Account takeover fraud involves cybercriminals using stolen credentials to access online accounts, with financial institutions often targeted due to their monetary value. Despite growing adoption, the effectiveness of cybersecurity measures like two-factor authentication (2FA) remains underexplored. This study evaluates 2FA as a target hardening strategy within the situational crime prevention (SCP) framework. Using a natural experimental design, we analyzed cyber threat intelligence from illicit markets between March 2021 and February 2022, during which three major Canadian banks implemented 2FA, two optionally and one mandatorily. Bayesian time series analysis revealed that mandatory 2FA significantly reduced the number of compromised bank accounts, whereas optional 2FA did not. These findings inform crime prevention policy and contribute to theoretical developments in cybercrime research.
AbdullahA. K. (2004, October8). Protecting your good name: Identity theft and its prevention [Conference session]. 1st Annual Conference on Information Security Curriculum Development, Kennesaw, Georgia (pp. 102–106).
2.
AcemyanC. Z.KortumP.XiongJ.WallachD. S. (2018). 2FA might be secure, but it’s not usable: A summative usability assessment of Google’s two-factor authentication (2FA) methods. Proceedings of the Human Factors and Ergonomics Society Annual Meeting, 62(1), 1141–1145.
3.
AhmadA.HadgkissJ.RuighaverA. B. (2012). Incident response teams–Challenges in supporting the organisational security function. Computers & Security, 31(5), 643–652.
4.
BansalG.MuzatkoS.ShinS. I. (2021). Information system security policy noncompliance: The role of situation-specific ethical orientation. Information Technology & People, 34(1), 250–296.
5.
BauerS.BernroiderE. W. (2017). From information security awareness to reasoned compliant action: Analyzing information security policy compliance in a large banking organization. ACM SIGMIS Database: The DATABASE for Advances in Information Systems, 48(3), 44–68.
6.
BazzellM. (2023). OSINT Techniques: Resources for Uncovering Online Information (10th ed.). Inteltechniques. com
7.
BeebeN. L.RaoV. S. (2005, December). Using situational crime prevention theory to explain the effectiveness of information systems security [Conference session]. 2005 SoftWars Conference, Las Vegas, NV (pp. 1–18).
8.
BossS. R.GallettaD. F.LowryP. B.MoodyG. D.PolakP. (2015). What do systems users have to fear? Using fear appeals to engender threats and fear that motivate protective security behaviors. MIS Quarterly, 39(4), 837–864.
9.
BossS. R.KirschL. J.AngermeierI.ShinglerR. A.BossR. W. (2009). If someone is watching, I’ll do what I’m asked: Mandatoriness, control, and information security. European Journal of Information Systems, 18, 151–164.
10.
BulgurcuB.CavusogluH.BenbasatI. (2010). Information security policy compliance: An empirical study of rationality-based beliefs and information security awareness. MIS Quarterly, 34, 523–548.
11.
BuxtonJ.BinghamT. (2015). The rise and challenge of dark net drug markets. Policy Brief, 7(2), 1–24.
12.
CavusogluH.MishraB.RaghunathanS. (2005). The value of intrusion detection systems in information technology security architecture. Information Systems Research, 16(1), 28–46.
13.
ClarkeR. V. (1983). Situational crime prevention: Its theoretical basis and practical scope. Crime and justice, 4, 225-256.
14.
ClarkeR. V. (1995). Situational crime prevention. Crime and justice, 19, 91-150.
15.
CornishD. B.ClarkeR. V. (2003). Opportunities, precipitators and criminal decisions: A reply to Wortley’s critique of situational crime prevention. Crime prevention studies, 16, 41-96.
16.
DasS.WangB.TingleZ.CampL. J. (2019). Evaluating user perception of multi-factor authentication: A systematic review. arXiv preprint arXiv:1908.05901.
17.
De CristofaroE.DuH.FreudigerJ.NorcieG. (2013). A comparative usability study of two-factor authentication. arXiv preprint arXiv:1309.5344.
18.
FisherT.PieriZ.HowellC. J.O’MalleyR.TremblayL.DawoudM. (2025). Vendor communication themes in darknet Ransomware-as-a-Service (RaaS) advertisements. Computers in Human Behavior, 165, Article 108571.
19.
GrassiP. A.FentonJ. L.GarciaM. E. (2017). Digital identity guidelines [including updates as of 12-01-2017]. NIST.
20.
GueretteR. T.BowersK. J. (2009). Assessing the extent of crime displacement and diffusion of benefits: A systematic review of situational crime prevention evaluations. Criminology, 47(4), 1331–1368.
21.
HanD.ChenY.LiT.ZhangR.ZhangY.HedgpethT. (2018, October 29–November 8). Proximity-proof: Secure and usable mobile two-factor authentication [Conference session]. 24th Annual International Conference on Mobile Computing and Networking (pp. 401–415). New Delhi, India.
22.
