Traditionally, a username and password were all that was required to log in to an account. However, with the continuous rise in cybercrime and data breaches, coupled with the fact that around two thirds of people reuse passwords, many companies are turning to Multi-Factor Authentication (MFA) to secure accounts.
As the name suggests, MFA requires a user to verify their identity using more than one authentication factor. The password is generally the first factor (although Google, Apple and Microsoft are pushing for organisations to go entirely passwordless), with additional options such as one-time passwords (OTP) or mobile authenticator apps boosting protection of user credentials. Security questions are often offered too, but strictly they are another "something you know" factor, so they add less than a code generated on a device you hold. Implementing MFA is widely cited as preventing 80-90% of account-compromise attacks, but what accounts for the other 10-20%?
Not all MFA options offer the same level of protection. SMS authentication is one of the most popular options because of its convenience, but it is generally considered the weakest form of second factor, because the code travels over a phone network the account owner does not control.
More and more we are seeing stories of attackers bypassing MFA, most commonly through SIM swap scams. In a SIM swap scam, the criminal impersonates you and convinces your mobile carrier to move your phone number to a SIM card they control. Often all that is required is your date of birth, home address and phone number.
Once the swap is complete, the attacker receives all of your incoming text messages and phone calls, while your own handset loses service (an unexplained loss of signal is frequently the first sign a victim sees). If you have SMS- or call-based MFA enabled, this grants the attacker easy access to your most sensitive accounts, such as banking or email, as long as they also hold the password.
In the past year there has been a massive upturn in the number of SIM swapping scams. The FBI's 2021 Internet Crime Report revealed that across 1,611 reports of SIM swaps, victims lost USD $68 million. In comparison, from January 2018 through to December 2020 there were just 320 complaints, with reported losses totalling only $12 million.
Although less common, there have also been recent reports of a new Android malware named Octo which has remote access capabilities, rendering MFA ineffective on an infected device. When a device is infected with Octo, every action the victim makes is tracked by a keylogger, including PINs entered. The malware then applies a black screen overlay and turns the display brightness down, which makes it appear as though the phone has been switched off, so the operator can drive the phone and access the victim's accounts without the victim seeing what is happening. Because the attacker is acting from the enrolled device itself, an authenticator app on that same phone offers no protection in this scenario. Malware like Octo is generally spread through malicious links and trojanised apps, and victims are often completely unaware that they have been compromised.
Protecting businesses from an MFA attack
At present, MFA is still the most effective way to protect accounts. Just because it can be bypassed does not mean it is useless. However, it is important that your business is informed about the risks and best practices.
Here are some recommendations we make to businesses implementing MFA:
1. Strengthen your passwords
Make sure your passwords are strong and unique – they should not contain any easily guessed or personal information such as your name or birthday. Read our blog on how to make your passwords more secure here.
2. Consider adding a password manager to your security stack
Password managers, such as LastPass, are the practical way to give every account in your business a long, unique, randomly generated password. The vault is encrypted with a key derived from your master password, so that password must itself be strong and unique, and the manager account should be protected with MFA of its own.
3. Use authenticator apps to verify identity
If the option is available, authenticator apps are much more secure. Microsoft, Google and Salesforce offer them as a free download, and although they run on your mobile, they are not linked to your phone number: the app holds a secret that was enrolled when you scanned the setup QR code, and the codes are computed on the device from that secret and the current time. Nothing is sent over the carrier network, so a compromised SIM gives the attacker nothing.
When you sign in, the app either displays a time-based one-time code (typically valid for 30 seconds before the next one replaces it) or shows a push prompt that lets you approve or deny the login attempt. One caveat: attackers who already hold the password can flood a user with approve/deny prompts until one is accepted by mistake (so-called MFA fatigue), so prefer apps and settings that require number matching or the displayed code rather than a bare "Approve" button.
4. Limit what information you share online.
If your social media accounts are not private, attackers can quickly find out sensitive information such as your birthday, mother's maiden name, best friend's name, pet names and sometimes even your home address, which is exactly the information used to impersonate you to a carrier or to answer security questions.
Also think twice before completing a fun online quiz promising to predict your future or tell you what personality type you are. Cheap and seemingly innocuous quizzes and surveys can be a front for criminal groups trying to gather the details that will help them compromise your accounts: "What are your pets' names? When were you born? What is the name of the street you first lived on? Enter your email address and we'll send you your rockstar stage name!"
Most social media sites also let you view your own profile as a member of the public, so you can see exactly what information is visible to a stranger.
5. And lastly, use biometric authentication methods for MFA where possible
Receiving an OTP via SMS may be convenient, but it is not the most secure MFA option; it is still better than a password alone if it is the only second factor a service offers. Biometrics such as fingerprints, iris scans, and facial or voice recognition are far more difficult for a remote scammer to compromise. On modern devices the biometric normally unlocks a cryptographic credential stored on the phone itself (as with passkeys and FIDO2 security keys), and that credential cannot be phished, intercepted or redirected by a SIM swap.
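Recommendation 3 above rests on how authenticator apps work: both the phone and the service hold a secret enrolled at setup, and each code is derived from that secret and the current time window, so the phone number never enters into it. The following is an added, self-contained example written for this article, not MailGuard's or any vendor's code: it implements HOTP (RFC 4226) and TOTP (RFC 6238) with HMAC-SHA1 as authenticator apps do, plus the server-side check that rejects a code once its time window has passed. The base32 secret is constructed for the example and stands in for the one a real service would show in its setup QR code.

```python
# Added example (not MailGuard's code): RFC 4226 HOTP / RFC 6238 TOTP,
# the algorithm behind authenticator apps such as Google Authenticator.
import base64
import hashlib
import hmac
import struct
import time

# Constructed enrolment secret, as it would appear in the otpauth:// QR code
# a service shows at setup. Both the phone and the server keep this secret;
# the phone number and carrier play no part, which is why a SIM swap does not help.
ENROLMENT_SECRET_B32 = "JBSWY3DPEHPK3PXP"   # constructed value for this example


def decode_secret(b32: str) -> bytes:
    """Decode the base32 secret from the provisioning URI (padding is optional)."""
    b32 = b32.strip().replace(" ", "").upper()
    b32 += "=" * (-len(b32) % 8)
    return base64.b32decode(b32)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a 31-bit integer, then the last `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP whose counter is the number of `step`-second
    windows since the Unix epoch. `at` is a Unix timestamp."""
    return hotp(secret, at // step, digits)


def verify_totp(secret: bytes, code: str, at: int, step: int = 30,
                digits: int = 6, window: int = 1) -> bool:
    """Server-side check. Accepts the current window plus `window` windows on
    either side to tolerate clock drift; anything older is rejected, which is
    the expiry the article describes. compare_digest avoids leaking how many
    leading digits matched through timing."""
    if not (code.isdigit() and len(code) == digits):
        return False
    current = at // step
    return any(
        hmac.compare_digest(hotp(secret, current + drift, digits), code)
        for drift in range(-window, window + 1)
    )


def seconds_remaining(at: int, step: int = 30) -> int:
    """How many seconds the code displayed at time `at` stays in its window."""
    return step - (at % step)


if __name__ == "__main__":
    secret = decode_secret(ENROLMENT_SECRET_B32)
    now = int(time.time())
    code = totp(secret, now)
    print(f"code {code} valid for {seconds_remaining(now)}s more")
    print("accepted now:", verify_totp(secret, code, now))
    print("accepted five minutes later:", verify_totp(secret, code, now + 300))
```

Running the script shows a code, confirms the server accepts it immediately, and shows the same code being rejected five minutes later. Note the design choice in `verify_totp`: the acceptance window is deliberately small (one step either side), because every extra window an attacker can replay a captured code into weakens the "one-time" property.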
Protecting businesses with MailGuard
MailGuard recommends using MFA to secure business accounts and encourages businesses to proactively raise their cyber resilience so that threats never land in inboxes in the first place. With a reported 94% of malware attacks delivered by email, email is an extremely important vector for businesses to fortify.
In the spirit of zero-trust, employ multi-factor authentication, coupled with a multi-layered and multi-vendor approach to your email security, so that the cybercriminals have multiple gates to bypass when attempting to compromise a business.
Fortify your defences
No one vendor can stop all threats, so don’t leave your business exposed. If you are using Microsoft 365 or G Suite, you should also have third-party solutions in place to mitigate your risk. For example, using a specialist cloud email security solution like MailGuard to enhance your Microsoft 365 security stack.
For more information about how MailGuard can help defend your inboxes, reach out to our team at firstname.lastname@example.org.