In part one of this blog series we talked all about the basics of Multi-Factor Authentication, but just so you're up to speed, here's a quick summary.
MFA is an approach to securing accounts that requires a user to present more than one kind of proof of identity to complete a login. Those proofs are drawn from three categories:
- Something you know: your password or a PIN.
- Something you have: a device or token in the user's possession, such as a physical security key, a one-time password generator, or an authenticator app on a phone.
- Something you are: biometrics such as retinal scanning, fingerprint scanning, and voice recognition.
It's likely that many of your employees are already using MFA for their personal accounts without even realizing it. Many applications and cloud services have supported MFA for years. If you're curious whether the specific applications and services your business uses support MFA, check out twofactorauth.org.
So now that you're refreshed on what MFA is, what does it actually protect you from, and why should you enable it whenever possible?
Phishing and Its Variants
Phishing is a cybercrime in which an attacker sends an email or text message, or places a phone call, while posing as a trusted company or contact in order to obtain valuable information such as passwords, bank details, or other account information. The two forms businesses most need to be aware of are everyday (mass) phishing and spear phishing.
Everyday phishing is a mass email sent to a large number of recipients while pretending to come from someone the recipient trusts. A typical example is an employee receiving an email that appears to come from the company's bank, asking them to log in through the link provided to resolve an alert. The link leads to a fake login page, often indistinguishable from the bank's real one, and when the employee signs in the attacker captures the username and password.
Spear phishing follows the same idea, but instead of targeting a large pool of potential victims the email is carefully crafted for one particular person, typically someone senior in the company, or is made to appear to come from such a person. These attacks succeed far more often because of how personalized the emails are.
According to Symantec, in 2017 spear phishing emails were the most widely used infection vector, used by 71% of the attack groups it tracked. Reports in 2018 put the growth in overall phishing attacks at 250%, and found phishing to be a major factor in 93% of breaches. Both statistics are cause for concern and point to the need for stronger controls.
Brute Force Attacks and Credential Stuffing
Brute force attacks use automated tooling, often backed by powerful hardware, to guess credentials in one of two ways. The first kind cycles through possible username and password combinations until one works, while the second tries a list of commonly used, easily guessed passwords (Ex: Password123) against many accounts.
Credential stuffing is when an attacker takes a username and password already exposed in one breach and tries the pair on other services, exploiting the fact that most people reuse the same credentials across many, if not most, of their accounts.
Cracking software running on a cluster of graphics cards can test hundreds of billions of guesses per second (a widely cited figure is 350 billion per second), which puts even passwords of 12 characters at risk when they are built from words and predictable patterns. That speed applies to offline cracking of stolen password hashes, and how far it goes depends on how the service hashed them; a live login page limits how fast anyone can guess, which is one reason attackers prefer credential stuffing with passwords that are already known. Attackers also run dictionary attacks, trying real words and their common variations, so a short password built from a word, and anything under seven characters, offers little resistance.
Hacking attempts like these increased by 400% in 2017, and as both the tools and the criminals using them become more effective, the numbers will only rise.
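Seen from the defender's side, the three patterns above leave distinct fingerprints in an authentication log: one account failing many times from one source, many accounts failing once or twice each from one source with nothing succeeding, and many accounts tried once each with some logins succeeding (leaked pairs are often valid). The following added Python example, written for this article and not taken from the original post or any product, runs that logic over a constructed sample log in an assumed `ip=... user=... result=OK|FAIL` format; the thresholds and the success-rate heuristic that separates stuffing from spraying are illustrative and should be tuned to real traffic.

```python
import re
from collections import Counter, defaultdict
from dataclasses import dataclass, field

# Assumed log format for this example (constructed, not a real product's format):
#   <timestamp> ip=<source> user=<account> result=OK|FAIL
LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


@dataclass
class Finding:
    ip: str
    kind: str                # "brute_force", "password_spraying" or "credential_stuffing"
    users: list              # accounts attempted from this source
    compromised: list = field(default_factory=list)  # accounts where a guess succeeded


def parse_auth_log(lines):
    """Yield (ip, user, ok) for each well-formed login event; other lines are ignored."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield m["ip"], m["user"], m["result"] == "OK"


def detect_guessing(lines, fail_threshold=10, fanout_threshold=5):
    """Group attempts by source IP and label the three patterns the article describes.

    brute_force:         many failures against a single account from one source
    password_spraying:   one or two failures against many accounts, none succeed
    credential_stuffing: many accounts tried once or twice each and some succeed,
                         because leaked username/password pairs are often valid
    A source whose logins mostly succeed (an office NAT address) is left alone.
    Thresholds are illustrative; tune them to the service's real traffic.
    """
    by_ip = defaultdict(list)
    for ip, user, ok in parse_auth_log(lines):
        by_ip[ip].append((user, ok))

    findings = []
    for ip, events in sorted(by_ip.items()):
        fails = Counter(user for user, ok in events if not ok)
        successes = sorted({user for user, ok in events if ok})
        users = sorted({user for user, _ in events})
        if fails and max(fails.values()) >= fail_threshold:
            findings.append(Finding(ip, "brute_force", users, successes))
        elif (len(users) >= fanout_threshold
              and sum(fails.values()) >= fanout_threshold
              and max(fails.values()) <= 2):
            kind = "credential_stuffing" if successes else "password_spraying"
            findings.append(Finding(ip, kind, users, successes))
    return findings


def build_sample_log():
    """Constructed sample events (not real data): one brute-force source, one spray,
    one stuffing run, ordinary traffic that must not be flagged, and a non-login line."""
    lines = [f"2024-03-01T10:00:{i:02d}Z ip=198.51.100.7 user=bob result=FAIL"
             for i in range(12)]
    sprayed = ["alice", "bob", "carol", "dave", "erin", "frank", "grace", "heidi"]
    lines += [f"2024-03-01T10:01:{i:02d}Z ip=203.0.113.20 user={u} result=FAIL"
              for i, u in enumerate(sprayed)]
    stuffed = {"alice": "FAIL", "carol": "OK", "dave": "FAIL", "erin": "OK",
               "frank": "FAIL", "grace": "FAIL", "heidi": "OK", "ivan": "FAIL"}
    lines += [f"2024-03-01T10:02:{i:02d}Z ip=192.0.2.99 user={u} result={r}"
              for i, (u, r) in enumerate(stuffed.items())]
    lines += ["2024-03-01T10:03:00Z ip=10.0.0.5 user=alice result=FAIL",   # a typo, then
              "2024-03-01T10:03:05Z ip=10.0.0.5 user=alice result=OK",     # a normal login
              "2024-03-01T10:03:10Z sshd[1234]: Accepted publickey for alice"]  # ignored
    lines += [f"2024-03-01T10:04:{i:02d}Z ip=10.0.0.6 user={u} result=OK"   # office NAT
              for i, u in enumerate(sprayed[:6])]
    return lines


if __name__ == "__main__":
    for f in detect_guessing(build_sample_log()):
        print(f"{f.ip:15} {f.kind:20} accounts={len(f.users)} compromised={f.compromised}")
```

The accounts listed under `compromised` for a stuffing source are the ones that need an immediate password reset and, ideally, MFA enforced before the attacker returns; the office address with six successful logins and no failures produces no finding, which is the false positive a naive "many users from one IP" rule would raise.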
Keyloggers
A keylogging attack occurs when an attacker compromises a device and installs software that records every keystroke typed on it. That gives the attacker access to the following and more:
- Answers to security questions
- Personal information
- Websites visited
This form of attack is especially difficult to detect and easy for attackers to pull off because keylogging software is so readily available. Tools of this kind, once sold only to governments, are now packaged in easy-to-use bundles for parents, suspicious partners, and employers monitoring their own devices. If parents can buy it, cybercriminals certainly can. Criminals use this software to gather everything they need to move further into your business, all the way to your customer data. The criminals behind the "PunkeyPOS" attack did precisely that: using keyloggers and other malware, they compromised point-of-sale terminals at hundreds of US restaurants and stole the sensitive information of thousands of customers.
Each of these attack types is blunted by MFA, which is why we keep reinforcing its importance and recommend it to everyone. Even if a phisher captures your username and password, a hacker brute-forces your credentials, or a keylogger records them, the attacker still lacks the other identifiers MFA requires, something you have or something you are, and the likelihood that the attack succeeds drops sharply. One caveat: a one-time code typed into a fake login page can be relayed to the real site just as the password was, so against phishing specifically, factors bound to the genuine site, such as a hardware security key (FIDO2/WebAuthn), give the strongest protection. If you have the ability to employ a simple, free security measure that protects your data, business, employees, and customers from the most common types of attacks, why wouldn't you do it?
As we mentioned in part one, for many applications and cloud services enabling multi-factor authentication is as simple as the account administrator clicking a button. If you're unsure how best to go about rolling out MFA, talk to your IT department first (we recommend doing that before any major change anyway!), and if you don't have an IT department, give us a call. We would love to make sure your security is working the way it should and that you're protected against these threats.