HowellC. J.FisherT.MunizC. N.MaimonD.RotzingerY. (2023). A depiction and classification of the stolen data market ecosystem and comprising darknet markets: A multidisciplinary approach. Journal of Contemporary Criminal Justice, 39(2), 298–317.
23.
HowellC. J.MaimonD. (2022, December2). Darknet markets generate millions in revenue selling stolen personal data, supply chain study finds. The Conversation.
IfinedoP. (2014). Information systems security policy compliance: An empirical study of the effects of socialisation, influence, and cognition. Information & Management, 51(1), 69–79.
26.
IfinedoP. (2016). Critical times for organizations: What should be done to curb workers’ noncompliance with IS security policy guidelines? Information Systems Management, 33(1), 30–41.
27.
JansenJ.LeukfeldtR. (2016). Phishing and malware attacks on online banking customers in the Netherlands: A qualitative analysis of factors leading to victimization. International Journal of Cyber Criminology, 10(1), 79.
28.
JareckiS.JuburM.KrawczykH.SaxenaN.ShirvanianM. (2021). Two-factor password-authenticated key exchange with end-to-end security. ACM Transactions on Privacy and Security, 24(3), 1–37.
29.
KawaseR.DianaF.CzeladkaM.SchülerM.FaustM. (2019, September17–20). Internet fraud: The case of account takeover in online marketplace [Conference session]. 30th ACM Conference on Hypertext and Social Media, Hof, Germany (pp. 181–190).
30.
KhariM.GaurM.TutejaY. (2013). Meticulous study of firewall using security detection tools. International Journal of Computer Applications & Information Technology, 2(I), 2278–7720.
31.
KontaxisG.AthanasopoulosE.PortokalidisG.KeromytisA. D. (2013, November4–8). SAuth: Protecting user accounts from password database leaks [Conference session]. 2013 ACM SIGSAC Conference on Computer & Communications Security, Berlin, Germany (pp. 187–198).
32.
LeatherdaleS. T. (2019). Natural experiment methodology for research: A review of how different methods can support real-world research. International Journal of Social Research Methodology, 22(1), 19–35.
33.
LeeC.LeeK. (2021). Factors affecting corporate security policy effectiveness in telecommuting. Security and Communication Networks, 2021, 1–13.
34.
MaimonD.HowellC. J.MoloneyM.ParkY. S. (2023). An examination of email fraudsters’ modus operandi. Crime & Delinquency, 69(11), 2329–2358.
MeyerL. A.RomeroS.BertoliG.BurtT.WeinertA.FerresJ. L. (2023). How effective is multifactor authentication at deterring cyberattacks?arXiv preprint arXiv:2305.00945.
37.
MohammedM. M.ElsadigM. (2013, August26–28). A multi-layer of multi factors authentication model for online banking services [Conference session]. 2013 International Conference on Computing, Electrical and Electronic Engineering (ICCEEE), Khartoum, Sudan (pp. 220–224). IEEE.
38.
MooreP. (2014). Does two factor authentication actually weaken security?Paul Reviews.
39.
MridhaM. F.NurK.SahaA. K.AdnanM. A. (2017). A new approach to enhance internet banking security. International Journal of Computer Applications, 160(8), 35–39.
40.
O’GormanL. (2003). Comparing passwords, tokens, and biometrics for user authentication. Proceedings of the IEEE, 91(12), 2021–2040.
41.
OuelletM.MaimonD.WuY.HowellC. J. (2022). Open-source intelligence in online stolen data markets: Assessment of network disruption strategies. CrimRxiv.
42.
PeltierT. R. (2016). Information security policies, procedures, and standards: Guidelines for effective information security management. CRC Press.
PetsasT.TsirantonakisG.AthanasopoulosE.IoannidisS. (2015, April21). Two-factor authentication: Is the world ready? Quantifying 2FA adoption [Conference session]. Eighth European Workshop on System Security, Bordeaux, France (pp. 1–7).
VaithyasubramanianS.ChristyA.SaravananD. (2015). Two factor authentications for secured login in support of effective information preservation and network security. ARPN Journal of Engineering and Applied Sciences, 10(5), 2053–2056.
50.
VanceA.SiponenM.PahnilaS. (2012). Motivating IS security compliance: Insights from habit and protection motivation theory. Information & Management, 49(3–4), 190–198.
51.
VenkateshV.DavisF. D. (2000). A theoretical extension of the technology acceptance model: Four longitudinal field studies. Management Science, 46(2), 186–204.
52.
WeirC. S.DouglasG.RichardsonT.JackM. (2010). Usable security: User preferences for authentication methods in eBanking and the effects of experience. Interacting with Computers, 22(3), 153–164.
53.
WillisonR.WarkentinM. (2013). Beyond deterrence: An expanded view of employee computer abuse. MIS Quarterly, 37, 1-20.
54.
Yeboah-BoatengE. O.AmanorP. M. (2014). Phishing, SMiShing & Vishing: An assessment of threats against mobile devices. Journal of Emerging Trends in Computing and Information Sciences, 5(4), 297–307.
