key fob that generates security passcodes for two-factor authentication, but did not require the passcode for a password reset.
PayPal said in a statement that its standard procedures were not followed in this case. "While the funds remained secure, we are sorry that this unacceptable situation arose and we are reviewing the matter in order to prevent it from happening again," the company wrote.
The story illustrates one of the many places where the balance between convenience and security is delicate.
"The way to solve that problem is to take a very harsh stance — for instance, 'if we've issued you a multifactor token and you lose it, we can't help you get access to your account,'" said Dominic Venturo, chief innovation officer at U.S. Bank. "That wouldn't go over well in the banking industry. So as a result, you've got to balance that carefully."
Consumers are starting to be aware of and demand two-factor authentication, and bank regulators are starting to demand it too (especially in New York). Challenge questions (such as your first pet's name) are no longer enough to provide that second factor, because the answers are too easy to find on the Internet. In 2016, we’ll see more banks adopt mobile authentication, sending a passcode to the user’s smartphone via text message or email.
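The reset gap in the Krebs incident above (a key fob issued but not demanded at password reset) and the one-time passcode second factor banks are moving to, as an added Python example that is not code from PayPal, the article or any bank: a reset authorizer that verifies the fob's RFC 6238 code and refuses a knowledge-only reset whenever a token is enrolled. The `Account` class, the evidence dictionary and the secret (the RFC 4226 test key) are constructed for the demo.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import Optional

# Knowledge checks (last-4 SSN, old card digits, challenge questions) are guessable or
# findable online; a code from the enrolled token proves possession of the second factor.
KNOWLEDGE_CHECKS = {"ssn_last4", "card_last4", "challenge_question"}

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"

def totp(secret: bytes, now: int, step: int = 30) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time (what a fob or app shows)."""
    return hotp(secret, now // step)

def totp_valid(secret: bytes, code: str, now: int, step: int = 30, window: int = 1) -> bool:
    """Accept the current step or one step either side (clock drift); constant-time compare."""
    return any(hmac.compare_digest(totp(secret, now + d * step, step), code)
               for d in range(-window, window + 1))

@dataclass
class Account:
    mfa_secret: Optional[bytes]  # None when the customer never enrolled a second factor

def lazy_reset_allowed(account: Account, evidence: dict) -> bool:
    """The weak policy from the article: knowledge checks alone reset the password."""
    return any(evidence.get(k) is True for k in KNOWLEDGE_CHECKS)

def strict_reset_allowed(account: Account, evidence: dict, now: int) -> tuple:
    """Corrected policy: an enrolled second factor is always required for a reset and
    knowledge checks alone never authorize one. Returns (allowed, reason)."""
    if not lazy_reset_allowed(account, evidence):
        return False, "identity checks failed"
    if account.mfa_secret is None:
        # No token to demand: still refuse a knowledge-only reset and route the customer
        # to an out-of-band passcode (text/email) step instead.
        return False, "escalate to out-of-band passcode"
    code = evidence.get("totp_code")
    if not isinstance(code, str) or not totp_valid(account.mfa_secret, code, now):
        return False, "valid second-factor code required"
    return True, "reset authorized"
```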
http://www.americanbanker.com/news/bank-technology/are-you-ready-for-the-cybersecurity-challenges-of-2016-1078663-1.html