Published: February 14, 2023 on our newsletter Security Fraud News & Alerts Newsletter.
In a world where technology can change in the blink of an eye, staying safe online can be a real challenge. Security steps that work today may be exploited tomorrow, so keeping up to date has never been more important. A report by the U.S. government’s Cybersecurity & Infrastructure Security Agency (CISA) gives us a closer look at multi-factor authentication (MFA) identity verification tool. Below are highlights of their “Implementing Phishing-Resistant MFA” report that we can all learn from, especially those responsible for implementing an organization’s MFA practices.
The MFA Way
MFA is a security control that requires a user to present a combination of two or more different authenticators (something you know, something you have, or something you are) to verify their identity for login. MFA makes it more difficult for cyber threat actors to gain access to networks and information systems…With MFA enabled, if one factor, such as a password, becomes compromised, unauthorized users will be unable to access the account if they cannot also provide the second factor.
According to Microsoft Security, 80-90% of cyberattacks can be prevented using MFA. CISA has consistently urged organizations to implement MFA for all users and for all services, including email, file sharing, and financial account access. MFA is an essential practice to reduce the threat of cyber threat actors using compromised credentials to gain access to and conduct malicious activity on networks. However, not all forms of MFA are equally secure.
Know the Threats to MFA
With MFA use on the rise as an identity verification tool, you can bet cybercriminals are finding ways to neutralize its protection. CISA finds bad actors are using the following four methods for stealing, intercepting, and otherwise getting their hands on MFA credentials. So, for individual users and those in IT, be aware these threats are being used to target MFA.
Phishing. In a widely used phishing technique, a threat actor sends an email to a target that convinces the user to visit a threat actor-controlled website that mimics a company’s legitimate login portal. The user submits their username, password, as well as the 6-digit code from their mobile phone’s authenticator app.
Push bombing. Cyber threat actors bombard a user with push notifications until they press the “Accept” button, thereby granting threat actor access to the network.
SS7 protocol. Cyber threat actors exploit SS7 protocol vulnerabilities to obtain MFA codes sent via text message (SMS) or voice to a phone.
SIM Swap. SIM Swap is a form of social engineering in which cyber threat actors convince cellular carriers to transfer control of the user’s phone number to a threat actor-controlled SIM card, which allows the threat actor to gain control over the user’s phone.
It’s good to know CISA is there providing support for using MFA safely at home and work. They have fact sheets available on their website in more detail about using MFA protocols and guidance for using it safely. CISA welcomes everyone to visit their site and learn more about staying safer online, including those in IT responsible for implementing MFA for their organization.
Keep up to date: Sign up for our Fraud alerts and Updates newsletter
Want to schedule a conversation? Please email us at advisor@nadicent.com