This article is carrying on from last week’s article, Something You Know, Something You Have or Something You Are, which gave some advice on rolling out multi-factor authentication in your organisation.
Let me just say (again): MFA has its issues and can be defeated by threat actors, sometimes very simply, but you still must use it where and whenever you can. It is an essential barrier between the systems you need to keep private and the criminals who want to gain access to them.
MFA v. 2FA
Before talking about the specific attack I want to focus on today, I want to clarify the type of authentication you should be looking for and using.
It is not the “receive a text message with a code and type it into a response box” method. That is often referred to as two-factor authentication (2FA) and is where this kind of authentication started. It is vulnerable to exploitation (CISA a. 2022) and is considered less secure than authentication that uses a validated smartphone app or hardware device, which is often referred to as multi-factor authentication.
Now I have been challenged over this by clients, so let me add two exceptions to this:
- If your supplier only offers text message authentication – use it. Many banks use this method and have extra security steps in place to protect you.
- Text authentication has its place in verifying your identity – it establishes a link between the phone that you own and use and the supplier. Microsoft and Google both use this method of identifying you – but prefer an authenticator app when it comes to accessing your account. They still offer text message only authentication for those users without a smartphone.
Now for the attack
When threat actors get access to stolen credentials – something that is readily available on the Dark Web – they have automated systems that will try to log into most, if not all, of the major online services using those compromised credentials. They are checking two things: whether they were quick enough to try before the user realised the credentials were compromised and changed them, and whether the user was lazy and reused the same password across multiple services.
Now if you have not changed the password, because you are unaware your business password is compromised, you will get an MFA request when the threat actor tries to log in. You will decline it because you know it is not you. However, threat actors have found that if they bombard users with MFA requests by repeatedly trying to log in, some users will suffer security fatigue and just hit accept, letting them in (CISA b. 2022).
Of course you will not do that now – and here are the other things you should do if you get spurious MFA requests:
- Using secure methods, immediately change the password on that account – or notify your IT/cyber security support to do it for you.
- If you changed your own password, notify your IT/cyber security support so they are aware. Other accounts may be under attack.
- Check the activity on the compromised account, just in case. Your IT/cyber security support should do this for you if you have notified them.
- If you are reusing the same password on other accounts, go and change them to unique passwords.
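The pattern described above (a burst of declined or unanswered MFA prompts, sometimes followed by an approval) is also visible to the IT/cyber security team in the MFA provider's sign-in logs. The following is an added example, not part of the original article: a small detector that runs over constructed sample log lines and flags a user who received three or more non-approved prompts within five minutes, and separately flags an approval that follows such a burst. The log format, field names, threshold and window are assumptions chosen for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not from any real system): one MFA push event per line.
SAMPLE_LOG = """\
2022-11-14T08:01:12Z user=alice result=denied src=203.0.113.7
2022-11-14T08:01:40Z user=alice result=denied src=203.0.113.7
2022-11-14T08:02:05Z user=alice result=timeout src=203.0.113.7
2022-11-14T08:02:31Z user=alice result=denied src=203.0.113.7
2022-11-14T08:03:02Z user=alice result=approved src=203.0.113.7
2022-11-14T08:15:00Z user=bob result=approved src=198.51.100.4
2022-11-14T09:30:10Z user=bob result=denied src=198.51.100.4
"""

def parse_line(line):
    """Split one 'timestamp key=value ...' line into (ts, user, result, src)."""
    ts_str, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return ts, kv["user"], kv["result"], kv["src"]

def detect_push_bombing(log_text, threshold=3, window=timedelta(minutes=5)):
    """Return a list of (user, kind, timestamp) findings.
    kind 'burst'   : at least `threshold` prompts not approved by one user inside `window`
    kind 'fatigue' : an approval that follows such a burst (the attack may have succeeded)
    Threshold and window are assumed values; tune them to your own sign-in volume.
    """
    recent = defaultdict(deque)   # user -> timestamps of recent denied/timed-out prompts
    burst_reported = set()        # users whose current burst has already been flagged
    findings = []
    for line in log_text.splitlines():
        ts, user, result, _src = parse_line(line)
        q = recent[user]
        while q and ts - q[0] > window:   # drop prompts older than the window
            q.popleft()
        if result in ("denied", "timeout"):
            q.append(ts)
            if len(q) >= threshold and user not in burst_reported:
                findings.append((user, "burst", ts))
                burst_reported.add(user)
        elif result == "approved":
            if len(q) >= threshold:       # approval right after a burst: likely fatigue
                findings.append((user, "fatigue", ts))
            q.clear()                     # an approval ends the current burst
            burst_reported.discard(user)
    return findings
```

A 'fatigue' finding is the one to act on first: treat the account as compromised and follow the steps above (change the password, review the account's activity).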
What else can you do?
That’s where training your team in what to expect from various cyber-attacks will improve your organisation’s cyber security.
Thursday
I do not have a plan yet for Thursday’s article – it will be a surprise for you and me!
Clive Catton MSc (Cyber Security) – by-line and other articles
Further Reading
Multi-Factor Authentication Fact Sheet (cisa.gov)
References
CISA a. (2022). Implementing phishing-resistant MFA. Cybersecurity and Infrastructure Security Agency. Retrieved November 2, 2022, from https://www.cisa.gov/sites/default/files/publications/fact-sheet-implementing-phishing-resistant-mfa-508c.pdf
CISA b. (2022). Implementing Number Matching in MFA Applications. Cybersecurity and Infrastructure Security Agency. Retrieved November 14, 2022, from https://www.cisa.gov/sites/default/files/publications/fact-sheet-implement-number-matching-in-mfa-applications-508c.pdf